Virus:Win32/Bamital.Q is the detection for Windows system files infected by another member of the Win32/Bamital family. It infects certain Windows files.
Virus:Win32/Bamital.Q drops its copies as the following files:
%UserProfile%\Local Settings\Application Data\MicrosoftNT\winserver.exe
It redirects the Windows Startup folder to its own directory by modifying the following registry entry, so that the dropped copy runs at every Windows start:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
Sets value: "Startup"
With data: "%UserProfile%\Local Settings\Application Data\MicrosoftNT"
Virus:Win32/Bamital.Q creates the following mutexes to ensure that only a single copy of itself is running:
It also creates the following registry keys, into which it writes information such as timestamps and data received from remote servers:
In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\LowRegistry
Virus:Win32/Bamital.Q infects the following Windows files:
Before infecting these files, it creates copies of them and then renames the copies:
- copy of %SystemRoot%\dllcache\explorer.exe
- copy of %SystemRoot%\dllcache\svchost.exe
- copy of %SystemRoot%\dllcache\winlogon.exe
- copy of %SystemRoot%\user32.dll
Virus:Win32/Bamital.Q has the ability to inject code into other system processes.
Disables system settings
Virus:Win32/Bamital.Q disables System Restore by modifying the following registry entries:
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore
Deletes value: "DisableSR"
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\sr\Parameters
Sets value: "DisableSR"
With data: "1"
Connects to remote server
Virus:Win32/Bamital.Q sends HTTP requests to "google.com" every five seconds, until it receives a successful response. It then extracts the current date from the HTTP response.
It uses the current date to generate several domains. For instance, the domains generated for the 26th of January 2012 are:
Virus:Win32/Bamital.Q sends another HTTP request to one of these domains to ask for further instructions.
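As an added defender-side check, not part of the original analysis, the following PowerShell reads the registry entries and dropped-file path described above and reports which of those indicators are present on the host. It assumes a Windows host with PowerShell; the function name and the %LOCALAPPDATA% variant of the dropped path (where the XP-era "Local Settings\Application Data" folder resolves on newer Windows) are assumptions, and the script changes nothing.

```powershell
# Added host-check example (not from the original write-up). Read-only:
# it reports the persistence, System Restore and dropped-file indicators
# described for Win32/Bamital.Q and modifies nothing on the machine.

function Test-BamitalQIndicators {
    $findings = @()

    # 1. Startup folder redirection via User Shell Folders (REG_EXPAND_SZ).
    #    Get-ItemProperty expands the value, so we compare the resolved path.
    $usf = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
    $startup = (Get-ItemProperty -Path $usf -Name Startup -ErrorAction SilentlyContinue).Startup
    if ($startup) {
        # A normal value ends in "\Startup"; the infection points it at "...\MicrosoftNT".
        if ((Split-Path $startup -Leaf) -ne 'Startup' -or $startup -match 'MicrosoftNT') {
            $findings += "Startup shell folder redirected to: $startup"
        }
    }

    # 2. System Restore disabled through the sr service parameters.
    $srParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\sr\Parameters'
    $disableSr = (Get-ItemProperty -Path $srParams -Name DisableSR -ErrorAction SilentlyContinue).DisableSR
    if ($disableSr -eq 1) {
        $findings += "System Restore disabled: $srParams\DisableSR = 1"
    }

    # 3. Dropped copy. The write-up gives the XP-era profile path; the
    #    %LOCALAPPDATA% form for newer Windows is an assumption.
    $dropPaths = @(Join-Path $env:USERPROFILE 'Local Settings\Application Data\MicrosoftNT\winserver.exe')
    if ($env:LOCALAPPDATA) { $dropPaths += Join-Path $env:LOCALAPPDATA 'MicrosoftNT\winserver.exe' }
    foreach ($p in $dropPaths) {
        if (Test-Path -LiteralPath $p) { $findings += "Dropped file present: $p" }
    }

    # 4. Registry key used for timestamps and server data. Presence alone is
    #    a weak indicator; corroborate it with the findings above.
    $lowReg = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\LowRegistry'
    if (Test-Path $lowReg) { $findings += "Registry key present (weak indicator): $lowReg" }

    return $findings
}

$result = @(Test-BamitalQIndicators)
if ($result.Count -eq 0) { 'No Win32/Bamital.Q indicators found.' } else { $result }
```

Run it from an elevated prompt so the HKLM values are readable; a redirected Startup folder combined with DisableSR = 1 is the strongest pairing to act on.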
Analysis by Horea Coroiu