Selected viruses, spyware, and other threats: sorted alphabetically
Win32/Bamital.AN
Short description
Win32/Bamital.AN is a trojan that redirects results of online search engines to web sites that contain adware. It uses techniques common for rootkits.
Installation
When executed, the trojan creates the following files:
- %appdata%\Windows Server\etcsdb.dll (3072 B)
- %templates%\memory.tmp (37888 B)
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls]
"AppSecDll" = "%appdata%\Windows Server\etcsdb.dll"
- %appdata%\Windows Server\etcsdb.dll
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = %value%
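A defender-side audit of the two persistence-related registry locations listed above, written as an added example (not part of the original description): it enumerates every DLL registered under AppCertDlls, flags entries that point into a user profile or use %appdata%/%temp% as this trojan does, and reports the System Restore DisableSR value. The variable and function names are mine; run it in an elevated PowerShell session on the host being checked.

```powershell
# Added example: read-only audit of AppCertDlls and SystemRestore\DisableSR.
$appCertKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls'
$srKey      = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore'

function Get-AppCertDllFindings {
    # Every value under AppCertDlls names a DLL that is loaded into processes
    # calling CreateProcess, so the key is usually absent on a clean system and
    # any entry deserves review; entries under a user-writable profile path
    # (like the %appdata% path used by Bamital) are the strongest signal.
    if (-not (Test-Path -LiteralPath $appCertKey)) { return @() }
    $userDirs = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, $env:USERPROFILE) |
        Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') }
    $item = Get-Item -LiteralPath $appCertKey
    foreach ($name in $item.GetValueNames()) {
        # Keep the raw string so a literal %appdata% in the value is visible.
        $raw = [string]$item.GetValue($name, '',
            [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
        $expanded = [Environment]::ExpandEnvironmentVariables($raw)
        $usesProfileVar = $raw -match '(?i)%(appdata|localappdata|temp|userprofile)%'
        $inUserDir = $false
        foreach ($dir in $userDirs) {
            if ($expanded.StartsWith($dir, [StringComparison]::OrdinalIgnoreCase)) {
                $inUserDir = $true
            }
        }
        [pscustomobject]@{
            ValueName  = $name
            DllPath    = $raw
            FileExists = Test-Path -LiteralPath $expanded
            Severity   = if ($usesProfileVar -or $inUserDir) { 'HIGH' } else { 'REVIEW' }
        }
    }
}

function Get-SystemRestoreState {
    # DisableSR = 1 turns System Restore off; the description shows the trojan
    # writing this value, which removes an easy recovery path for the victim.
    $val = (Get-ItemProperty -Path $srKey -Name DisableSR -ErrorAction SilentlyContinue).DisableSR
    [pscustomobject]@{ DisableSR = $val; RestoreDisabled = ($val -eq 1) }
}

Get-AppCertDllFindings | Format-Table -AutoSize
Get-SystemRestoreState
```

An empty result from the first function simply means the AppCertDlls key has no values (or does not exist), which is the expected state on most workstations.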
Other information
The trojan can redirect results of online search engines to web sites that contain adware.
The trojan acquires data and commands from a remote computer or the Internet.
The trojan contains a list of URLs. The HTTP protocol is used.
The trojan hooks the following Windows APIs:
- recv (ws2_32.dll)
- WSASend (ws2_32.dll)
- WSARecv (ws2_32.dll)
- send (ws2_32.dll)
- closesocket (ws2_32.dll)
- NtClose (ntdll.dll)
- WaitForSingleObject (kernel32.dll)
- CreateProcessInternalW (kernel32.dll)
- config.data
- worker.info
- temp.ini
- thread.xml
- user32.dll
- conf.dat
- work.dat
- twin.dat
- uses32.dat
- flags.ini
- [HKEY_CURRENT_USER\Software\hxyzetcsdb]
"hxyzetcsdb" = %hex_value%
"Run" = "%variable1%"
"ID" = "%variable2%"
"TimeGetWork" = "%variable3%"
