
Virus:Win32/Bamital.A


First posted on 13 July 2010.
Source: SecurityHome

Aliases:

Virus:Win32/Bamital.A is also known as W32/Patched-J (Sophos).

Explanation:

Virus:Win32/Bamital.A is a detection for patched versions of system DLLs first modified by TrojanDropper:Win32/Bamital.G.

Installation

TrojanDropper:Win32/Bamital.G modifies only the system DLLs listed below, located in the %System% directory and in %System%\dllcache:

  • user32.dll
  • ws2_32.dll
  • ws2help.dll

Note: %System% refers to a variable location that the malware determines by querying the operating system. The default location of the System folder is C:\Winnt\System32 for Windows 2000 and NT, and C:\Windows\System32 for Windows XP, Vista, and 7.

DLLs detected as Virus:Win32/Bamital.A are modified in the following way:

  • A marker is added to the file's header to avoid re-infection.
  • Code is inserted at the file's entry point. This code loads another file, hlp.dat, which is also dropped in the %System% directory.
    Note: hlp.dat is responsible for most of TrojanDropper:Win32/Bamital.G's payload.

For more information on Virus:Win32/Bamital.A's related components, see TrojanDropper:Win32/Bamital.G elsewhere in the encyclopedia.
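The description above gives a defender three concrete things to check: the three named DLLs in %System% and %System%\dllcache, and the dropped hlp.dat. The following script is an added example (not part of the original entry or of any vendor tool) that checks both copies of each DLL against operator-supplied trusted hashes and flags the companion file; the known-good hashes, the directory layout and the file contents in demo() are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

# DLLs that TrojanDropper:Win32/Bamital.G patches, per the description above,
# and the companion payload file it drops into %System%.
BAMITAL_TARGET_DLLS = ("user32.dll", "ws2_32.dll", "ws2help.dll")
BAMITAL_PAYLOAD_FILE = "hlp.dat"

def sha256_of(path):
    """Hex SHA-256 of a file's contents, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def scan_for_bamital(system_dir, known_good):
    """Check %System% and %System%\\dllcache against trusted hashes.

    known_good maps DLL name -> SHA-256 of a trusted copy (e.g. from install
    media). The dropper patches the dllcache copy too, so both copies are
    compared to the trusted hash, never to each other.
    Returns a list of (indicator, path) tuples.
    """
    system_dir = Path(system_dir)
    findings = []
    for location in (system_dir, system_dir / "dllcache"):
        for name in BAMITAL_TARGET_DLLS:
            candidate = location / name
            if candidate.is_file() and sha256_of(candidate) != known_good[name]:
                findings.append(("hash-mismatch", str(candidate)))
    payload = system_dir / BAMITAL_PAYLOAD_FILE
    if payload.is_file():
        findings.append(("payload-present", str(payload)))
    return findings

def demo():
    """Constructed scenario: a throwaway %System% tree with patched DLLs."""
    root = Path(tempfile.mkdtemp())
    (root / "dllcache").mkdir()
    clean = {n: b"CLEAN-" + n.encode() for n in BAMITAL_TARGET_DLLS}
    known_good = {n: hashlib.sha256(b).hexdigest() for n, b in clean.items()}
    for loc in (root, root / "dllcache"):
        for n, b in clean.items():
            (loc / n).write_bytes(b)
        # Simulate the infection: both copies of user32.dll are altered.
        (loc / "user32.dll").write_bytes(b"PATCHED")
    (root / "hlp.dat").write_bytes(b"payload")  # dropped companion file
    return sorted(scan_for_bamital(root, known_good))
```

On a real host the trusted hashes must come from outside the machine (installation media or the vendor's catalog), because the dropper alters the dllcache copy that Windows File Protection would otherwise restore from.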

    Analysis by Amir Fouda

    Last update 13 July 2010
