
Trojan:Win32/Bamital.A


First posted on 15 December 2009.
Source: SecurityHome

Aliases :

Trojan:Win32/Bamital.A is also known as Backdoor.Win32.Agent.andi (Kaspersky), Trojan.Bamital.Gen (VirusBuster), Win32/Agent.QJM (ESET).

Explanation :

Trojan:Win32/Bamital.A is a trojan often installed by other malware. It monitors and modifies Web search queries and displays advertisements. It is triggered when the browser is Internet Explorer, Opera, Firefox, Chrome, or Safari.

Installation :

Trojan:Win32/Bamital.A may arrive in the system with the following file names in the Windows system folder:

  • curslib.dll
  • kbdnet.dll
  • mscert.dll
  • msnetlib.dll
  • rdolib.dll
  • wincert.dll
  • winuid.dll

Payload :

Modifies browsing behavior

Trojan:Win32/Bamital.A patches and redirects the following functions of the Windows Socket module, which are used by the browser, to its malicious routine so it can monitor and modify Web search queries and offer its own online advertisements:

  • recv
  • WSASend
  • WSARecv
  • send
  • closesocket
  • WSAAsyncSelect

Connects to a remote server

Win32/Bamital.A may also send information to, and download additional information from, the following Web servers:

  • mynewworldorder.cn
  • search-nows.cn
  • wonder-how.cn
  • world1domination.co.cc
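
A triage sketch added here, not part of the original entry: it checks resolver log lines and a file inventory against the file names and Web servers listed above, matching subdomains and ignoring case. The log layout, the system folder paths and all sample data are assumptions constructed for illustration; a file-name match is a lead for further inspection, not a verdict.

```python
import ntpath

# Indicators copied from this entry; all sample data further down is constructed.
DLL_NAMES = {"curslib.dll", "kbdnet.dll", "mscert.dll", "msnetlib.dll",
             "rdolib.dll", "wincert.dll", "winuid.dll"}
DOMAINS = {"mynewworldorder.cn", "search-nows.cn", "wonder-how.cn",
           "world1domination.co.cc"}
# Assumption: default locations of the Windows system folder.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

def match_domain(hostname):
    """Return the listed domain that hostname equals or is a subdomain of, else None."""
    labels = hostname.strip().rstrip(".").lower().split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in DOMAINS:
            return ".".join(labels[i:])
    return None

def match_file(path):
    """Return the listed DLL name if path sits directly in a system folder, else None."""
    directory, name = ntpath.split(ntpath.normpath(path.strip()))
    hit = directory.lower() in SYSTEM_DIRS and name.lower() in DLL_NAMES
    return name.lower() if hit else None

def triage(dns_lines, file_paths):
    """Return (kind, indicator, evidence) tuples for every match."""
    hits = []
    for line in dns_lines:
        fields = line.split()  # assumed layout: timestamp client-ip queried-name
        if len(fields) == 3 and (domain := match_domain(fields[2])):
            hits.append(("dns", domain, line))
    for path in file_paths:
        if (name := match_file(path)):
            hits.append(("file", name, path))
    return hits

SAMPLE_DNS = [  # constructed resolver log lines
    "2009-12-15T10:02:11 10.0.0.5 www.example.com",
    "2009-12-15T10:02:14 10.0.0.5 ads.Search-Nows.cn.",
    "2009-12-15T10:02:20 10.0.0.7 notwonder-how.cn",
]
SAMPLE_FILES = [  # constructed file inventory
    r"C:\Windows\System32\kernel32.dll",
    r"C:\WINDOWS\system32\WinCert.dll",
    r"C:\Users\a\Downloads\mscert.dll",
]

if __name__ == "__main__":
    print(*triage(SAMPLE_DNS, SAMPLE_FILES), sep="\n")
```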


Analysis by Jireh Sanico

Last update 15 December 2009