Analysis by: Erika Mendoza

 PLATFORM:

Windows 2000, Windows XP, Windows Server 2003


  • Threat Type: File infector

  • Destructiveness: No

  • Encrypted: Yes

  • In the wild: Yes

  OVERVIEW

This file infector searches for files in %System%\dllcache and %System%. Once found, it infects the said files using the Entry Point Obscuring (EPO) technique. Before proceeding with its payload, it first checks whether it is being run by the local system account, by checking whether the SID starts with "S-1-5-18". It does not proceed if the SID is different.

If infection is successful, it attempts to access several randomly generated servers, appending strings to those domain names.

This file infector arrives as a component bundled with malware/grayware packages. It may be unknowingly downloaded by a user while visiting malicious websites.

It modifies registry entries to enable its automatic execution at every system startup.

  TECHNICAL DETAILS

File Size: Varies
File Type: EXE
Memory Resident: Yes
Initial Samples Received Date: 21 Oct 2011

Arrival Details

This file infector arrives as a component bundled with malware/grayware packages.

It may be unknowingly downloaded by a user while visiting malicious websites.

Installation

This file infector drops the following non-malicious files:

  • %Windows%\expl.dat
  • %System%\dllc.dat
  • %System%\svch.dat
  • %System%\winl.dat

(Note: %Windows% is the Windows folder, which is usually C:\Windows or C:\WINNT. %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)

It drops the following copies of itself into the affected system:

  • %Application Data%\MicrosoftNT\winserver.exe

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Windows\Profiles\{user name}\Application Data on Windows 98 and ME, C:\WINNT\Profiles\{user name}\Application Data on Windows NT, and C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000, XP, and Server 2003.)

It creates the following folders:

  • %Application Data%\MicrosoftNT

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Windows\Profiles\{user name}\Application Data on Windows 98 and ME, C:\WINNT\Profiles\{user name}\Application Data on Windows NT, and C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000, XP, and Server 2003.)

It adds the following mutexes to ensure that only one of its copies runs at any one time:

  • 11expl22
  • 11svch22

Autostart Technique

This file infector modifies the following registry entries to ensure its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
User Shell Folders
Startup = %Application Data%\MicrosoftNT

(Note: The default value data of the said registry entry is %User Startup%.)

Other System Modifications

This file infector adds the following registry entries as part of its installation routine:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Temp
Uses32 = {hex values}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Temp
TimeGetWork = {dword value}
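
A way to check a machine for the two registry changes listed under Autostart Technique and Other System Modifications, as an added example that is not part of this advisory or of any Trend Micro tool: it parses a .reg export and flags a Startup shell folder that no longer points at the profile's Startup folder, plus the Uses32 and TimeGetWork values under the Temp key. The sample export is constructed, and the expectation that a clean Startup entry ends in Start Menu\Programs\Startup is an assumption (the page only says the default is %User Startup%).

```python
import re

# Constructed sample of a .reg export (not from the advisory): the first key
# shows the redirected Startup folder, the second the two Temp values.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders]
"Startup"="C:\\Documents and Settings\\user\\Local Settings\\Application Data\\MicrosoftNT"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Temp]
"Uses32"=hex:01,02,03
"TimeGetWork"=dword:00000001
'''

USER_SHELL_FOLDERS = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"
TEMP_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Temp"
SUSPECT_TEMP_VALUES = {"Uses32", "TimeGetWork"}
# Assumption: a clean Startup entry points at the profile's Startup folder.
EXPECTED_STARTUP_TAIL = r"Start Menu\Programs\Startup"


def parse_reg_export(text):
    """Parse a .reg export into {key: {value_name: data}}; string data is unescaped."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current and line.startswith('"'):
            m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)', line)
            if m:
                name, data = m.group(1), m.group(2)
                if data.startswith('"') and data.endswith('"'):
                    data = data[1:-1].replace("\\\\", "\\")  # .reg doubles backslashes
                keys[current][name] = data
    return keys


def find_bamital_registry_indicators(text):
    """Return human-readable findings for the registry changes this advisory lists."""
    keys = parse_reg_export(text)
    findings = []
    startup = keys.get(USER_SHELL_FOLDERS, {}).get("Startup")
    if startup is not None and not startup.rstrip("\\").endswith(EXPECTED_STARTUP_TAIL):
        findings.append(f"User Shell Folders\\Startup redirected to: {startup}")
    for name in sorted(set(keys.get(TEMP_KEY, {})) & SUSPECT_TEMP_VALUES):
        findings.append(f"Temp\\{name} present: {keys[TEMP_KEY][name]}")
    return findings
```

Run it against the output of `reg export` for the two keys above; an empty list means neither change is present.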

Other Details

This file infector connects to the following URL(s) to check for an Internet connection:

  • google.com

NOTES:

This file infector searches for the following files in %System%\dllcache and %System%:

  • explorer.exe
  • svchost.exe
  • winlogon.exe

Once found, it infects the said files using the Entry Point Obscuring (EPO) technique.

Before proceeding with its payload, the malware first checks whether it is being run by the local system account, by checking whether the SID starts with "S-1-5-18". It does not proceed if the SID is different.

If infection is successful, it attempts to access several randomly generated servers:

  • {15randomchars}.co.cc
  • {15randomchars}.cz.cc
  • {15randomchars}.info
  • {15randomchars}.in

It appends the following strings to the above-mentioned domain names:

  • /m.{BLOCKED}id={id}&pr={value}&os={value_os}&id={processor_info}&ver={value_ver}&ver={value_ver}
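
A proxy-log check for the randomly generated servers and the request string listed above, as an added example that is not part of this advisory: it flags hosts shaped like {15 random characters} under the four listed domain suffixes, and separately flags requests to such hosts whose path starts with /m. and whose query carries the id, pr, os and ver parameters. The log lines are constructed; that the 15 random characters are lowercase letters or digits, and that the beacon path begins with /m. followed by the part the page redacts as {BLOCKED}, are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumptions (not stated in the advisory): the 15 random characters are
# lowercase letters/digits, and the beacon path starts with "/m." followed
# by whatever the page redacts as {BLOCKED}.
DGA_HOST = re.compile(r"^[a-z0-9]{15}\.(?:co\.cc|cz\.cc|info|in)$")
BEACON_PARAMS = {"id", "pr", "os", "ver"}

# Constructed proxy log lines: "<timestamp> <client> <method> <url>"
SAMPLE_PROXY_LOG = """\
2011-10-21T10:00:01 10.0.0.5 GET http://google.com/
2011-10-21T10:00:02 10.0.0.5 GET http://abcdefghijklmno.co.cc/m.xyz?id=1234&pr=2&os=5.1&id=x86&ver=3&ver=3
2011-10-21T10:00:03 10.0.0.7 GET http://www.example.com/m.index?id=1&pr=2&os=5.1&ver=1
2011-10-21T10:00:04 10.0.0.5 GET http://zyxwvutsrqponml.info/m.abc?id=5&pr=1&os=5.2&id=x86&ver=1&ver=1
2011-10-21T10:00:05 10.0.0.9 GET http://aaaaaaaaaaaaaaa.in/
"""


def classify_url(url):
    """Return 'dga-beacon', 'dga-host', or None for one requested URL."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if not DGA_HOST.match(host):
        return None
    params = set(parse_qs(parts.query).keys())
    if parts.path.startswith("/m.") and BEACON_PARAMS <= params:
        return "dga-beacon"
    return "dga-host"


def scan_proxy_log(text):
    """Return (client, host, verdict) tuples for log lines matching the patterns above."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed lines
        verdict = classify_url(fields[3])
        if verdict:
            hits.append((fields[1], urlsplit(fields[3]).hostname, verdict))
    return hits
```

The host pattern alone will also match legitimate 15-character names under .info and .in, so treat a 'dga-host' hit as a lead and a 'dga-beacon' hit as the stronger signal.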

  SOLUTION

Minimum Scan Engine: 9.200

Step 1

For Windows ME and XP users, before doing any scans, please make sure you disable System Restore to allow full scanning of your computer.

Step 2

AUTOMATIC REMOVAL INSTRUCTIONS

MANUAL REMOVAL INSTRUCTIONS

Step 3

Restore a file/s that has/have been corrupted/modified by this malware/grayware

To restore system files:

• For Windows 2000:

  1. Insert your Windows 2000 Installation CD in your CD-ROM drive.
  2. Click Start>Run.
  3. In the Open text box, type the following then click OK:
    expand D:\i386\{file to restore}.ex_ %windir%\system32\{file to restore}.exe
  4. (Note: In the example above, D: refers to the CD-ROM drive. If your CD-ROM drive is not D:, please change the letter accordingly. Also, the file to restore is C:\WINNT\System32\explorer.exe.)

• For Windows XP and Windows Server 2003:

  1. Click Start>Run.
  2. In the Open text box, type the following then click OK:
    MSCONFIG
  3. Make sure that the Normal startup - load all device drivers and services option is selected.
  4. Click the Expand button.
  5. In the dialog box that appears, type the following:
  6. Wherein:
    • File to restore contains the path and file name of the file you wish to restore.
    • Restore from contains the path to the Windows CAB files. This path may vary from machine to machine. It may be in a local drive, in a network drive, or in a CD-ROM. In the local drive, it is usually in C:\WINDOWS\OPTIONS\INSTALL.
    • Save file in contains the path of the file you wish to restore (Do not include the file name).
  7. Click the Expand button.

• For Windows Vista and Windows 7:

  1. Insert your Windows Installation CD or the USB flash drive then restart your computer.
  2. When prompted, press any key to boot from the CD or the USB drive.
  3. Choose your language settings then click Next.
  4. Click Repair your computer.
  5. Select the OS you want to repair then click Next.
  6. On the System Recovery Options menu, click Startup Repair. At this point, Windows automatically begins restoring modified/deleted system file/s.

Step 4

Restore this modified registry value

Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.

  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
    • From: Startup = %Application Data%\MicrosoftNT
      To: Startup = %User Startup%

Step 5

Delete this registry value

Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.

  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Temp
    • Uses32 = {hex values}
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Temp
    • TimeGetWork = {dword value}

Step 6

Search and delete these files

There may be some component files that are hidden. Please make sure you check the Search Hidden Files and Folders checkbox in the More advanced options option to include all hidden files and folders in the search result.

  • %Windows%\expl.dat
  • %System%\dllc.dat
  • %System%\svch.dat
  • %System%\winl.dat

Step 7

Search and delete this folder

Please make sure you check the Search Hidden Files and Folders checkbox in the More advanced options option to include all hidden folders in the search result.

  • %Application Data%\MicrosoftNT

Step 8

Scan your computer with your Trend Micro product to clean files detected as PE_BAMITAL.SME. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.

RECOMMENDATIONS:

  1. This malware is detected and removed by the latest Trend Micro anti-malware engine and pattern. Always keep pattern files and engines up-to-date. To know more about updating your Trend Micro product’s pattern, please refer to the following Trend Micro support page:

    Note: The steps apply for specific products indicated in the page.
  2. To actively detect and protect your machine, enable real-time scanning of your Trend Micro anti-malware product. Refer to the following Trend Micro support page to know more about enabling real-time scanning in your Trend Micro product:
  3. Enable firewall to protect against threats.
  4. Monitor network connections for any suspicious connection or connectivity.
  5. Avoid downloading software cracks and/or pirated applications.
  6. Be aware of social engineering attacks to be safe.

