Bamital trojan infects Winlogon.exe and Explorer.exe

We are currently seeing a massive increase in Winlogon.exe and Explorer.exe infections caused by a new variant of the Bamital trojan.

The Bamital trojan hooks the CreateProcessInternalW function inside Explorer.exe so that it is notified whenever Explorer starts a new process, which lets it spot web browsers being launched. When a web browser (such as Internet Explorer) is started, several Winsock functions are hooked as well, so the trojan can monitor internet traffic and change web search results.
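An inline hook like the one described above can be checked for from outside the infected process by comparing the first bytes of the hooked function in Explorer.exe with a clean reference copy. The following Python is an added example, not code from the original post and not Hitman Pro's method: it decodes the common inline-hook stubs (jmp rel32, push/ret, jmp [abs32]) to recover where a hook leads, and reports whether a function is clean, inline-hooked, or otherwise patched. The prologue bytes, addresses and module table are constructed samples; the optional Windows reader at the bottom (ctypes calls to OpenProcess and ReadProcessMemory) is an assumption about how the bytes would be collected, and it relies on kernel32.dll being mapped at the same base in the scanner and in Explorer.exe and on both having the same bitness.

```python
"""Inline-hook check for a kernel32 export such as CreateProcessInternalW.
Comparison logic runs anywhere on constructed samples; the optional Windows
reader at the bottom (an assumption, not Hitman Pro's method) reads a live process."""
import struct
import sys

# Constructed sample: classic hot-patchable Win32 prologue as found on disk
# (mov edi,edi / push ebp / mov ebp,esp).
CLEAN_PROLOGUE = bytes.fromhex("8BFF558BEC")

# Constructed sample: the same prologue after a 5-byte 'jmp rel32' inline
# hook was written over it, redirecting to a made-up address 0x10001000.
HOOKED_FUNC_ADDR = 0x7C802336
HOOK_TARGET = 0x10001000
HOOKED_PROLOGUE = b"\xE9" + struct.pack("<i", HOOK_TARGET - (HOOKED_FUNC_ADDR + 5))


def decode_inline_hook(func_addr, code):
    """Return the address an inline-hook stub at `func_addr` jumps to, or
    None if `code` does not start with a recognised stub:
      E9 rel32          jmp rel32           (target = next_ip + rel32)
      68 imm32 C3       push imm32 / ret    (target = imm32)
      FF 25 abs32       jmp dword ptr [abs] (returns the pointer slot)"""
    if len(code) >= 5 and code[0] == 0xE9:
        return func_addr + 5 + struct.unpack("<i", code[1:5])[0]
    if len(code) >= 6 and code[0] == 0x68 and code[5] == 0xC3:
        return struct.unpack("<I", code[1:5])[0]
    if len(code) >= 6 and code[:2] == b"\xFF\x25":
        return struct.unpack("<I", code[2:6])[0]
    return None


def check_function(func_addr, in_memory, reference):
    """Compare the bytes of a function in a target process with a clean
    reference copy (the file on disk, or the scanner's own unhooked copy)."""
    if in_memory[: len(reference)] == reference:
        return {"verdict": "clean"}
    target = decode_inline_hook(func_addr, in_memory)
    if target is not None:
        return {"verdict": "inline-hook", "target": target}
    return {"verdict": "patched"}  # modified, but not a stub we recognise


def module_containing(addr, modules):
    """Name the loaded module (name, base, size) that owns `addr`, or None.
    A hook target outside every legitimate module points at injected code."""
    for name, base, size in modules:
        if base <= addr < base + size:
            return name
    return None


if sys.platform == "win32":
    import ctypes
    from ctypes import wintypes

    _k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    _k32.OpenProcess.restype = wintypes.HANDLE
    _k32.OpenProcess.argtypes = [wintypes.DWORD, wintypes.BOOL, wintypes.DWORD]
    _k32.ReadProcessMemory.restype = wintypes.BOOL
    _k32.ReadProcessMemory.argtypes = [wintypes.HANDLE, wintypes.LPCVOID, wintypes.LPVOID,
                                       ctypes.c_size_t, ctypes.POINTER(ctypes.c_size_t)]
    _k32.GetModuleHandleW.restype = wintypes.HMODULE
    _k32.GetModuleHandleW.argtypes = [wintypes.LPCWSTR]
    _k32.GetProcAddress.restype = ctypes.c_void_p
    _k32.GetProcAddress.argtypes = [wintypes.HMODULE, wintypes.LPCSTR]
    _k32.CloseHandle.argtypes = [wintypes.HANDLE]

    def scan_process(pid, export=b"CreateProcessInternalW", size=16):
        """Compare kernel32!<export> inside `pid` with this process's own copy.
        Assumes the scanner is unhooked, has the same bitness as the target,
        and that kernel32 is mapped at one base in every process of the
        session, so the local address is valid in the remote process."""
        addr = _k32.GetProcAddress(_k32.GetModuleHandleW("kernel32.dll"), export)
        if not addr:
            raise ctypes.WinError(ctypes.get_last_error())
        local = ctypes.string_at(addr, size)
        handle = _k32.OpenProcess(0x0010 | 0x0400, False, pid)  # VM_READ | QUERY_INFORMATION
        if not handle:
            raise ctypes.WinError(ctypes.get_last_error())
        try:
            buf = (ctypes.c_ubyte * size)()
            got = ctypes.c_size_t()
            if not _k32.ReadProcessMemory(handle, addr, ctypes.addressof(buf), size, ctypes.byref(got)):
                raise ctypes.WinError(ctypes.get_last_error())
            remote = bytes(buf[: got.value])
        finally:
            _k32.CloseHandle(handle)
        return check_function(addr, remote, local)


if __name__ == "__main__":
    print(check_function(HOOKED_FUNC_ADDR, CLEAN_PROLOGUE + b"\x90" * 11, CLEAN_PROLOGUE))
    print(check_function(HOOKED_FUNC_ADDR, HOOKED_PROLOGUE + b"\x90" * 11, CLEAN_PROLOGUE))
    if sys.platform == "win32" and len(sys.argv) > 1:
        print(scan_process(int(sys.argv[1])))  # e.g. the PID of explorer.exe
```

Run without arguments to see the two constructed cases; on Windows, pass the PID of explorer.exe to compare its kernel32!CreateProcessInternalW with the scanner's own copy. A "clean" verdict on that one function does not clear the machine: the post says this variant also sits in Winlogon.exe, and the Winsock hooks are only placed once a browser has been started, so each suspect process and function has to be checked separately.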

Removing the infection is currently proving difficult because the infection looks different on every machine. Simply deleting the infected files is not an option either, as Winlogon.exe and Explorer.exe are vital parts of the operating system.

Hitman Pro build 109 currently replaces the infected Explorer.exe with a clean copy of the file. But because the Winlogon.exe infection remains, Explorer.exe gets infected again upon reboot.

A new build of Hitman Pro will be released to remediate Winlogon.exe as well.

One Response to Bamital trojan infects Winlogon.exe and Explorer.exe

  1. […] / Drooptroop remediation In my previous post I talked about a new variant of the Bamital trojan that is infecting explorer.exe, winlogon.exe and […]
