BatBitRst Adware
Threat Scorecard
Ranking: 9,729
Threat Level: 20 % (Normal)
Infected Computers: 13
First Seen: September 8, 2023
Last Seen: September 20, 2023
OS(es) Affected: Windows
The BatBitRst program is categorized as adware due to its activity on compromised computers. Computer security analysts reported the discovery of BatBitRst adware in the last week of December 2017. The BatBitRst adware appears to be based on the FileTour adware that emerged in April 2016. Unlike the original adware, BatBitRst is programmed to use a browser extension and a standalone executable to facilitate its operations. The BatBitRst adware is known to land on computers via free software packages, and it may be promoted on questionable browser extension platforms.
Users reported downloading a file called 'setupft.exe' shortly before the BatBitRst adware began causing trouble. As mentioned above, the BatBitRst adware installs a browser extension called 'ScriptGate' into Google Chrome. The ScriptGate extension has the ID eeocknbjpmfgaclencnfjfkklmmfmiie (code for archival and research purposes: crx.dam.io/ext/eeocknbjpmfgaclencnfjfkklmmfmiie.html), and it was removed from the Chrome Web Store soon after it was confirmed to be used by adware. The primary executable for the BatBitRst adware is packed as a batch file, which is added to the list of startup programs in Windows. The following files are used by BatBitRst:
C:\Program Files (x86)\KhYa.bat
C:\Users\username\AppData\Roaming\UasT.bat
C:\Program Files (x86)\iwiVOmfq.exe
Compromised users may find the following directories on the primary system disk:
C:\WINDOWS\System32\Tasks\OUtyCVNqAaOi
C:\WINDOWS\System32\Tasks\dzopercomjhar
C:\WINDOWS\System32\Tasks\guVuxYChKd
C:\WINDOWS\System32\Tasks\uFOImaUXBQltA
Lab tests showed that the BatBitRst adware connects to domains like liflingen[.]info and retrieves commands that specify which types of ads it should inject into pages. The ScriptGate extension is known to substitute the native ads on pages and load commercials facilitated by BatBitRst. The BatBitRst adware is also reported to change the default search in Google Chrome to h[tt]p://go.mail.ru/distib/ep/?q={search terms}&fr=ntg&product_id=%7B3CAEDA96-5174-4654-B4DF-3D12B91DB174%7D&gp=811142 and to set up a new tab page that shows in the Omnibox as 'chrome-extension://lfgkmlldjpjacgicdjmmgcboihbghpal/visual-bookmarks.html'. The BatBitRst adware may change the home page in Mozilla Firefox to h[tt]p://mail[.]ru/cnt/10445?gp=811141.
The ads generated via the ScriptGate extension and the BatBitRst adware might redirect Web surfers to phishing pages and cyber threats. It is recommended to eliminate the BatBitRst adware and associated browser extensions with the help of a credible anti-malware scanner. AV engines may use detection names like Adware.StartPage.BatBitRst, Adware.FileTour.BatBitRst and Adware.ScriptGate.BatBitRst to notify users that their systems are infected.
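The file paths, task entries and extension IDs listed above can be checked on a host with a short read-only sweep. This is an added example, not EnigmaSoft's tooling; the function name is hypothetical, and the Chrome profile location (AppData\Local\Google\Chrome\User Data) is the default install path, assumed here because the page does not state it.

```powershell
# Added example: read-only sweep for the BatBitRst artifacts listed on this page.
# Run elevated so that every user profile under C:\Users is readable.

# Machine-wide paths exactly as listed in the write-up.
$fixedPaths = @(
    'C:\Program Files (x86)\KhYa.bat',
    'C:\Program Files (x86)\iwiVOmfq.exe',
    'C:\WINDOWS\System32\Tasks\OUtyCVNqAaOi',
    'C:\WINDOWS\System32\Tasks\dzopercomjhar',
    'C:\WINDOWS\System32\Tasks\guVuxYChKd',
    'C:\WINDOWS\System32\Tasks\uFOImaUXBQltA'
)
# The page lists C:\Users\username\AppData\Roaming\UasT.bat; checked per profile.
$perUserFile = 'AppData\Roaming\UasT.bat'
# Chrome extension IDs named on this page.
$extensionIds = @(
    'eeocknbjpmfgaclencnfjfkklmmfmiie',   # ScriptGate
    'lfgkmlldjpjacgicdjmmgcboihbghpal'    # new tab page (visual-bookmarks.html)
)

function Find-BatBitRstArtifact {   # hypothetical name
    param([string]$UsersRoot = 'C:\Users')

    foreach ($p in $fixedPaths) {
        if (Test-Path -LiteralPath $p) {
            [pscustomobject]@{ Type = 'File/Task'; Path = $p }
        }
    }
    foreach ($userDir in Get-ChildItem -LiteralPath $UsersRoot -Directory -ErrorAction SilentlyContinue) {
        $bat = Join-Path $userDir.FullName $perUserFile
        if (Test-Path -LiteralPath $bat) {
            [pscustomobject]@{ Type = 'File/Task'; Path = $bat }
        }
        foreach ($id in $extensionIds) {
            # '*' stands for the Chrome profile folder (Default, Profile 1, ...).
            # Assumed default Chrome location; not stated on the page.
            $glob = Join-Path $userDir.FullName "AppData\Local\Google\Chrome\User Data\*\Extensions\$id"
            Get-Item -Path $glob -ErrorAction SilentlyContinue | ForEach-Object {
                [pscustomobject]@{ Type = 'ChromeExtension'; Path = $_.FullName }
            }
        }
    }
}

$found = @(Find-BatBitRstArtifact)
if ($found.Count -eq 0) { 'No listed BatBitRst artifacts found.' }
else { $found | Format-Table -AutoSize }
```

A clean result only means these specific names are absent; the randomized-looking file and task names above suggest other installs may use different ones.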
URLs
BatBitRst Adware may call the following URLs:
evrbtd.com