
BatBitRst Adware

By GoldSparrow in Adware

Threat Scorecard

Ranking: 9,729
Threat Level: 20 % (Normal)
Infected Computers: 13
First Seen: September 8, 2023
Last Seen: September 20, 2023
OS(es) Affected: Windows

The BatBitRst program is categorized as adware because of its activity on compromised computers. Computer security analysts reported the discovery of BatBitRst adware in the last week of December 2017. The BatBitRst adware appears to be based on the FileTour adware that emerged in April 2016. Unlike the original adware, BatBitRst is programmed to use a browser extension and a standalone executable to facilitate its operations. The BatBitRst adware is known to land on computers via free software packages, and it may be promoted on questionable browser extension platforms.

Users reported downloading a file called 'setupft.exe' shortly before the BatBitRst adware began causing trouble. As mentioned above, the BatBitRst adware installs a browser extension called 'ScriptGate' into Google Chrome. The ScriptGate extension has the ID eeocknbjpmfgaclencnfjfkklmmfmiie (code for archival and research purposes: crx.dam.io/ext/eeocknbjpmfgaclencnfjfkklmmfmiie.html), and it was removed from the Chrome Web Store soon after it was confirmed to be used by adware. The primary executable for the BatBitRst adware is packed as a batch file, which is added to the list of startup programs in Windows. The following files are used by BatBitRst:

C:\Program Files (x86)\KhYa.bat
C:\Users\username\AppData\Roaming\UasT.bat
C:\Program Files (x86)\iwiVOmfq.exe

Compromised users may find the following directories on the primary system disk:

C:\WINDOWS\System32\Tasks\OUtyCVNqAaOi
C:\WINDOWS\System32\Tasks\dzopercomjhar
C:\WINDOWS\System32\Tasks\guVuxYChKd
C:\WINDOWS\System32\Tasks\uFOImaUXBQltA

Lab tests showed that the BatBitRst adware connects to domains like liflingen[.]info and retrieves commands that specify what type of ads it should inject on pages. The ScriptGate extension is known to substitute the native ads on pages and load commercials facilitated by BatBitRst. Also, the BatBitRst adware is reported to change the default search in Google Chrome to h[tt]p://go.mail.ru/distib/ep/?q={search terms}&fr=ntg&product_id=%7B3CAEDA96-5174-4654-B4DF-3D12B91DB174%7D&gp=811142 and set up a new tab page that shows in the Omnibox as 'chrome-extension://lfgkmlldjpjacgicdjmmgcboihbghpal/visual-bookmarks.html'. The BatBitRst adware may change the home page in Mozilla Firefox to h[tt]p://mail[.]ru/cnt/10445?gp=811141.

The ads generated via the ScriptGate extension and the BatBitRst adware might redirect Web surfers to phishing pages and cyber threats. It is recommended to eliminate the BatBitRst adware and associated browser extensions with the help of a credible anti-malware scanner. AV engines may use detection names like Adware.StartPage.BatBitRst, Adware.FileTour.BatBitRst and Adware.ScriptGate.BatBitRst to notify users that their systems are infected.
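A read-only sweep for the indicators listed above, as an added example that is not part of the original entry or of any vendor tool: it checks a system drive for the named files, task entries, extension folders and browser-setting strings. The indicator values are copied from this page; the browser profile locations and the `sweep` function name are assumptions.

```python
from pathlib import Path

# Indicators copied from this page; paths are relative to the system drive.
FILES = ["Program Files (x86)/KhYa.bat",
         "Program Files (x86)/iwiVOmfq.exe",
         "Users/*/AppData/Roaming/UasT.bat"]   # 'username' on the page -> any user
TASKS = ["OUtyCVNqAaOi", "dzopercomjhar", "guVuxYChKd", "uFOImaUXBQltA"]
EXTENSION_IDS = ["eeocknbjpmfgaclencnfjfkklmmfmiie",   # ScriptGate
                 "lfgkmlldjpjacgicdjmmgcboihbghpal"]   # new tab page extension
PREF_MARKERS = ["go.mail.ru/distib", "gp=811142", "mail.ru/cnt/10445"]

# Assumption: standard per-user browser profile locations (not from the page).
CHROME_PROFILES = "Users/*/AppData/Local/Google/Chrome/User Data/*"
PREF_FILES = [CHROME_PROFILES + "/Preferences",
              CHROME_PROFILES + "/Secure Preferences",
              "Users/*/AppData/Roaming/Mozilla/Firefox/Profiles/*/prefs.js"]


def sweep(root="C:/"):
    """Return sorted (kind, path, detail) findings under a system-drive root."""
    root = Path(root)
    hits = []
    for pattern in FILES:
        hits += [("file", p, p.name) for p in root.glob(pattern)]
    for name in TASKS:
        task = root / "Windows/System32/Tasks" / name
        if task.exists():
            hits.append(("task", task, name))
    for ext_id in EXTENSION_IDS:
        for p in root.glob(f"{CHROME_PROFILES}/Extensions/{ext_id}"):
            hits.append(("extension", p, ext_id))
    for pattern in PREF_FILES:
        for p in root.glob(pattern):
            if not p.is_file():
                continue
            # Plain substring match: no assumption about the settings file schema.
            text = p.read_text(encoding="utf-8", errors="ignore")
            hits += [("setting", p, m) for m in PREF_MARKERS if m in text]
    return sorted((kind, str(path), detail) for kind, path, detail in hits)


if __name__ == "__main__":
    for kind, path, detail in sweep():
        print(f"{kind:10} {detail:34} {path}")
```

Pass the mount point of an offline disk image as `root` to run the same checks during triage; reading the Tasks folder on a live system generally requires an elevated prompt.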

URLs

BatBitRst Adware may call the following URLs:

evrbtd.com
