Win32/Bamital [Threat Name]
Win32/Bamital.GI [Threat Variant Name]
Category: trojan
Size: 36352 B
Aliases: Trojan-Ransom.Win32.Agent.ies (Kaspersky), Atros.ZV (AVG)
Short description
Win32/Bamital.GI is a trojan that blocks access to the Windows operating system.
Installation
The trojan does not create any copies of itself. The following files may be dropped:
- %temp%\regsvr.dll
The following files are modified:
- %windir%\system32\advapi32.dll
- %windir%\system32\user32.dll
- %windir%\system32\dllcache\advapi32.dll
- %windir%\system32\dllcache\user32.dll
- %windir%\ServicePackFiles\i386\advapi32.dll
- %windir%\ServicePackFiles\i386\user32.dll
- %windir%\SysWow64\advapi32.dll
- %windir%\SysWow64\user32.dll
The modified file contains the original program code along with the program code of the infiltration.
The host file is modified in a way that causes the trojan to be executed prior to running the original code.
The trojan may set the following Registry entries:
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
  - "Nologoff" = 1
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
  - "DisableLockWorkstation" = 1
  - "DisableFastUserSwitching" = 1
  - "DisableTaskMgr" = 1
- [HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
  - "Nologoff" = 1
- [HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Policies\System]
  - "DisableLockWorkstation" = 1
  - "DisableFastUserSwitching" = 1
  - "DisableTaskMgr" = 1
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sr\Parameters]
  - "FirstRun" = 1
The trojan may delete the following Registry entries:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
  - "DisableSR"
- [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot]
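A read-only audit of a host for the registry values, dropped files and modified system DLLs listed in this entry, written here as an added example and not part of the ESET description. It assumes the current user's HKCU hive is the one the trojan wrote to, and that `Get-AuthenticodeSignature` can validate catalog-signed OS binaries (on older Windows versions it may report them as NotSigned, so treat that status as a prompt for `sfc /verifyonly`, not as proof of tampering).

```powershell
# Added example: audit for Win32/Bamital.GI indicators. Reports only, changes nothing.
$findings = @()

# Policy values the trojan sets to 1. Legitimate Group Policy can also set these,
# so a hit is a lead to investigate rather than a confirmed infection.
$policyChecks = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'Nologoff' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableLockWorkstation' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableFastUserSwitching' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableTaskMgr' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\sr\Parameters';            Name = 'FirstRun' }
)
foreach ($c in $policyChecks) {
    $v = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    if ($v -and $v.($c.Name) -eq 1) {
        $findings += "Registry: $($c.Path)\$($c.Name) = 1"
    }
}

# The trojan deletes the SafeBoot key; its absence means Safe Mode no longer works.
if (-not (Test-Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot')) {
    $findings += 'Registry: SafeBoot key is missing'
}

# Files the entry says may be dropped into %temp%.
foreach ($f in @("$env:TEMP\regsvr.dll", "$env:TEMP\dllhost.exe")) {
    if (Test-Path $f) { $findings += "File present: $f" }
}

# The entry says advapi32.dll and user32.dll are patched to run the trojan first.
# A patched copy no longer matches its Microsoft signature. Assumption: catalog
# signatures are resolvable here; older systems may report NotSigned for clean files.
foreach ($dll in @("$env:windir\system32\advapi32.dll", "$env:windir\system32\user32.dll")) {
    if (Test-Path $dll) {
        $sig = Get-AuthenticodeSignature -FilePath $dll
        if ($sig.Status -ne 'Valid') { $findings += "Signature $($sig.Status): $dll" }
    }
}

if ($findings.Count -gt 0) { $findings } else { 'No Bamital.GI indicators found' }
```

Run from an elevated prompt so the HKLM and system32 checks are not blocked by permissions; a clean system should print the final line only.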
Other information
The trojan may execute the following commands:
- regsvr32 /s "%temp%\regsvr.dll"
- %temp%\dllhost.exe "%windir%\SysWoW64\regsvr32.exe /s %temp%\regsvr.dll"
- %windir%\system32\cmd.exe /c %windir%\SysWow64\cliconfg.exe
- %windir%\sysnative\cmd.exe /c %windir%\SysWow64\cliconfg.exe
The trojan contains the program code of the following malware:
- Win32/LockScreen.BMA
The trojan can create and run a new thread with its own program code within the following processes:
- svchost.exe
The following programs are terminated:
- taskmgr.exe
- regedit.exe
- msconfig.exe
- cmd.exe
- rstrui.exe
- procexp.exe
- procexp64.exe
The trojan hooks the following Windows APIs:
- ExitProcess (kernel32.dll)
The trojan may delete the following files:
- %windir%\system32\sysprep\shcore.dll
- %windir%\system32\sysprep\cryptbase.dll
- %windir%\sysnative\sysprep\shcore.dll
- %windir%\sysnative\sysprep\cryptbase.dll
- %temp%\dllhost.exe