Win32/Bamital [Threat Name]

Win32/Bamital.GI [Threat Variant Name]

Category: trojan
Size: 36352 B
Aliases: Trojan-Ransom.Win32.Agent.ies (Kaspersky), Atros.ZV (AVG)
Short description

Win32/Bamital.GI is a trojan that blocks access to the Windows operating system.

Installation

The trojan does not create any copies of itself. The following files may be dropped:

  • %temp%\regsvr.dll

The following files are modified:

  • %windir%\system32\advapi32.dll
  • %windir%\system32\user32.dll
  • %windir%\system32\dllcache\advapi32.dll
  • %windir%\system32\dllcache\user32.dll
  • %windir%\ServicePackFiles\i386\advapi32.dll
  • %windir%\ServicePackFiles\i386\user32.dll
  • %windir%\SysWow64\advapi32.dll
  • %windir%\SysWow64\user32.dll

The modified file contains the original program code along with the program code of the infiltration. The host file is modified in a way that causes the trojan to be executed prior to running the original code.

The trojan may set the following Registry entries:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
    • "Nologoff" = 1
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    • "DisableLockWorkstation" = 1
    • "DisableFastUserSwitching" = 1
    • "DisableTaskMgr" = 1
  • [HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
    • "Nologoff" = 1
  • [HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    • "DisableLockWorkstation" = 1
    • "DisableFastUserSwitching" = 1
    • "DisableTaskMgr" = 1
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sr\Parameters]
    • "FirstRun" = 1

The trojan may delete the following Registry entries:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
    • "DisableSR"
  • [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot]

Other information

The trojan may execute the following commands:

  • regsvr32 /s "%temp%\regsvr.dll"
  • %temp%\dllhost.exe "%windir%\SysWoW64\regsvr32.exe /s %temp%\regsvr.dll"
  • %windir%\system32\cmd.exe /c %windir%\SysWow64\cliconfg.exe
  • %windir%\sysnative\cmd.exe /c %windir%\SysWow64\cliconfg.exe

The trojan contains the program code of the following malware:

  • Win32/LockScreen.BMA

The trojan can create and run a new thread with its own program code within the following processes:

  • svchost.exe

The following programs are terminated:

  • taskmgr.exe
  • regedit.exe
  • msconfig.exe
  • cmd.exe
  • rstrui.exe
  • procexp.exe
  • procexp64.exe

The trojan hooks the following Windows APIs:

  • ExitProcess (kernel32.dll)

The trojan may delete the following files:

  • %windir%\system32\sysprep\shcore.dll
  • %windir%\system32\sysprep\cryptbase.dll
  • %windir%\sysnative\sysprep\shcore.dll
  • %windir%\sysnative\sysprep\cryptbase.dll
  • %temp%\dllhost.exe
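
A defender-side triage check for the artifacts this entry lists, added here as an example and not taken from ESET or from the threat description: it reads the lock-out policy values, the System Restore and SafeBoot keys, the dropped %temp% files, and the signature status of the listed host DLLs. Paths and value names are the entry's; walking every loaded hive under HKEY_USERS and the Authenticode check are this script's own additions.

```powershell
# Added triage check, not ESET's own code: paths and value names are from the entry;
# the HKEY_USERS walk and the signature test are this script's additions.
function Test-BamitalArtifacts {
    $findings = [System.Collections.Generic.List[string]]::new()
    # Lock-out policy values the trojan sets to 1.
    $policyValues = @(
        @{ Key = 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'Nologoff' },
        @{ Key = 'Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableLockWorkstation' },
        @{ Key = 'Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableFastUserSwitching' },
        @{ Key = 'Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableTaskMgr' }
    )
    # The entry lists both HKCU and HKEY_USERS, so check HKCU and every loaded user hive.
    $roots = @('HKCU:') + @(Get-ChildItem 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
        ForEach-Object { "Registry::$($_.Name)" })
    foreach ($root in $roots) {
        foreach ($pv in $policyValues) {
            $path = "$root\$($pv.Key)"
            $item = Get-ItemProperty -Path $path -Name $pv.Name -ErrorAction SilentlyContinue
            if ($item -and $item.($pv.Name) -eq 1) { $findings.Add("$($pv.Name)=1 under $path") }
        }
    }
    # System Restore / Safe Mode tampering: FirstRun forced to 1, SafeBoot key deleted.
    $sr = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\sr\Parameters' -Name FirstRun -ErrorAction SilentlyContinue
    if ($sr -and $sr.FirstRun -eq 1) { $findings.Add('sr\Parameters FirstRun=1') }
    if (-not (Test-Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot')) {
        $findings.Add('SafeBoot key missing; Safe Mode boot would fail')
    }
    # Helper files the trojan drops in %temp%.
    foreach ($name in 'regsvr.dll', 'dllhost.exe') {
        $p = Join-Path $env:TEMP $name
        if (Test-Path $p) { $findings.Add("dropped file present: $p") }
    }
    # Host DLLs the trojan patches so its code runs before the original entry point;
    # the patch breaks the file's signature. Catalog-signed system files can still show
    # NotSigned on older Windows, so confirm any hit with 'sfc /verifyonly' or a hash check.
    $hostDlls = 'system32\advapi32.dll', 'system32\user32.dll', 'system32\dllcache\advapi32.dll',
        'system32\dllcache\user32.dll', 'ServicePackFiles\i386\advapi32.dll',
        'ServicePackFiles\i386\user32.dll', 'SysWow64\advapi32.dll', 'SysWow64\user32.dll'
    foreach ($rel in $hostDlls) {
        $p = Join-Path $env:windir $rel
        if (-not (Test-Path $p)) { continue }
        $sig = Get-AuthenticodeSignature -FilePath $p
        if ($sig.Status -ne 'Valid') { $findings.Add("${p}: signature $($sig.Status)") }
    }
    return $findings
}
Test-BamitalArtifacts
```

Run it from an elevated PowerShell on the suspect host; an empty result means none of the listed artifacts were found, not that the host is clean.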
