Win32/Bancteian [Threat Name] go to Threat

Win32/Bancteian.A [Threat Variant Name]

Category trojan
Size 3094038 B
Detection created Dec 24, 2015
Detection database version 12773
Aliases Trojan:Win32/Bancteian.C (Microsoft)
Short description

Win32/Bancteian.A is a trojan which tries to download other malware from the Internet.


When executed, the trojan copies itself into the following location:

  • %windir%\­wininit.exe

The %windir%\wininit.exe file(s) may have the System (S) and Hidden (H) attributes present in attempt to hide the file in Windows Explorer.

In order to be executed on every system start, the trojan sets the following Registry entries:

  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Winlogon]
    • "Userinit" = "userinit.exe, cmd.exe /c start %windir%\­wininit.exe"
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "Microsoft Windows" = "%malwarefilepath%"

The following Registry entry is set:

  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Explorer\­Advanced]
    • "ShowSuperHidden" = 0

The trojan may set the following Registry entries:

  • [HKEY_LOCAL_MACHINE\­Software\­Microsoft\­Windows\­CurrentVersion\­Policies\­System]
    • "ConsentPromptBehaviorAdmin" = 0
    • "PromptOnSecureDesktop" = 0
    • "EnableLUA" = 0
Other information

The trojan contains a list of (2) URLs.

It tries to download a file from the addresses.

The file is stored in the following location:

  • %appdata%\­udsys.exe

The file is then executed. The HTTPS protocol is used in the communication.

Please enable Javascript to ensure correct displaying of this content and refresh this page.