PUA.BAT.ServicePermit.B
Windows

Threat Type: Potentially Unwanted Application
Destructiveness: No
Encrypted: No
In the wild: Yes
OVERVIEW
This Potentially Unwanted Application arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
TECHNICAL DETAILS
Arrival Details
This Potentially Unwanted Application arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Installation
This Potentially Unwanted Application adds the following processes:
- %System%\rundll32.exe inetcpl.cpl ResetIEtoDefaults
- %System%\ieunatt.exe specialize
- reg add "HKCU\Software\Microsoft\INTERNET EXPLORER\MINIE" /v "ShowStatusBar" /t REG_DWORD /d 1 /f
- reg add "HKCU\Software\Microsoft\INTERNET EXPLORER\MINIE" /v "LinksBandEnabled" /t REG_DWORD /d 1 /f
- reg add "HKCU\Software\Microsoft\INTERNET EXPLORER\MINIE" /v "AlwaysShowMenus" /t REG_DWORD /d 1 /f
- reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v AutoDetect /t REG_DWORD /d 1 /f
- reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v AutoConfigURL /t REG_SZ /d "http://pro{BLOCKED}g.sbi.co.in/pro{BLOCKED}g.pac" /f
- reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\i""svr1" /v https /t REG_DWORD /d 2 /f
- reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\{BLOCKED}s.com" /v http /t REG_DWORD /d 2 /f
- reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\{BLOCKED}anktimes.in" /v https /t REG_DWORD /d 2 /f
- reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\{BLOCKED}pramaan.gov.in" /v https /t REG_DWORD /d 2 /f
- reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\{BLOCKED}.{BLOCKED}.{BLOCKED}.*" /v ftp /t REG_DWORD /d 2 /f
- reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\{BLOCKED}x.sbi.co.in" /v https /t REG_DWORD /d 2 /f
- reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\{BLOCKED}learning.sbi.co.in" /v https /t REG_DWORD /d 2 /f
- reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\{BLOCKED}b.core" /v http /t REG_DWORD /d 2 /f
- reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\{BLOCKED}uch.co.in" /v https /t REG_DWORD /d 2 /f
- reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\{BLOCKED}line.com" /v https /t REG_DWORD /d 2 /f
- reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\{BLOCKED}b.camsonline.com" /v https /t REG_DWORD /d 2 /f
- reg add "HKCU\Software\Microsoft\INTERNET EXPLORER\New Windows" /v "PopupMgr" /t REG_DWORD /d 0 /f
- reg add "HKCU\Software\Microsoft\Internet Explorer\Privacy" /v ClearBrowsingHistoryOnExit /t REG_DWORD /d 1 /f
- reg add "HKCU\Software\Microsoft\Internet Explorer\Privacy" /v CleanForms /t REG_DWORD /d 1 /f
- reg add "HKCU\Software\Microsoft\Internet Explorer\Privacy" /v CleanDownloadHistory /t REG_DWORD /d 1 /f
- reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v SyncMode5 /t REG_DWORD /d 3 /f
- reg add "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\BrowserEmulation" /v MSCompatibilityMode /t REG_DWORD /d 1 /f
- reg add "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\BrowserEmulation" /v AllSitesCompatibilityMode /t REG_DWORD /d 1 /f
- reg add "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\BrowserEmulation" /v IntranetCompatibilityMode /t REG_DWORD /d 1 /f
- reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1" /v "1406" /t REG_DWORD /d 0 /f
- reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2" /v "1406" /t REG_DWORD /d 0 /f
- reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" /v "1406" /t REG_DWORD /d 0 /f
- reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1" /v "1609" /t REG_DWORD /d 0 /f
- reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2" /v "1609" /t REG_DWORD /d 0 /f
- reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" /v "1609" /t REG_DWORD /d 0 /f
Other System Modifications
This Potentially Unwanted Application adds the following registry entries:
HKEY_CURRENT_USER\Software\Microsoft\
INTERNET EXPLORER\MINIE
ShowStatusBar = 1
(Note: The default value data of the said registry entry is 1.)
HKEY_CURRENT_USER\Software\Microsoft\
INTERNET EXPLORER\MINIE
LinksBandEnabled = 1
(Note: The default value data of the said registry entry is 1.)
HKEY_CURRENT_USER\Software\Microsoft\
INTERNET EXPLORER\MINIE
AlwaysShowMenus = 1
(Note: The default value data of the said registry entry is 1.)
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings
AutoDetect = 1
(Note: The default value data of the said registry entry is 1.)
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings\
ZoneMap\Domains\i""svr1
https = 2
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings\
ZoneMap\Domains\{BLOCKED}s.com
http = 2
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings
AutoConfigURL = http://pro{BLOCKED}g.sbi.co.in/pro{BLOCKED}g.pac
(Note: The default value data of the said registry entry is {Empty String}.)
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings\
ZoneMap\Domains\{BLOCKED}anktimes.in
https = 2
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings\
ZoneMap\Domains\{BLOCKED}pramaan.gov.in
https = 2
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings\
ZoneMap\Domains\{BLOCKED}.{BLOCKED}.{BLOCKED}.*
ftp = 2
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings\
ZoneMap\Domains\{BLOCKED}x.sbi.co.in
https = 2
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings\
ZoneMap\Domains\{BLOCKED}learning.sbi.co.in
https = 2
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings\
ZoneMap\Domains\{BLOCKED}b.core
http = 2
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings\
ZoneMap\Domains\{BLOCKED}uch.co.in
https = 2
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings\
ZoneMap\Domains\{BLOCKED}line.com
https = 2
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings\
ZoneMap\Domains\{BLOCKED}b.camsonline.com
https = 2
HKEY_CURRENT_USER\Software\Microsoft\
INTERNET EXPLORER\New Windows
PopupMgr = 0
(Note: The default value data of the said registry entry is 1.)
HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer\Privacy
ClearBrowsingHistoryOnExit = 1
(Note: The default value data of the said registry entry is 0.)
HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer\Privacy
CleanForms = 1
(Note: The default value data of the said registry entry is 0.)
HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer\Privacy
CleanDownloadHistory = 1
(Note: The default value data of the said registry entry is 0.)
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings
SyncMode5 = 3
(Note: The default value data of the said registry entry is 4.)
HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer\BrowserEmulation
MSCompatibilityMode = 1
HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer\BrowserEmulation
AllSitesCompatibilityMode = 1
(Note: The default value data of the said registry entry is 0.)
HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer\BrowserEmulation
IntranetCompatibilityMode = 1
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings\
Zones\1
1406 = 0
(Note: The default value data of the said registry entry is 3.)
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings\
Zones\2
1406 = 0
(Note: The default value data of the said registry entry is 3.)
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings\
Zones\3
1406 = 0
(Note: The default value data of the said registry entry is 3.)
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings\
Zones\1
1609 = 0
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings\
Zones\2
1609 = 0
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings\
Zones\3
1609 = 0
Other Details
This Potentially Unwanted Application adds the following registry keys:
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings\
ZoneMap\Domains\i""svr1
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings\
ZoneMap\Domains\{BLOCKED}s.com
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings\
ZoneMap\Domains\{BLOCKED}anktimes.in
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings\
ZoneMap\Domains\{BLOCKED}pramaan.gov.in
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings\
ZoneMap\Domains\{BLOCKED}.{BLOCKED}.{BLOCKED}.*
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings\
ZoneMap\Domains\{BLOCKED}x.sbi.co.in
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings\
ZoneMap\Domains\{BLOCKED}learning.sbi.co.in
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings\
ZoneMap\Domains\{BLOCKED}b.core
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings\
ZoneMap\Domains\{BLOCKED}uch.co.in
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings\
ZoneMap\Domains\{BLOCKED}line.com
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings\
ZoneMap\Domains\{BLOCKED}b.camsonline.com
It does the following:
- It resets the settings of Microsoft Internet Explorer to their defaults (rundll32.exe inetcpl.cpl ResetIEtoDefaults); the remaining commands then apply its own configuration on top of the reset state.
- It sets a proxy auto-configuration (PAC) script, http://pro{BLOCKED}g.sbi.co.in/pro{BLOCKED}g.pac, as the AutoConfigURL, so proxy selection for WinINet-based traffic is delegated to that remote script.
- It maps the listed domains to the Trusted sites zone (ZoneMap value data 2), exempting them from the restrictions of the Internet zone.
- It enables "Access data sources across domains" (action 1406 = 0) and "Display mixed content" (action 1609 = 0) in the Local intranet (Zones\1), Trusted sites (Zones\2) and Internet (Zones\3) zones.
- It disables the pop-up blocker (PopupMgr = 0) and configures browsing history, form data and download history to be cleared when the browser exits.
- It forces Compatibility View for all sites and for intranet sites (AllSitesCompatibilityMode = 1, IntranetCompatibilityMode = 1) and sets cached-page checking to every visit (SyncMode5 = 3).
SOLUTION
Step 1
Before doing any scans, Windows 7, Windows 8, Windows 8.1, and Windows 10 users must disable System Restore to allow full scanning of their computers.
Step 2
Note that not all files, folders, and registry keys and entries are installed on your computer during this malware's/spyware's/grayware's execution. This may be due to incomplete installation or other operating system conditions. If you do not find the same files/folders/registry information, please proceed to the next step.
Step 3
Delete these registry keys
Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.
- In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains
- i""svr1
- {BLOCKED}s.com
- {BLOCKED}anktimes.in
- {BLOCKED}pramaan.gov.in
- {BLOCKED}.{BLOCKED}.{BLOCKED}.*
- {BLOCKED}x.sbi.co.in
- {BLOCKED}learning.sbi.co.in
- {BLOCKED}b.core
- {BLOCKED}uch.co.in
- {BLOCKED}line.com
- {BLOCKED}b.camsonline.com
Step 4
Restore these modified registry values
Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this only if you know how to or you can seek your system administrator's help. You may also check out this Microsoft article first before modifying your computer's registry.
- In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
- AutoConfigURL = {Empty String}
- SyncMode5 = 4
- In HKEY_CURRENT_USER\Software\Microsoft\INTERNET EXPLORER\New Windows
- PopupMgr = 1
- In HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Privacy
- ClearBrowsingHistoryOnExit = 0
- CleanForms = 0
- CleanDownloadHistory = 0
- In HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\BrowserEmulation
- AllSitesCompatibilityMode = 0
- In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
- 1406 = 3
- In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
- 1406 = 3
- In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
- 1406 = 3
Note that this step does not cover the 1609 (Display mixed content) entries in Zones\1 to Zones\3 or the MSCompatibilityMode and IntranetCompatibilityMode entries under BrowserEmulation, which the application also sets and for which no default value data is documented above. Compare those against your organization's Internet Explorer baseline and reset them to it.
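The Python script below is an added example; it is not part of this Trend Micro entry or of the detected batch file. It parses reg add command lines of the form listed under Installation, as they would appear in the CommandLine field of a process-creation event (Sysmon Event ID 1, or Security event 4688 with command-line auditing enabled), names the Internet Explorer protection each one weakens, and prints the inverse reg command for Steps 3 and 4, using only the default value data this entry documents. The sample command lines are constructed from the Installation listing with the {BLOCKED} placeholders left in place; the zone numbers and the 1406/1609 action names are standard WinINet URL security zone values.

```python
# Added example (not part of the Trend Micro entry or the detected file):
# triage `reg add` command lines that weaken Internet Explorer and emit the
# inverse command for those whose default value data the entry documents.
import re

HIVES = {"HKCU": "HKEY_CURRENT_USER", "HKLM": "HKEY_LOCAL_MACHINE",
         "HKCR": "HKEY_CLASSES_ROOT", "HKU": "HKEY_USERS"}
IS = r"hkey_current_user\software\microsoft\windows\currentversion\internet settings"
IE = r"hkey_current_user\software\microsoft\internet explorer"
# URL security zone numbers as used in ZoneMap data and the Zones\<n> subkeys
ZONES = {"1": "Local intranet", "2": "Trusted sites", "3": "Internet", "4": "Restricted sites"}
# (key, value name) -> (type, data): only the defaults stated in the entry above
DEFAULTS = {(IS, "autoconfigurl"): ("REG_SZ", ""),
            (IS, "syncmode5"): ("REG_DWORD", "4"),
            (IE + r"\new windows", "popupmgr"): ("REG_DWORD", "1"),
            (IE + r"\browseremulation", "allsitescompatibilitymode"): ("REG_DWORD", "0")}
for _name in ("clearbrowsinghistoryonexit", "cleanforms", "cleandownloadhistory"):
    DEFAULTS[(IE + r"\privacy", _name)] = ("REG_DWORD", "0")
for _zone in "123":
    DEFAULTS[(IS + "\\zones\\" + _zone, "1406")] = ("REG_DWORD", "3")

# cmd.exe-style tokens: quoted runs (with "" as an escaped quote) or bare words
_TOKEN = re.compile(r'"((?:[^"]|"")*)"|(\S+)')


def parse_reg_add(cmdline):
    """Return {'key', 'value', 'type', 'data'} for a `reg add` line, else None."""
    toks = [q.replace('""', '"') if q else b for q, b in _TOKEN.findall(cmdline)]
    if len(toks) < 3 or toks[0].lower() != "reg" or toks[1].lower() != "add":
        return None
    hive, _, rest = toks[2].partition("\\")          # expand HKCU -> HKEY_CURRENT_USER
    change = {"key": HIVES.get(hive.upper(), hive.upper()) + "\\" + rest,
              "value": None, "type": "REG_SZ", "data": None}
    flags = {"/v": "value", "/t": "type", "/d": "data"}
    i = 3
    while i < len(toks):
        field = flags.get(toks[i].lower())
        if field and i + 1 < len(toks):
            change[field] = toks[i + 1]
            i += 2
        else:
            i += 1                                     # /f, /reg:32 ... carry no payload
    return change


def classify(change):
    """Name the IE protection a change weakens, or None if it is cosmetic."""
    key, data = change["key"].lower(), change["data"]
    val = (change["value"] or "").lower()
    m = re.match(re.escape(IS) + r"\\zonemap\\domains\\(.+)$", key)
    if m and data in ZONES:                            # domain added to a zone
        return f"{change['key'][m.start(1):]} mapped to {ZONES[data]} zone for scheme {val}"
    m = re.match(re.escape(IS) + r"\\zones\\([1-4])$", key)
    if m and val == "1406" and data == "0":
        return f"Access data sources across domains enabled in {ZONES[m.group(1)]} zone"
    if m and val == "1609" and data == "0":
        return f"Display mixed content enabled in {ZONES[m.group(1)]} zone"
    if key == IS and val == "autoconfigurl" and data:
        return f"proxy auto-config script set to {data}"
    if key == IE + r"\new windows" and val == "popupmgr" and data == "0":
        return "pop-up blocker disabled"
    if key == IE + r"\privacy" and data == "1":
        return f"{change['value']} enabled: browsing artefacts wiped on exit"
    return None


def remediate(change):
    """Inverse command: delete an added ZoneMap key or restore a documented default."""
    key, val = change["key"], change["value"] or ""
    if "\\zonemap\\domains\\" in key.lower():
        return f'reg delete "{key}" /f'
    default = DEFAULTS.get((key.lower(), val.lower()))
    if default is None:                                # e.g. 1609: no default on the page
        return f"REM review manually: no documented default for {key} \\ {val}"
    typ, data = default
    return f'reg add "{key}" /v {val} /t {typ} /d "{data}" /f'


def triage(cmdlines):
    """Return [(finding, remediation)] for every line that weakens IE."""
    results = []
    for line in cmdlines:
        change = parse_reg_add(line)
        finding = classify(change) if change else None
        if finding:
            results.append((finding, remediate(change)))
    return results


# Constructed from the Installation listing above; {BLOCKED} placeholders kept.
SAMPLE = [
    r'reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v AutoConfigURL /t REG_SZ /d "http://pro{BLOCKED}g.sbi.co.in/pro{BLOCKED}g.pac" /f',
    r'reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\{BLOCKED}x.sbi.co.in" /v https /t REG_DWORD /d 2 /f',
    r'reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" /v "1406" /t REG_DWORD /d 0 /f',
    r'reg add "HKCU\Software\Microsoft\INTERNET EXPLORER\New Windows" /v "PopupMgr" /t REG_DWORD /d 0 /f',
    r'reg add "HKCU\Software\Microsoft\INTERNET EXPLORER\MINIE" /v "ShowStatusBar" /t REG_DWORD /d 1 /f',  # cosmetic
    r'%System%\rundll32.exe inetcpl.cpl ResetIEtoDefaults',  # not a reg add
]

if __name__ == "__main__":
    for finding, fix in triage(SAMPLE):
        print(f"[!] {finding}\n    fix: {fix}")
```

Feed triage() the command lines of reg.exe process-creation events for the affected user and run the emitted commands in that user's context (the keys are under HKCU). The REM lines mark entries such as 1609 and the compatibility-mode values for which this entry documents no default and which need a manual comparison against your baseline.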
Step 5
Scan your computer with your Trend Micro product to delete files detected as PUA.BAT.ServicePermit.B. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check the following Trend Micro Support pages for more information: