PUA.BAT.ServicePermit.A

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Este malware no tiene ninguna rutina de propagación.

Este malware no tiene ninguna rutina de puerta trasera.

Este malware no tiene ninguna capacidad para robar información.

Detalles de entrada

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Instalación

Agrega los procesos siguientes:

• sc sdset scanplus D:(A;;CCLCSWRPLOCRRC;;;SY)(A;;CCLCSWRPLOCRRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;RPLO;;;S-1-5-32-544)(D;;DCSD;;;S-1-5-32-5444)S:(AU;FA;CCLCSWRPLOCRRCWDWO;;;WD)
• sc sdset scanpluspm D:(A;;CCLCSWRPLOCRRC;;;SY)(A;;CCLCSWRPLOCRRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;RPLO;;;S-1-5-32-544)(D;;DCSD;;;S-1-5-32-5444)S:(AU;FA;CCLCSWRPLOCRRCWDWO;;;WD)
• sc sdset secureitrservice D:(A;;CCLCSWRPLOCRRC;;;SY)(A;;CCLCSWRPLOCRRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;RPLO;;;S-1-5-32-544)(D;;DCSD;;;S-1-5-32-5444)S:(AU;FA;CCLCSWRPLOCRRCWDWO;;;WD)
• sc sdset tba D:(A;;CCLCSWRPLOCRRC;;;SY)(A;;CCLCSWRPLOCRRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;RPLO;;;S-1-5-32-544)(D;;DCSD;;;S-1-5-32-5444)S:(AU;FA;CCLCSWRPLOCRRCWDWO;;;WD)
• cmd /c REG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoControlPanel" /t REG_DWOrD /d 1 /f
• cmd /c REG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWOrD /d 1 /f
• cmd /c REG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRun" /t REG_DWOrD /d 1 /f
• cmd /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System" /v "DisableCMD" /t REG_DWOrD /d 2 /f
• cmd /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System" /v "DisableRegistryTools" /t REG_DWOrD /d 1 /f

Otras modificaciones del sistema

Agrega las siguientes entradas de registro:

HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows\CurrentVersion\Policies\
Explorer
NoControlPanel = 1

HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows\CurrentVersion\Policies\
System
DisableTaskMgr = 1

HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows\CurrentVersion\Policies\
Explorer
NoRun = 1

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\
Microsoft\Windows\System
DisableCMD = 2

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\
Microsoft\Windows\System
DisableRegistryTools = 1

Propagación

Este malware no tiene ninguna rutina de propagación.

Rutina de puerta trasera

Este malware no tiene ninguna rutina de puerta trasera.

Robo de información

Este malware no tiene ninguna capacidad para robar información.

Otros detalles

Hace lo siguiente:

• It sets the security descriptor for the services scanplus, scanpluspm, secureitrservice, and tba to include specific permissions for the following user groups:
  • DACL Settings:
    • Local System → Granted full control with specific permissions.
    • Built-in Administrators → Granted full control with additional write permissions.
    • Interactive Users → Granted specific permissions but with some limitations compared to System.
    • Service Users → Similar permissions to Interactive Users.
    • Administrators Group → Allowed read property and list object permissions.
    • Specific SID (S-1-5-32-5444) → Denied delete child and delete permissions
  • SACL Settings:
    • Audits all access with full permissions for Everyone.
• It disables access to the Control Panel, Task Manager, Command Prompt, and Registry Editor.
• It disables the "Run" command.