Technical Information
Malicious functions:
To bypass firewall, removes or modifies the following registry keys:
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'DoNotAllowExceptions' = '00000000'
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'EnableFirewall' = '00000000'
Executes the following:
- '<SYSTEM32>\net1.exe' stop security center
- '<SYSTEM32>\net1.exe' stop WinDefend
- '<SYSTEM32>\net.exe' stop WinDefend
- '<SYSTEM32>\netsh.exe' firewall set opmode disable
- '<SYSTEM32>\net.exe' stop security center
Searches for windows to
detect analytical utilities:
- ClassName: 'RegMonClass' WindowName: ''
- ClassName: 'FileMonClass' WindowName: ''
Modifies file system :
Creates the following files:
- %TEMP%\~DF7211.tmp
Miscellaneous:
Searches for the following windows:
- ClassName: 'Shell_TrayWnd' WindowName: ''