Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] 'Shell' = 'Explorer.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] 'UIHost' = 'logonui.exe'
Malicious functions:
To bypass firewall, removes or modifies the following registry keys:
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '<Full path to virus>' = '<Full path to virus>:*:Enabled:sys'
Executes the following:
- <SYSTEM32>\netsh.exe firewall add allowedprogram <Full path to virus> sys enable
- <SYSTEM32>\wscript.exe -b %TEMP%\1.tmp
- <SYSTEM32>\reg.exe delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" /f
- <SYSTEM32>\reg.exe delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /f
- <SYSTEM32>\reg.exe delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /f
Terminates or attempts to terminate
a large number of user processes.
Modifies file system :
Creates the following files:
- %TEMP%\1.tmp
Deletes the following files:
- %TEMP%\1.tmp
Miscellaneous:
Searches for the following windows:
- ClassName: 'Indicator' WindowName: ''