Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'AdobeARMS' = '%CommonProgramFiles%\AdobeARMS.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'patches' = '1'
Infects the following executable system files:
- <DRIVERS>\tcpip.sys
Malicious functions:
To bypass firewall, removes or modifies the following registry keys:
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '%CommonProgramFiles%\AdobeARMS.exe' = '%CommonProgramFiles%\AdobeARMS.exe:*:Enabled:AdobeARMS'
To complicate detection of its presence in the operating system,
forces the system hide from view:
- hidden files
Creates and executes the following:
- '%CommonProgramFiles%\AdobeARMS.exe'
- '%CommonProgramFiles%\AdobeARMS.exe' 308 "<Full path to virus>"
Modifies settings of Windows Explorer:
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] 'NoRun' = '00000001'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] 'NoFolderOptions' = '00000001'
Modifies file system :
Creates the following files:
- %CommonProgramFiles%\AdobeARMS.exe
Sets the 'hidden' attribute to the following files:
- %CommonProgramFiles%\AdobeARMS.exe
Network activity:
Connects to:
- 'ol####ne.mine.nu':7562
UDP:
- DNS ASK ol####ne.mine.nu