Technical Information
To ensure autorun and distribution:
Substitutes the following executable system files:
- <SYSTEM32>\cmd.exe with <SYSTEM32>\cmd.exe.new
- <SYSTEM32>\dllcache\rundll32.exe with <SYSTEM32>\dllcache\rundll32.exe.new
- <SYSTEM32>\rundll32.exe with <SYSTEM32>\rundll32.exe.new
Malicious functions:
To bypass firewall, removes or modifies the following registry keys:
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '<Full path to virus>' = '<Full path to virus>:*:Enabled:ipsec'
To complicate detection of its presence in the operating system,
blocks the following features:
- User Account Control (UAC)
Executes the following:
- <SYSTEM32>\telnet.exe
- <SYSTEM32>\notepad.exe
Injects code into
the following system processes:
- <SYSTEM32>\notepad.exe
a large number of user processes.