To bypass firewall, removes or modifies the following registry keys:
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '%TEMP%\IXP000.TMP\COPYOF~1.EXE' = '%TEMP%\IXP000.TMP\COPYOF~1.EXE:*:Enabled:ipsec'
To complicate detection of its presence in the operating system,
forces the system hide from view:
blocks the following features:
- User Account Control (UAC)
Creates and executes the following:
- %TEMP%\IXP000.TMP\COPYOF~1.EXE
Executes the following:
Injects code into
the following system processes:
a large number of user processes.
Searches for windows to
detect analytical utilities:
- ClassName: '' WindowName: 'Process Monitor - Sysinternals: www.sysinternals.com'
- ClassName: 'PROCMON_WINDOW_CLASS' WindowName: ''
- ClassName: '' WindowName: 'Registry Monitor - Sysinternals: www.sysinternals.com'
- ClassName: 'RegmonClass' WindowName: ''
- ClassName: '' WindowName: 'File Monitor - Sysinternals: www.sysinternals.com'
- ClassName: 'GBDYLLO' WindowName: ''
- ClassName: 'OLLYDBG' WindowName: ''
- ClassName: 'FilemonClass' WindowName: ''
- ClassName: 'pediy06' WindowName: ''
Hides the following processes:
- %TEMP%\IXP000.TMP\COPYOF~1.EXE