To bypass firewall, removes or modifies the following registry keys:
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '<SYSTEM32>\winlogon.exe' = '<SYSTEM32>\winlogon.exe:*:enabled:@shell32.dll,-1'
To complicate detection of its presence in the operating system,
forces the system hide from view:
blocks execution of the following system utilities:
- Windows Task Manager (Taskmgr)
- Registry Editor (RegEdit)
Executes the following:
- '<SYSTEM32>\logonui.exe' /status /shutdown
- '<SYSTEM32>\at.exe' 22:00 /interactive /EVERY:m,t,w,th,f,s,su <SYSTEM32>\logoneui.exe
- '<SYSTEM32>\at.exe' /delete /yes
Injects code into
the following system processes:
Terminates or attempts to terminate
the following system processes:
the following user processes:
Restores hooked functions in System Service Descriptor Table (SSDT).
Modifies settings of Windows Explorer:
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] 'NofolderOptions' = '00000001'
Sets a new unauthorized home page for Windows Internet Explorer.
Attempts to shut down the Windows operating system.