To bypass firewall, removes or modifies the following registry keys:
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List] '<SYSTEM32>\avmgsa.exe' = '<SYSTEM32>\avmgsa.exe:*:Enabled:Windows Live'
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '<SYSTEM32>\avmgsa.exe' = '<SYSTEM32>\avmgsa.exe:*:Enabled:Windows Live'
To complicate detection of its presence in the operating system,
forces the system hide from view:
blocks the following features:
- System Restore (SR)
- Windows Security Center
Creates and executes the following:
Executes the following:
- '<SYSTEM32>\sc.exe' config NOD32krn start= disabled
- '<SYSTEM32>\sc.exe' stop NOD32krn
- '<SYSTEM32>\ipconfig.exe' /flushdns
- '<SYSTEM32>\sc.exe' delete NOD32krn
- '<SYSTEM32>\net1.exe' stop NOD32krn
- '<SYSTEM32>\net.exe' stop NOD32krn
- '<SYSTEM32>\sc.exe' stop avg8wd
- '<SYSTEM32>\net.exe' stop avg8wd
- '<SYSTEM32>\sc.exe' config avg8wd start= disabled
- '<SYSTEM32>\sc.exe' delete avg8wd
- '<SYSTEM32>\net1.exe' stop avg8wd
Injects code into
the following system processes:
Terminates or attempts to terminate
the following user processes:
- GUARD.EXE
- spidernt.exe
- nod32.exe
- zlclient.exe
- ntvdm.exe
- MCAGENT.EXE
- fsav32.exe
- bdss.exe
- bdagent.exe
- 360tray.exe
- fsav.exe
- Drweb32w.exe
- ClamWin.exe
Searches for windows to
detect programs and games:
- ClassName: 'MSBLWindowClass' WindowName: ''
Hides the following processes:
- <Full path to virus>
- <SYSTEM32>\avmgsa.exe