To bypass firewall, removes or modifies the following registry keys:
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'DoNotAllowExceptions' = '00000000'
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'DisableNotifications' = '00000001'
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '%WINDIR%\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe' = '%WINDIR%\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe:*:Enabled:ipsec'
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'EnableFirewall' = '00000000'
To complicate detection of its presence in the operating system,
forces the system hide from view:
blocks execution of the following system utilities:
- Windows Task Manager (Taskmgr)
- Registry Editor (RegEdit)
blocks the following features:
- User Account Control (UAC)
- Windows Security Center
Creates and executes the following:
- '%HOMEPATH%\3md767cofr9g\ucbczxbciruo.exe' odtmvrz
Executes the following:
- '<SYSTEM32>\wbem\wmiadap.exe' /R /T
- '%WINDIR%\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe'
Injects code into
the following system processes:
a large number of user processes.
Modifies settings of Windows Explorer:
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] 'NoFolderOptions' = '00000001'