To bypass the firewall, removes or modifies the following registry keys:
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '%WINDIR%\Explorer.EXE' = '%WINDIR%\Explorer.EXE:*:Enabled:explorer'
Injects code into the following system processes:
Injects code into the following user processes:
Terminates or attempts to terminate the following user processes:
- zapro.exe
- zlclient.exe
- mpftray.exe
- outpost.exe
Searches for registry branches where third-party applications store passwords:
- [\REGISTRY\USER\S-1-5-20_Classes\SOFTWARE\Mirabilis\ICQ\NewOwners]
- [\REGISTRY\USER\S-1-5-20\SOFTWARE\Mirabilis\ICQ\NewOwners]
- [\REGISTRY\USER\S-1-5-18\SOFTWARE\Mirabilis\ICQ\NewOwners]
- [<HKCU>_Classes\SOFTWARE\Mirabilis\ICQ\NewOwners]
- [<HKCU>\SOFTWARE\Mirabilis\ICQ\NewOwners]
- [<HKLM>\Software\Miranda]
- [\REGISTRY\USER\S-1-5-19_Classes\SOFTWARE\Mirabilis\ICQ\NewOwners]
- [\REGISTRY\USER\S-1-5-19\SOFTWARE\Mirabilis\ICQ\NewOwners]
Hooks the following functions in the System Service Descriptor Table (SSDT):
- NtOpenThread, handler: semd64.sys
- NtQueryDirectoryFile, handler: semd64.sys
- NtQuerySystemInformation, handler: semd64.sys
- NtCreateProcess, handler: semd64.sys
- NtCreateProcessEx, handler: semd64.sys
- NtOpenProcess, handler: semd64.sys
Hides the following processes: