To bypass firewall, removes or modifies the following registry keys:
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '%WINDIR%\explorer.exe' = '%WINDIR%\explorer.exe:*:Enabled:Explorer'
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List] '%WINDIR%\explorer.exe' = '%WINDIR%\explorer.exe:*:Enabled:Explorer'
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'DisableNotifications' = '00000001'
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'DoNotAllowExceptions' = '00000000'
To complicate detection of its presence in the operating system,
forces the system hide from view:
- hidden files
- file extensions
blocks execution of the following system utilities:
- Windows Task Manager (Taskmgr)
blocks the following features:
- System File Checker (SFC)
- Windows Security Center
Creates and executes the following:
Executes the following:
- <SYSTEM32>\msg.exe * "Este instalador no es compatible con su sistema operativo."
- <SYSTEM32>\ping.exe -n 3 localhost
- %WINDIR%\regedit.exe /S "%TEMP%\genuine.reg"
- <SYSTEM32>\wscript.exe "%TEMP%\Genuine.vbs"
- <SYSTEM32>\rundll32.exe setupapi,InstallHinfSection DefaultInstall 132 %TEMP%\RarSFX0\on.inf
- <SYSTEM32>\runonce.exe -r
- <SYSTEM32>\grpconv.exe -o
Searches for registry branches where third party applications store passwords:
- [<HKCU>\Software\Microsoft\MSNMessenger]
Modifies settings of Windows Explorer:
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] 'NoFind' = '00000001'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] 'NoRun' = '00000001'