When the virus is executed, it copies itself as the following file:
%System%\drivers\[RANDOM FILE NAME].sys
The virus creates the following mutex so only one instance of the virus is running:
Op1mutx9
It then creates the following registry subkeys:
- HKEY_CURRENT_USER\Software\[USER NAME]914
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WMI_MFC_TPSHOKER_80
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_IPFILTERDRIVER
It then creates the following registry entry so that it bypasses the Windows Firewall:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\"[INFECTED FILE]" = "[INFECTED FILE]:*:Enabled:ipsec"
It modifies the following registry entries:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Setting\"GlobalUserOffline" = "0"
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\"EnableLUA" = "0"
The virus also deletes entries in the following registry subkeys:
- HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
It then registers itself as a new service with the following characteristics:
Service Name: WMI_MFC_TPSHOKER_80
Display Name: WMI_MFC_TPSHOKER_80
Startup Type: Automatic
It then deletes itself.
For futher info Read More
No comments:
Post a Comment