To bypass firewall, removes or modifies the following registry keys:
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '%CommonProgramFiles%\AdobeARMS.exe' = '%CommonProgramFiles%\AdobeARMS.exe:*:Enabled:AdobeARMS'
To complicate detection of its presence in the operating system,
forces the system hide from view:
Creates and executes the following:
- %CommonProgramFiles%\AdobeARMS.exe
- %CommonProgramFiles%\AdobeARMS.exe 308 "<Full path to virus>"
Modifies settings of Windows Explorer:
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] 'NoRun' = '00000001'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] 'NoFolderOptions' = '00000001'