Technical Information
Malicious functions:
To complicate detection of its presence in the operating system,
blocks execution of the following system utilities:
- Windows Update
- Windows Security Center
blocks the following features:
- System Restore (SR)
- User Account Control (UAC)
Executes the following:
- '<SYSTEM32>\sc.exe' delete wscsvc
- '<SYSTEM32>\sc.exe' delete wuauserv
- '<SYSTEM32>\sc.exe' delete MsMpSvc
- '<SYSTEM32>\msiexec.exe' /X /passive /quiet /norestart
- '<SYSTEM32>\sc.exe' delete WinDefend
- '<SYSTEM32>\msiexec.exe' /V
Searches for windows to
detect analytical utilities:
- ClassName: 'PROCMON_WINDOW_CLASS' WindowName: ''
- ClassName: 'RegMonClass' WindowName: ''
- ClassName: 'FileMonClass' WindowName: ''
