To bypass firewall, removes or modifies the following registry keys:
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'DisableNotifications' = '00000001'
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '<SYSTEM32>\winlogon.exe' = '<SYSTEM32>\winlogon.exe:*:enabled:@shell32.dll,-1'
- <Auxiliary element>
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '%TEMP%\SMRTNTKY.exe' = '%TEMP%\SMRTNTKY.exe:*:Enabled:ipsec'
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'EnableFirewall' = '00000000'
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'DoNotAllowExceptions' = '00000000'
To complicate detection of its presence in the operating system,
forces the system hide from view:
blocks execution of the following system utilities:
- Windows Task Manager (Taskmgr)
- Registry Editor (RegEdit)
blocks the following features:
- User Account Control (UAC)
- Windows Security Center
Creates and executes the following:
- '<SYSTEM32>\DEFAULT_NOT_SET.exe'
- '%TEMP%\svchost.exe'
- '%TEMP%\SMRTNTKY.exe'
- '<SYSTEM32>\DEFAULT_NOT_SET.exe' (downloaded from the Internet)
Executes the following:
- '<SYSTEM32>\at.exe' /delete /yes
- '<SYSTEM32>\at.exe' 09:00 /interactive /EVERY:m,t,w,th,f,s,su <SYSTEM32>\gphone.exe
- '%WINDIR%\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\wh8b3p02.cmdline"
- '%WINDIR%\Microsoft.NET\Framework\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES2.tmp" "%TEMP%\vbc1.tmp"
Injects code into
the following system processes:
a large number of user processes.
Restores hooked functions in System Service Descriptor Table (SSDT).
Modifies settings of Windows Explorer:
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] 'NofolderOptions' = '00000001'
Sets a new unauthorized home page for Windows Internet Explorer.