To complicate detection of its presence in the operating system, hides itself from view.
Executes the following:
- '%ProgramFiles%\Internet Explorer\IEXPLORE.EXE'
- '<SYSTEM32>\regsvr32.exe' /s <SYSTEM32>\ieban0.dll (the /s switch registers the DLL as a COM server silently, without any dialog)
Injects code into the following system processes:
Installs hooks to intercept keystroke notifications:
- Handler for all processes (a global hook DLL mapped into every process that receives input): <SYSTEM32>\cyban0.dll
Registers a BHO (Browser Helper Object), which Internet Explorer loads into its own process on start-up:
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{70F6E582-8FF4-4082-829E-C172131DE31A}]
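The BHO registration and the global hook handler above are the two artifacts a responder can check for on a live host. The following triage script is an added example, not part of the original description and not code from the malware's author or from the vendor that published this entry. It enumerates every BHO registered under HKLM, resolves each CLSID to its InprocServer32 DLL, checks the DLL's Authenticode signature, and then looks for the hook DLL in the module lists of running processes. The CLSID and the DLL names come from this description; the flagging rules, the assumption that the hook is installed with SetWindowsHookEx (so its DLL appears in many unrelated processes), and the output format are this example's own choices.

```powershell
# Added triage script: not from the original description or its author.
# Run from an elevated PowerShell prompt; protected processes are skipped.
$KnownBadClsid = '{70F6E582-8FF4-4082-829E-C172131DE31A}'   # CLSID listed in the description
$HookDll       = 'cyban0.dll'                                 # keystroke hook handler from the description
$ComDll        = 'ieban0.dll'                                 # DLL registered via regsvr32 /s in the description

# BHOs are listed in both the native and the WOW6432 view of the registry on 64-bit Windows.
$BhoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)

function Resolve-BhoServer {
    param([string]$Clsid)
    # A BHO is an in-process COM server; its DLL path is the default value of
    # HKLM\SOFTWARE\Classes\CLSID\{guid}\InprocServer32 (checked in both registry views).
    foreach ($root in 'HKLM:\SOFTWARE\Classes\CLSID', 'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID') {
        $key = Join-Path $root "$Clsid\InprocServer32"
        if (Test-Path $key) {
            $raw = (Get-ItemProperty -Path $key).'(default)'
            if ($raw) { return [Environment]::ExpandEnvironmentVariables($raw.Trim('"')) }
        }
    }
    return $null
}

$findings = foreach ($bhoKey in $BhoKeys) {
    if (-not (Test-Path $bhoKey)) { continue }
    foreach ($sub in Get-ChildItem -Path $bhoKey) {
        $clsid = $sub.PSChildName
        $dll   = Resolve-BhoServer -Clsid $clsid
        $sig   = if ($dll -and (Test-Path $dll)) {
                     (Get-AuthenticodeSignature -FilePath $dll).Status
                 } else { 'DllMissing' }
        [pscustomobject]@{
            Clsid      = $clsid
            Dll        = $dll
            Signature  = $sig
            # Flag the CLSID from this description, any unsigned/invalid server DLL,
            # or a server DLL whose file name matches the one registered by the sample.
            Suspicious = ($clsid -ieq $KnownBadClsid) -or ($sig -ne 'Valid') -or
                         ($dll -and ([IO.Path]::GetFileName($dll) -ieq $ComDll))
        }
    }
}
$findings | Format-Table -AutoSize

# A global hook handler is mapped into every process that receives the hooked events,
# so the hook DLL turns up in the module lists of many processes unrelated to the browser.
$hosts = Get-Process | Where-Object {
    try { $_.Modules.ModuleName -contains $HookDll } catch { $false }
}
if ($hosts) {
    "Hook DLL $HookDll loaded in: " + (($hosts | ForEach-Object { "$($_.ProcessName)($($_.Id))" }) -join ', ')
} else {
    "Hook DLL $HookDll not found in any accessible process"
}
```

A BHO whose InprocServer32 DLL is missing, unsigned, or sits in System32 under a name no installed product accounts for deserves a closer look even when its CLSID is not the one listed here; the same DLL showing up in processes that never load Internet Explorer components is the usual tell of a global hook.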
Searches for windows in order to bypass anti-virus products (the AVP.* class names belong to the alert and notification windows of Kaspersky Anti-Virus):
- ClassName: 'AVP.Product_Notification' WindowName: ''
- ClassName: 'AVP.AlertDialog' WindowName: ''
Restores hooked functions in the System Service Descriptor Table (SSDT), i.e. removes kernel-mode hooks placed there by other software, such as security products that rely on SSDT hooking to monitor system calls.