To bypass the firewall, removes or modifies the following registry keys:
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '<SYSTEM32>\Adobenrm.exe' = '<SYSTEM32>\Adobenrm.exe:*:Enabled:Explorer'
To complicate detection of its presence in the operating system, blocks the following features:
- User Account Control (UAC)
- Windows Security Center
Creates and executes the following:
- '%TEMP%\IXP000.TMP\document.htm .exe'
- '%TEMP%\IXP000.TMP\OLFSETUP.EXE'
Terminates or attempts to terminate the following user processes:
- Drweb32w.exe
- Drwebupw.exe
- AVP.EXE
- bdss.exe
- bdagent.exe
- ekrn.exe
Hides the following processes:
- %TEMP%\IXP000.TMP\document.htm .exe