To bypass the firewall, removes or modifies the following registry keys:
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'EnableFirewall' = '00000000'
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] 'C:\Temp\_K_M_1_HookAndSend.exe' = 'C:\Temp\_K_M_1_HookAndSend.exe:*:Enabled:_K_M_1_HookAndSend'
To complicate detection of its presence in the operating system, blocks the following features:
- User Account Control (UAC)
Creates and executes the following:
- 'C:\Temp\_K_M_1_OnAdminWorks.exe'
- 'C:\Temp\_K_M_1_HookAndSend.exe'
Installs hooks to intercept notifications on keystrokes:
- Handler for all processes: C:\Temp\_K_M_1_HookDll.dll
Hooks the following functions in System Service Descriptor Table (SSDT):
- NtQuerySystemInformation, handler: _K_M_1_FoldHider.sys
- NtQueryDirectoryFile, handler: _K_M_1_FoldHider.sys
Hides the following processes:
- C:\Temp\_K_M_1_HookAndSend.exe