To bypass the firewall, removes or modifies the following registry keys:
- [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile] 'EnableFirewall' = '00000000'
- [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'EnableFirewall' = '00000000'
To complicate detection of its presence in the operating system, blocks execution of the following system utilities:
- Windows Task Manager (Taskmgr)
Executes the following:
- '%WINDIR%\syswow64\netsh.exe' advfirewall set allprofiles state off
- '%WINDIR%\syswow64\taskkill.exe' /F /IM RTVscan*
- '%WINDIR%\syswow64\taskkill.exe' /F /IM QBFCService*
- '%WINDIR%\syswow64\taskkill.exe' /F /IM Intuit.QuickBooks.FCS*
- '%WINDIR%\syswow64\taskkill.exe' /F /IM YooBackup*
- '%WINDIR%\syswow64\taskkill.exe' /F /IM YooIT*
- '%WINDIR%\syswow64\taskkill.exe' /F /IM zhudongfangyu*
- '%WINDIR%\syswow64\taskkill.exe' /F /IM stc_raw_agent*
- '%WINDIR%\syswow64\taskkill.exe' /F /IM VSNAPVSS*
- '%WINDIR%\syswow64\taskkill.exe' /F /IM QBCFMonitorService*
- '%WINDIR%\syswow64\taskkill.exe' /F /IM VeeamTransportSvc*
- '%WINDIR%\syswow64\taskkill.exe' /F /IM VeeamDeploymentService*
- '%WINDIR%\syswow64\taskkill.exe' /F /IM VeeamNFSSvc*
- '%WINDIR%\syswow64\taskkill.exe' /F /IM PDVFSService*
- '%WINDIR%\syswow64\taskkill.exe' /F /IM BackupExecVSSProvider*
- '%WINDIR%\syswow64\taskkill.exe' /F /IM BackupExecAgentAccelerator*
- '%WINDIR%\syswow64\taskkill.exe' /F /IM BackupExecRPCService*
- '%WINDIR%\syswow64\taskkill.exe' /F /IM AcrSch2Svc*
- '%WINDIR%\syswow64\taskkill.exe' /F /IM AcronisAgent*
- '%WINDIR%\syswow64\taskkill.exe' /F /IM CASAD2DWebSvc*
- '%WINDIR%\syswow64\taskkill.exe' /F /IM SavRoam*
- '%WINDIR%\syswow64\taskkill.exe' /F /IM CAARCUpdateSvc*
- '%WINDIR%\syswow64\taskkill.exe' /F /IM ccEvtMgr*
- '%WINDIR%\syswow64\taskkill.exe' /F /IM GxCIMgr*
- '%WINDIR%\syswow64\taskkill.exe' /F /IM BackupExecAgentBrowser*
- '%WINDIR%\syswow64\taskkill.exe' /F /IM BackupExecDiveciMediaService*
- '%WINDIR%\syswow64\taskkill.exe' /F /IM BackupExecJobEngine*
- '%WINDIR%\syswow64\taskkill.exe' /F /IM BackupExecManagementService*
- '%WINDIR%\syswow64\taskkill.exe' /F /IM vss*
- '%WINDIR%\syswow64\taskkill.exe' /F /IM sql*
- '%WINDIR%\syswow64\netsh.exe' advfirewall set currentprofile state off
- '%WINDIR%\syswow64\taskkill.exe' /F /IM svc$*
- '%WINDIR%\syswow64\netsh.exe' advfirewall set domainprofile state off
- '%WINDIR%\syswow64\taskkill.exe' /F /IM memtas*
- '%WINDIR%\syswow64\taskkill.exe' /F /IM sophos*
- '%WINDIR%\syswow64\netsh.exe' advfirewall set privateprofile state off
- '%WINDIR%\syswow64\taskkill.exe' /F /IM veeam*
- '%WINDIR%\syswow64\netsh.exe' advfirewall set publicprofile state off
- '%WINDIR%\syswow64\taskkill.exe' /F /IM backup*
- '%WINDIR%\syswow64\taskkill.exe' /F /IM GxVss*
- '%WINDIR%\syswow64\taskkill.exe' /F /IM GxBlr*
- '%WINDIR%\syswow64\taskkill.exe' /F /IM GxFWD*
- '%WINDIR%\syswow64\taskkill.exe' /F /IM GxCVD*
- '%WINDIR%\syswow64\taskkill.exe' /F /IM DefWatch*
- '%WINDIR%\syswow64\taskkill.exe' /F /IM TeamViewer*
Reads files that store third-party application passwords:
- %HOMEPATH%\desktop\1189.jpeg
- %HOMEPATH%\desktop\tileimage.bmp
- %HOMEPATH%\desktop\testee.cer
- %HOMEPATH%\desktop\split.avi
- %HOMEPATH%\desktop\sdksampleunprivdeveloper.cer
- %HOMEPATH%\desktop\sdksampleprivdeveloper.cer
- %HOMEPATH%\desktop\region-north-karelia.jpeg
- %HOMEPATH%\desktop\ovp25012015.doc
- %HOMEPATH%\desktop\join.avi
- %HOMEPATH%\desktop\ituneshelpunavailable.htm
- %HOMEPATH%\desktop\howto-index.html
- %HOMEPATH%\desktop\holycrosschurchinstructions.docx
- %HOMEPATH%\desktop\toolbar.bmp
- %HOMEPATH%\desktop\hadac_newsletter_july_2010_final.docx
- %HOMEPATH%\desktop\fi51.doc
- %HOMEPATH%\desktop\dial.bmp
- %HOMEPATH%\desktop\dashborder_144.bmp
- %HOMEPATH%\desktop\contoso_1.cer
- %HOMEPATH%\desktop\contoso.cer
- %HOMEPATH%\desktop\coffee.bmp
- %HOMEPATH%\desktop\browse.html
- %HOMEPATH%\desktop\archer.avi
- %HOMEPATH%\desktop\advice_process.htm
- %HOMEPATH%\desktop\508softwareandos.doc
- %HOMEPATH%\desktop\210252809.jpeg
- %HOMEPATH%\desktop\glidescope_review_rev_010.docx
- %HOMEPATH%\desktop\tree_view.htm