Technical Information
Malicious functions
To complicate detection of its presence in the operating system,
blocks execution of the following system utilities:
- Windows Update
- Windows Security Center
Modifies file system
Creates the following files
- C:\a.bat
- %TEMP%\1.reg
- %WINDIR%\syswow64\nod64.exe
Sets the 'hidden' attribute to the following files
- %WINDIR%\syswow64\nod64.exe
Deletes the following files
- %TEMP%\1.reg
Substitutes the following files
- C:\a.bat
- %TEMP%\1.reg
Miscellaneous
Searches for the following windows
- ClassName: 'RegEdit_RegEdit' WindowName: ''
Creates and executes the following
- '%WINDIR%\syswow64\nod64.exe' 424 "<Full path to file>"
- '%WINDIR%\syswow64\nod64.exe' 420 "%WINDIR%\SysWOW64\nod64.exe"
- '%WINDIR%\syswow64\nod64.exe' 444 "%WINDIR%\SysWOW64\nod64.exe"
- '%WINDIR%\syswow64\nod64.exe' 428 "%WINDIR%\SysWOW64\nod64.exe"
- '%WINDIR%\syswow64\nod64.exe' 432 "%WINDIR%\SysWOW64\nod64.exe"
- '%WINDIR%\syswow64\nod64.exe' 448 "%WINDIR%\SysWOW64\nod64.exe"
- '%WINDIR%\syswow64\nod64.exe' 436 "%WINDIR%\SysWOW64\nod64.exe"
- '%WINDIR%\syswow64\nod64.exe' 440 "%WINDIR%\SysWOW64\nod64.exe"
- '%WINDIR%\syswow64\nod64.exe' 436 "%WINDIR%\SysWOW64\nod64.exe"' (with hidden window)
- '%WINDIR%\syswow64\nod64.exe' 444 "%WINDIR%\SysWOW64\nod64.exe"' (with hidden window)
- '%WINDIR%\syswow64\nod64.exe' 440 "%WINDIR%\SysWOW64\nod64.exe"' (with hidden window)
- '%WINDIR%\syswow64\nod64.exe' 424 "<Full path to file>"' (with hidden window)
- '%WINDIR%\syswow64\nod64.exe' 428 "%WINDIR%\SysWOW64\nod64.exe"' (with hidden window)
- '%WINDIR%\syswow64\nod64.exe' 420 "%WINDIR%\SysWOW64\nod64.exe"' (with hidden window)
- '%WINDIR%\syswow64\nod64.exe' 432 "%WINDIR%\SysWOW64\nod64.exe"' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c c:\a.bat' (with hidden window)
- '%WINDIR%\syswow64\nod64.exe' 448 "%WINDIR%\SysWOW64\nod64.exe"' (with hidden window)
Executes the following
- '%WINDIR%\syswow64\cmd.exe' /c c:\a.bat
- '%WINDIR%\syswow64\regedit.exe' /S %TEMP%\1.reg
