To bypass firewall, removes or modifies the following registry keys:
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '%WINDIR%\Explorer.EXE' = '%WINDIR%\Explorer.EXE:*:Enabled:ipsec'
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '<Full path to virus>' = '<Full path to virus>:*:Enabled:ipsec'
To complicate detection of its presence in the operating system,
blocks the following features:
- User Account Control (UAC)
Executes the following:
- <SYSTEM32>\rundll32.exe <SYSTEM32>\shimgvw.dll,ImageView_Fullscreen %APPDATA%\1348262549_milkandoreaos_260148.jpeg
Injects code into
the following system processes:
a large number of user processes.
Searches for registry branches where third party applications store passwords:
- [<HKCU>\Software\Paltalk]
- [<HKCU>\Software\Google\Google Talk\Accounts]
Searches for windows to
detect analytical utilities:
- ClassName: 'PROCMON_WINDOW_CLASS' WindowName: ''
detect programs and games:
- ClassName: 'gdkWindowToplevel' WindowName: ''