Technical Information
To ensure autorun and distribution
Modifies the following registry keys
- [<HKCU>\Software\Classes\exefile\shell\open\command] '' = '"%ALLUSERSPROFILE%\install\app.exe"%1" %*"'
Creates or modifies the following files
- %APPDATA%\microsoft\windows\start menu\programs\startup\ms office.lnk
Malicious functions
To complicate detection of its presence in the operating system,
blocks execution of the following system utilities:
- Windows Update
- Windows Security Center
Modifies file system
Creates the following files
- %ALLUSERSPROFILE%\classes\svcserv.exe
- %ALLUSERSPROFILE%\install\app.exe
- %ALLUSERSPROFILE%\install\1.reg
Deletes the following files
- %ALLUSERSPROFILE%\install\1.reg
Miscellaneous
Searches for the following windows
- ClassName: 'RegEdit_RegEdit' WindowName: ''
Creates and executes the following
- '%ALLUSERSPROFILE%\install\app.exe'
- '%WINDIR%\syswow64\sc.exe' delete ccEvtMgr' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' delete DefWatch' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' delete "Symantec AntiVirus"' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' delete "avast! Mail Scanne"' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' delete "avast! Antivirus"' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' delete NSPService' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' delete "Norman ZANDA"' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' delete nvcoas' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' delete scheduler' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' delete SNDSrvc' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' delete Npsvc32' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' delete "avast! Web Scanner"' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' delete NSPUpdateService' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' delete Norman' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' delete "F-Secure Gatekeeper Handler Starter"' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' delete FSORSPClient' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' delete FSAUA' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' delete FSGKHS' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' delete NPROSECSVC' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' delete NSESVC' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' delete NiG' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' delete SharedAccess' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' delete SOLOSCAN' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' delete Vba32Ldr' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' delete VACompManService' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' delete AntiVirService' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' delete AntiVirWebService' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' delete a2free' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' delete InoRT' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' delete SAVSService' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' delete GuardX' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' delete NOD32Krn' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' delete vsmon' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' delete nvoy' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' delete aswUpdSv' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' delete wscsvc' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' delete wuauserv' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' delete Vba32PP3' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' delete Vba32ECM' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' delete TmProxy' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' delete SfCtlCom' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' delete ccSetMgr' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' delete VACompMan' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' delete Vba32ifs' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' delete SPBBCSvc' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' delete TMBMServer' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' delete NPFSvc32' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' delete sdCoreService' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' delete AVUpdate' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' delete AVTasks2' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' delete PAVFNSVR' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' delete PSIMSVC' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' delete PAVSRV' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' delete TPSrv' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' delete PskSvcRetail' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' delete "V3 Service"' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' delete avg9mc' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' delete avg9wd' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' delete ABMainSV' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' delete AVBackup' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' delete Gwmsrv' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' delete "Panda Software Controller"' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' delete PavPrSrv' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' delete a2AntiMalware' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' delete Klnagent' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' delete AVP' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' delete kavsvc' (with hidden window)
- '%WINDIR%\syswow64\regedit.exe' /s "%ALLUSERSPROFILE%\install\1.reg"' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' delete ArcaRemoteService' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' delete ekrn' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' delete acssrv' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' delete XCOMM' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' delete FSMA' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' delete FSDFWD' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' delete FPAVServer' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' delete "ewido security suite guard"' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' delete "ewido security suite control"' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' delete "SAVService"' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' delete "SAVAdminService"' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' delete "Sophos AutoUpdate Service"' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' delete "Sophos Client Firewall Manager"' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' delete eLoggerSvc6' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' delete "Sophos Client Firewall"' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' delete DrWebEngine' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' delete cmdAgent' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' delete EhttpSrv' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' delete Antivirus' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' delete DrWebFwSvc' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' delete "Browser Defender Update Service"' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' delete VSSERV' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' delete bdss' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' delete LIVESRV' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' delete sdAuxService' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' delete PSHost' (with hidden window)
Executes the following
- '%WINDIR%\syswow64\regedit.exe' /s "%ALLUSERSPROFILE%\install\1.reg"
- '%WINDIR%\syswow64\sc.exe' delete ccEvtMgr
- '%WINDIR%\syswow64\sc.exe' delete DefWatch
- '%WINDIR%\syswow64\sc.exe' delete "Symantec AntiVirus"
- '%WINDIR%\syswow64\sc.exe' delete "avast! Mail Scanne"
- '%WINDIR%\syswow64\sc.exe' delete "avast! Antivirus"
- '%WINDIR%\syswow64\sc.exe' delete NSPService
- '%WINDIR%\syswow64\sc.exe' delete "Norman ZANDA"
- '%WINDIR%\syswow64\sc.exe' delete nvcoas
- '%WINDIR%\syswow64\sc.exe' delete scheduler
- '%WINDIR%\syswow64\sc.exe' delete NiG
- '%WINDIR%\syswow64\sc.exe' delete SPBBCSvc
- '%WINDIR%\syswow64\sc.exe' delete "avast! Web Scanner"
- '%WINDIR%\syswow64\sc.exe' delete NSPUpdateService
- '%WINDIR%\syswow64\sc.exe' delete Norman
- '%WINDIR%\syswow64\sc.exe' delete "F-Secure Gatekeeper Handler Starter"
- '%WINDIR%\syswow64\sc.exe' delete FSORSPClient
- '%WINDIR%\syswow64\sc.exe' delete FSAUA
- '%WINDIR%\syswow64\sc.exe' delete FSGKHS
- '%WINDIR%\syswow64\sc.exe' delete NPROSECSVC
- '%WINDIR%\syswow64\sc.exe' delete Npsvc32
- '%WINDIR%\syswow64\sc.exe' delete "Sophos Client Firewall"
- '%WINDIR%\syswow64\sc.exe' delete TMBMServer
- '%WINDIR%\syswow64\sc.exe' delete VACompManService
- '%WINDIR%\syswow64\sc.exe' delete AntiVirService
- '%WINDIR%\syswow64\sc.exe' delete AntiVirWebService
- '%WINDIR%\syswow64\sc.exe' delete a2free
- '%WINDIR%\syswow64\sc.exe' delete InoRT
- '%WINDIR%\syswow64\sc.exe' delete SAVSService
- '%WINDIR%\syswow64\sc.exe' delete GuardX
- '%WINDIR%\syswow64\sc.exe' delete NOD32Krn
- '%WINDIR%\syswow64\sc.exe' delete vsmon
- '%WINDIR%\syswow64\sc.exe' delete NSESVC
- '%WINDIR%\syswow64\sc.exe' delete SNDSrvc
- '%WINDIR%\syswow64\sc.exe' delete wscsvc
- '%WINDIR%\syswow64\sc.exe' delete wuauserv
- '%WINDIR%\syswow64\sc.exe' delete Vba32PP3
- '%WINDIR%\syswow64\sc.exe' delete Vba32ECM
- '%WINDIR%\syswow64\sc.exe' delete TmProxy
- '%WINDIR%\syswow64\sc.exe' delete SfCtlCom
- '%WINDIR%\syswow64\sc.exe' delete ccSetMgr
- '%WINDIR%\syswow64\sc.exe' delete VACompMan
- '%WINDIR%\syswow64\sc.exe' delete Vba32ifs
- '%WINDIR%\syswow64\sc.exe' delete SharedAccess
- '%WINDIR%\syswow64\sc.exe' delete Vba32Ldr
- '%WINDIR%\syswow64\sc.exe' delete nvoy
- '%WINDIR%\syswow64\sc.exe' delete NPFSvc32
- '%WINDIR%\syswow64\sc.exe' delete eLoggerSvc6
- '%WINDIR%\syswow64\sc.exe' delete ABMainSV
- '%WINDIR%\syswow64\sc.exe' delete AVUpdate
- '%WINDIR%\syswow64\sc.exe' delete AVTasks2
- '%WINDIR%\syswow64\sc.exe' delete PAVFNSVR
- '%WINDIR%\syswow64\sc.exe' delete PSIMSVC
- '%WINDIR%\syswow64\sc.exe' delete PAVSRV
- '%WINDIR%\syswow64\sc.exe' delete TPSrv
- '%WINDIR%\syswow64\sc.exe' delete PskSvcRetail
- '%WINDIR%\syswow64\sc.exe' delete "V3 Service"
- '%WINDIR%\syswow64\sc.exe' delete SOLOSCAN
- '%WINDIR%\syswow64\sc.exe' delete sdAuxService
- '%WINDIR%\syswow64\sc.exe' delete ArcaRemoteService
- '%WINDIR%\syswow64\sc.exe' delete AVBackup
- '%WINDIR%\syswow64\sc.exe' delete Gwmsrv
- '%WINDIR%\syswow64\sc.exe' delete "Panda Software Controller"
- '%WINDIR%\syswow64\sc.exe' delete PavPrSrv
- '%WINDIR%\syswow64\sc.exe' delete a2AntiMalware
- '%WINDIR%\syswow64\sc.exe' delete Klnagent
- '%WINDIR%\syswow64\sc.exe' delete AVP
- '%WINDIR%\syswow64\sc.exe' delete kavsvc
- '%WINDIR%\syswow64\sc.exe' delete avg9mc
- '%WINDIR%\syswow64\sc.exe' delete aswUpdSv
- '%WINDIR%\syswow64\sc.exe' delete sdCoreService
- '%WINDIR%\syswow64\sc.exe' delete bdss
- '%WINDIR%\syswow64\sc.exe' delete XCOMM
- '%WINDIR%\syswow64\sc.exe' delete acssrv
- '%WINDIR%\syswow64\sc.exe' delete FSMA
- '%WINDIR%\syswow64\sc.exe' delete FSDFWD
- '%WINDIR%\syswow64\sc.exe' delete FPAVServer
- '%WINDIR%\syswow64\sc.exe' delete "ewido security suite guard"
- '%WINDIR%\syswow64\sc.exe' delete "ewido security suite control"
- '%WINDIR%\syswow64\sc.exe' delete "SAVService"
- '%WINDIR%\syswow64\sc.exe' delete "SAVAdminService"
- '%WINDIR%\syswow64\sc.exe' delete LIVESRV
- '%WINDIR%\syswow64\sc.exe' delete "Sophos AutoUpdate Service"
- '%WINDIR%\syswow64\sc.exe' delete avg9wd
- '%WINDIR%\syswow64\sc.exe' delete ekrn
- '%WINDIR%\syswow64\sc.exe' delete DrWebEngine
- '%WINDIR%\syswow64\sc.exe' delete cmdAgent
- '%WINDIR%\syswow64\sc.exe' delete EhttpSrv
- '%WINDIR%\syswow64\sc.exe' delete Antivirus
- '%WINDIR%\syswow64\sc.exe' delete DrWebFwSvc
- '%WINDIR%\syswow64\sc.exe' delete "Browser Defender Update Service"
- '%WINDIR%\syswow64\sc.exe' delete VSSERV
- '%WINDIR%\syswow64\sc.exe' delete "Sophos Client Firewall Manager"
- '%WINDIR%\syswow64\sc.exe' delete PSHost
