The trojan terminates various security-related applications. The file is run-time compressed using UPX.
When executed, the trojan copies itself into the following location:
A string with variable content is used instead of %filename%.
The following file is dropped into the %windir%\system32 folder:
Installs the following system drivers (path, name):
- %windir%\system32\dll.exe, dedede
The following programs are terminated:
The following Registry entries are created:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\%variable%]
  "debugger" = "Svchost.exe"
The %variable% is one of the following strings:
The modified Registry entries will prevent specific files from being executed: when a program listed under Image File Execution Options has a "debugger" value, Windows launches that value (here Svchost.exe) instead of the program itself.
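An added example for checking a host for this kind of tampering (not part of the original description): the PowerShell function below enumerates the Image File Execution Options subkeys, including the 32-bit view on 64-bit Windows, and reports every Debugger value, flagging those that point at Svchost.exe as described above. The function and variable names are the author's own choice, and the script only reports, since legitimate developer tools also use this key.

```powershell
# Added example: audit Image File Execution Options "Debugger" values.
# Run in an elevated PowerShell session on the host being examined.
$IfeoPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)

function Get-IfeoDebuggerEntries {
    param([string[]]$Roots = $IfeoPaths)

    foreach ($root in $Roots) {
        # Skip the WOW6432Node view on hosts that do not have it.
        if (-not (Test-Path -Path $root)) { continue }

        Get-ChildItem -Path $root -ErrorAction SilentlyContinue | ForEach-Object {
            $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
            # Registry value names are case-insensitive, so "debugger" matches too.
            if ($null -ne $props -and $null -ne $props.Debugger) {
                [PSCustomObject]@{
                    Target     = $_.PSChildName      # the program being redirected
                    Debugger   = $props.Debugger     # what Windows will launch instead
                    Suspicious = ($props.Debugger -match '(?i)svchost\.exe')
                    Key        = $_.Name
                }
            }
        }
    }
}

# Report all entries; suspicious ones are candidates for removal after review.
Get-IfeoDebuggerEntries | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```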