Short description
The trojan terminates various security related applications. The file is run-time compressed using UPX.
Installation
When executed, the trojan copies itself into the following location:
A string with variable content is used instead of %filename%.
The following file is dropped into the %windir%\system32 folder:
Installs the following system drivers (path, name):
- %windir%\system32\dll.exe, dedede
Other information
The following programs are terminated:
- 360tray.exe
- avp.exe
- ccenter.exe
- egui.exe
- ekrn.exe
- ravtask.exe
- rawmond.exe
- rstray.exe
- safeboxtray.exe
The following Registry entries are created:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\%variable%]
"debugger" = "Svchost.exe"
The %variable% is one of the following strings:
- 360safe.exe
- 360safebox.exe
- ast.exe
- avp.exe
- CCenter.exe
- ekrn.exe
- guard.exe
- kasmain.exe
- KAVPFW.exe
- kpfw32.exe
- kpfwsvc.exe
- kvmonxp.exe
- kvprescan.exe
- kvsrvxp.exe
- kwatch.exe
- McShield.exe
- Rav.exe
- RavMon.exe
- RavMonD.exe
- RavStub.exe
- RavTask.exe
- rfwProxy.exe
- rfwsrv.exe
- rfwstub.exe
- wmain.exe
The modified Registry entries prevent the listed programs from being executed: when a process named in an Image File Execution Options subkey is started, Windows launches the configured "debugger" (here Svchost.exe) in its place, so the security product never runs.
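The Image File Execution Options "debugger" hijack described above leaves a clear artifact in the registry that a responder can audit from a plain `reg export` of the key. The following Python script is an added example (not part of the original write-up and not a vendor tool): it parses a .reg export of the IFEO key, collects every subkey that carries a Debugger value, and flags the pattern this page describes (a debugger of Svchost.exe, or any debugger set on one of the process names the page lists). The embedded .reg text is a constructed sample, not data captured from an infected host; the helper names `parse_ifeo_debuggers` and `audit_ifeo` are this example's own.

```python
import re
import sys
from typing import Dict, List, Tuple

# Constructed sample of a `reg export` of the IFEO key (not from a real host).
# In real exports a backslash inside a string value is written as "\\".
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe]
"debugger"="Svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="C:\\Tools\\windbg.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe]
"DisableExceptionChainValidation"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMonD.exe]
"debugger"="Svchost.exe"
"""

IFEO_PREFIX = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"

# Process names this write-up says the trojan targets through IFEO.
TARGETED_IMAGES = {
    "360safe.exe", "360safebox.exe", "ast.exe", "avp.exe", "CCenter.exe", "ekrn.exe",
    "guard.exe", "kasmain.exe", "KAVPFW.exe", "kpfw32.exe", "kpfwsvc.exe", "kvmonxp.exe",
    "kvprescan.exe", "kvsrvxp.exe", "kwatch.exe", "McShield.exe", "Rav.exe", "RavMon.exe",
    "RavMonD.exe", "RavStub.exe", "RavTask.exe", "rfwProxy.exe", "rfwsrv.exe", "rfwstub.exe",
    "wmain.exe",
}

KEY_RE = re.compile(r"^\[(.+)\]$")          # [HKEY_...\subkey]
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')  # "name"="string value"


def parse_ifeo_debuggers(reg_text: str) -> Dict[str, str]:
    """Return {image_name: debugger_command} for every IFEO subkey with a Debugger value."""
    debuggers: Dict[str, str] = {}
    current_image = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        key_match = KEY_RE.match(line)
        if key_match:
            key = key_match.group(1)
            current_image = None
            # Only direct subkeys of the IFEO key name an image to hijack.
            if key.lower().startswith(IFEO_PREFIX.lower() + "\\"):
                current_image = key[len(IFEO_PREFIX) + 1:]
            continue
        if current_image is None:
            continue
        value_match = VALUE_RE.match(line)
        if value_match and value_match.group(1).lower() == "debugger":
            # Undo the .reg escaping of backslashes in the string value.
            debuggers[current_image] = value_match.group(2).replace("\\\\", "\\")
    return debuggers


def audit_ifeo(debuggers: Dict[str, str], targeted=TARGETED_IMAGES) -> List[Tuple[str, str, str]]:
    """Flag (image, debugger, reason) entries matching the hijack pattern from the write-up."""
    targeted_lower = {name.lower() for name in targeted}
    findings: List[Tuple[str, str, str]] = []
    for image, debugger in debuggers.items():
        exe = debugger.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if exe == "svchost.exe":
            findings.append((image, debugger, "Debugger points at Svchost.exe: launches of this image are hijacked"))
        elif image.lower() in targeted_lower:
            findings.append((image, debugger, "Debugger set on a security product image"))
    return findings


if __name__ == "__main__":
    # `reg export` writes UTF-16; pass a file path to audit a real export, else use the sample.
    text = open(sys.argv[1], encoding="utf-16").read() if len(sys.argv) > 1 else SAMPLE_REG_EXPORT
    for image, debugger, reason in audit_ifeo(parse_ifeo_debuggers(text)):
        print(f"{image}: debugger={debugger!r} ({reason})")
```

On a live system the input can be produced with `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg`; the notepad.exe entry in the sample is left unflagged to show that a Debugger value on a non-security image is a legitimate developer setting that still deserves a manual look.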