Technical Information
Malicious functions
To complicate detection of its presence in the operating system,
blocks execution of the following system utilities:
- Windows Task Manager (Taskmgr)
Modifies file system
Creates the following files
- C:\chainsavessessiondllnet\9exzyhdojz7uij.bat
- C:\chainsavessessiondllnet\portserver.exe
- C:\chainsavessessiondllnet\9xsjq4iw.vbe
Miscellaneous
Searches for the following windows
- ClassName: 'EDIT' WindowName: ''
Creates and executes the following
- '%WINDIR%\syswow64\wscript.exe' "C:\chainsavessessiondllnet\9XSJQ4IW.vbe"
- 'C:\chainsavessessiondllnet\portserver.exe'
Executes the following
- '%WINDIR%\syswow64\cmd.exe' /c ""C:\chainsavessessiondllnet\9EXZyHDoJz7uij.bat" "
- '%WINDIR%\syswow64\reg.exe' add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
- '%WINDIR%\syswow64\cmd.exe' /c ""C:\chainsavessessiondllnet\9EXZyHDoJz7uij.bat" "' (with hidden window)
