Subscribe
When the malware starts it creates files in the following locations:
%windir%\system32\debug.exe
%windir%\system32\drivers\beep.sys
random named files such as c:\000F443C\1000516
The file beep.sys is registered as a windows service; the following registry keys ar created:
HKLM\System\CurrentControlSet\Services\Beep\Type
HKLM\System\CurrentControlSet\Services\Beep\Start
HKLM\System\CurrentControlSet\Services\Beep\ImagePath
HKLM\System\CurrentControlSet\Services\Beep\DisplayName
The malware disables the task manager by creating the following registry key:
SoftWare\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe
Debugger ntsd -d
Similar registry keys are created in order to disable antivirus software too.
After this installation the original file deletes itself by creating and starting a .bat file created for this purpose.
The purpose of the malware is to download and run other malicious software on the user
Delete the aforementioned files and registry keys; In order to delete the file debug.exe you need to kill the process first. You can do this by running the following command: taskkill /IM debug.exe /F.
- task manager or antivirus software doesn't work
- unrequested internet traffic
- presence of the files and registry entries mentioned below
Hot Articles