The malware copies itself to C:\Windows\System32\drvstore.exe (or C:\Windows\SysWOW64\drvstore.exe) and runs itself from that location.
The malware enumerates drive letters to find the one holding a removable drive, e.g. D:, and calls itself with that drive letter as an argument.
The malware enumerates all of the files and folders in the given directory.
The malware encrypts each file or folder with the encryption key located at ‘%USERPROFILE%\AppData\Local\Temp\drvstore.key’.
The malware uses the CryptUnprotectData function to decrypt the file or folder.
The malware changes the file or folder’s permissions to 0x20, i.e. Read and Execute for Everyone.
The malware copies itself again to C:\Windows\System32\drvstore.exe (or C:\Windows\SysWOW64\drvstore.exe) and runs the file from this location.
The malware sleeps for 15 seconds, leaving time for the victim to mount the infected removable drive.
A DLL is dropped and executed in a separate instance of cmd.exe (or csrss.exe on Windows 2000).
The malware enumerates running processes and finds cmd.exe (or csrss.exe on Windows 2000) into which to inject the exploit.
The malware creates a new process with the name of the running process and an extra ‘(1)’ appended, i.e. notepad(1), and repeats this with ‘(2)’ through ‘(12)’ appended, i.e. notepad(2) through notepad(12). In each case the first ‘ (single quote) is used to start notepad normally and the second ‘ (single quote) is used to inject the exploit.
The malware creates a new