When started, the malicious script will first decrypt itself. Once this operation is complete, the actual malicious behaviour begins.
The malware will then copy itself into both the Windows and the system folder, as '.vbe. On the machine used for the analysis, the malware copied itself as:
After the copying operation has been performed, the malware will set the following registry value to make sure it is executed when the machine next boots:
Next, the malware will modify the following registry values in order to bypass firewalls:
The malware will then try to spawn the copy of itself located in the system folder. However, because of the name chosen for the file, the operation fails. After this, the malware will hide its own files from the system's user by modifying the following registry value:
and will create the file '.ini in the system folder. This file is an autorun file that forces the execution of the script. In addition, the malware will copy both the '.ini and '.vbs files to the root of the available drives.
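The behaviour described above (a Run-key autostart pointing at a VBScript, Explorer settings changed to hide files, and an autorun file in drive roots that launches a script) can be checked for on a suspect host with the triage script below. It is an added example, not part of the original analysis: the write-up leaves the file and registry names blank, so the script inspects the well-known autostart, Explorer and drive-root locations instead, and only reports findings.

```powershell
# Added triage script (not from the original write-up). Registry and file names the
# write-up leaves blank are replaced by the standard locations a responder would check.
$findings = @()

# 1. Autostart entries (HKCU/HKLM Run keys) that launch a .vbs/.vbe script.
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }            # skip PowerShell's own metadata
        if ("$($p.Value)" -match '\.vb[se]\b') {
            $findings += "Run entry '$($p.Name)' in $key launches a VBScript: $($p.Value)"
        }
    }
}

# 2. Explorer settings changed to hide files: Hidden=2 hides hidden files,
#    ShowSuperHidden=0 hides protected operating-system files.
$adv = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
if (Test-Path $adv) {
    $v = Get-ItemProperty -Path $adv
    if ($v.Hidden -eq 2)          { $findings += "Explorer 'Hidden' is 2 (hidden files not shown)" }
    if ($v.ShowSuperHidden -eq 0) { $findings += "Explorer 'ShowSuperHidden' is 0 (system files not shown)" }
}

# 3. Autorun-style .inf/.ini files in drive roots whose open= or shellexecute=
#    line points at a .vbs/.vbe script, plus loose scripts sitting in the root.
foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
    $rootItems = Get-ChildItem -Path $drive.Root -File -Force -ErrorAction SilentlyContinue
    foreach ($f in $rootItems) {
        if ($f.Extension -in '.inf', '.ini') {
            $text = Get-Content -Path $f.FullName -Raw -ErrorAction SilentlyContinue
            if ($text -match '(?im)^\s*(open|shellexecute)\s*=.*\.vb[se]') {
                $findings += "Autorun file $($f.FullName) executes a VBScript"
            }
        } elseif ($f.Extension -in '.vbs', '.vbe') {
            $findings += "Script in drive root: $($f.FullName) (hidden: $($f.Attributes -band 'Hidden'))"
        }
    }
}

if ($findings.Count -eq 0) { 'No VBScript autostart/autorun traces found.' }
else { $findings | ForEach-Object { "FINDING: $_" } }
```

Run it from an elevated PowerShell prompt so the HKLM Run key and all drive roots are readable; a match is a lead for manual review, not proof of infection.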