The malware checks the status of these flags to determine whether it is being run in a debugger.
If any of the malware’s anti-debugging techniques succeed, it will terminate and remove itself from disk.
You can manually flip the flags that control the conditional jumps in OllyDbg at runtime, but doing so quickly becomes
tedious because this malware checks the memory structures so frequently. Instead, modify the
structures the malware checks in memory, either manually or with an OllyDbg plug-in such as PhantOm
or the Immunity Debugger (ImmDbg) PyCommand.
See the detailed analysis for a step-by-step way to dump and modify the structures in OllyDbg.
Both the OllyDbg plug-in PhantOm and the ImmDbg PyCommand ...
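The following is an added example, not code from the book or from PhantOm or the ImmDbg PyCommand it mentions. It shows the structure-patching approach offline: given a memory snapshot of a 32-bit process, it reads the PEB fields a debugger commonly alters, reports which ones betray the debugger, and rewrites them so the malware's checks see a clean process. It assumes that the flags in question are the usual PEB indicators (BeingDebugged, the ProcessHeap Flags and ForceFlags, and NtGlobalFlag) and uses publicly documented x86 offsets for them; the page itself names neither the fields nor the offsets. The snapshot, including a heap placed right after the PEB, is constructed in the script so that it runs without a target; in a live OllyDbg or ImmDbg session the same reads and writes would go through the debugger's memory access API instead of a byte array.

```python
import struct

# Assumed offsets within the 32-bit (x86) PEB; taken from public PEB layouts,
# not from the page being edited.
PEB_BEING_DEBUGGED = 0x02   # BYTE, set by the loader when a debugger is attached
PEB_PROCESS_HEAP   = 0x18   # DWORD pointer to the process's default _HEAP
PEB_NT_GLOBAL_FLAG = 0x68   # DWORD NtGlobalFlag

# Assumed _HEAP offsets of (Flags, ForceFlags); they differ by Windows version.
HEAP_LAYOUTS = {"xp": (0x0C, 0x10), "vista+": (0x40, 0x44)}

# Heap-debugging bits that appear when a process is created under a debugger.
FLG_HEAP_DEBUG_BITS   = 0x70        # NtGlobalFlag: TAIL_CHECK | FREE_CHECK | VALIDATE_PARAMETERS
HEAP_FLAGS_DEBUG_BITS = 0x50000060  # _HEAP.Flags bits beyond HEAP_GROWABLE
HEAP_FORCE_DEBUG_BITS = 0x40000060  # _HEAP.ForceFlags value typically seen under a debugger
HEAP_GROWABLE         = 0x00000002  # the one _HEAP.Flags bit a normal process keeps

SAMPLE_PEB_VA = 0x7FFD4000          # typical x86 PEB address, used for the constructed snapshot


class Memory:
    """A flat snapshot of one region of the target's address space."""

    def __init__(self, base, data):
        self.base, self.data = base, bytearray(data)

    def _off(self, va, size):
        off = va - self.base
        if off < 0 or off + size > len(self.data):
            raise ValueError(f"address {va:#x} is outside the snapshot")
        return off

    def read_u8(self, va):      return self.data[self._off(va, 1)]
    def read_u32(self, va):     return struct.unpack_from("<I", self.data, self._off(va, 4))[0]
    def write_u8(self, va, v):  self.data[self._off(va, 1)] = v & 0xFF
    def write_u32(self, va, v): struct.pack_into("<I", self.data, self._off(va, 4), v & 0xFFFFFFFF)


def debugger_indicators(mem, peb_va, layout="xp"):
    """Return, per field, whether it currently reveals an attached debugger."""
    flags_off, force_off = HEAP_LAYOUTS[layout]
    heap_va = mem.read_u32(peb_va + PEB_PROCESS_HEAP)
    return {
        "BeingDebugged":   mem.read_u8(peb_va + PEB_BEING_DEBUGGED) != 0,
        "NtGlobalFlag":    bool(mem.read_u32(peb_va + PEB_NT_GLOBAL_FLAG) & FLG_HEAP_DEBUG_BITS),
        "Heap.Flags":      bool(mem.read_u32(heap_va + flags_off) & HEAP_FLAGS_DEBUG_BITS),
        "Heap.ForceFlags": mem.read_u32(heap_va + force_off) != 0,
    }


def scrub_debugger_indicators(mem, peb_va, layout="xp"):
    """Rewrite only the debugger-specific bits so the checks above see a clean
    process; unrelated bits (e.g. HEAP_GROWABLE) are preserved. Returns the
    names of the fields that were changed."""
    flags_off, force_off = HEAP_LAYOUTS[layout]
    heap_va = mem.read_u32(peb_va + PEB_PROCESS_HEAP)
    changed = []
    if mem.read_u8(peb_va + PEB_BEING_DEBUGGED):
        mem.write_u8(peb_va + PEB_BEING_DEBUGGED, 0)
        changed.append("BeingDebugged")
    ngf = mem.read_u32(peb_va + PEB_NT_GLOBAL_FLAG)
    if ngf & FLG_HEAP_DEBUG_BITS:
        mem.write_u32(peb_va + PEB_NT_GLOBAL_FLAG, ngf & ~FLG_HEAP_DEBUG_BITS)
        changed.append("NtGlobalFlag")
    flags = mem.read_u32(heap_va + flags_off)
    if flags & HEAP_FLAGS_DEBUG_BITS:
        mem.write_u32(heap_va + flags_off, flags & ~HEAP_FLAGS_DEBUG_BITS)
        changed.append("Heap.Flags")
    if mem.read_u32(heap_va + force_off):
        mem.write_u32(heap_va + force_off, 0)
        changed.append("Heap.ForceFlags")
    return changed


def build_debugged_snapshot(layout="xp"):
    """Constructed sample: a PEB plus a default heap as they look for a process
    started under a debugger. The heap is placed 0x1000 bytes after the PEB
    purely so one buffer covers both; real processes do not lay it out that way."""
    flags_off, force_off = HEAP_LAYOUTS[layout]
    mem = Memory(SAMPLE_PEB_VA, bytes(0x2000))
    heap_va = SAMPLE_PEB_VA + 0x1000
    mem.write_u8(SAMPLE_PEB_VA + PEB_BEING_DEBUGGED, 1)
    mem.write_u32(SAMPLE_PEB_VA + PEB_PROCESS_HEAP, heap_va)
    mem.write_u32(SAMPLE_PEB_VA + PEB_NT_GLOBAL_FLAG, FLG_HEAP_DEBUG_BITS)
    mem.write_u32(heap_va + flags_off, HEAP_GROWABLE | HEAP_FLAGS_DEBUG_BITS)
    mem.write_u32(heap_va + force_off, HEAP_FORCE_DEBUG_BITS)
    return mem


if __name__ == "__main__":
    snap = build_debugged_snapshot("xp")
    print("before:", debugger_indicators(snap, SAMPLE_PEB_VA, "xp"))
    print("patched:", scrub_debugger_indicators(snap, SAMPLE_PEB_VA, "xp"))
    print("after: ", debugger_indicators(snap, SAMPLE_PEB_VA, "xp"))
```

Clearing only the debugger-specific bits, rather than zeroing whole fields, matters because the malware may also compare these values against what a normal process has (for instance HEAP_GROWABLE in Flags), and because the heap manager itself reads Flags; a clumsy overwrite can crash the target or trip a different check. The `layout` argument exists because the heap offsets move between XP and Vista-era builds, so a patch written for one version silently misses on the other.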