This malware uses vulnerable x86 instructions (instructions whose results differ when executed inside a hypervisor) to determine whether it is running in a VM.
The script finds three potential anti-VM instructions and highlights them in red:
The malware deletes itself if either of two of these checks (str is one of them) detects VMware. If the remaining check detects VMware, the malware exits without creating its main thread, but it still creates the malicious service MalService.
On our machine running VMware Workstation 7 on an Intel Core i7, none of the techniques succeeded. Your results will vary depending on the hardware and software you use.
See the detailed analysis for an explanation of why each technique did or didn’t work.
You can NOP out the anti-VM instructions, including str, or flip the jump ...
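As an added example (not the lab's or the book's code), the following C program shows the str check as a program performs it, and the two patches the text suggests: NOPping out the instruction, and flipping the conditional jump that follows it. The 0x4000 comparison value (the TR selector VMware guests have historically returned from STR), the str eax / cmp / jz byte sequence being patched, and all function names are assumptions constructed for illustration, not taken from the sample.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Added example (not the lab's code): the str check as a program performs
 * it, plus the two patches the text suggests (NOP-out, jump flip), applied
 * to a constructed byte sequence rather than to the real sample. */

/* Execute STR (store task register) and return the TR selector. Only the
 * memory form is used so the result is always 16 bits. On non-x86 builds,
 * or compilers without GCC-style inline asm, return 0 ("not executed"). */
static uint16_t read_tr_selector(void)
{
    uint16_t sel = 0;
#if defined(__GNUC__) && (defined(__i386__) || defined(__x86_64__))
    __asm__ volatile ("str %0" : "=m" (sel));
#endif
    return sel;
}

/* VMware guests have historically reported a TR selector of 0x4000 from
 * STR (assumption: the value documented for this technique, not taken
 * from the page). Low byte 0x00, high byte 0x40. */
static int str_indicates_vmware(uint16_t sel)
{
    return sel == 0x4000;
}

/* Patch 1: overwrite n bytes at off with NOP (0x90). Returns 1 on success,
 * 0 if the range falls outside the buffer. */
static int nop_out(uint8_t *buf, size_t len, size_t off, size_t n)
{
    if (off > len || n > len - off) return 0;
    for (size_t i = 0; i < n; i++) buf[off + i] = 0x90;
    return 1;
}

/* Patch 2: flip a short conditional jump (opcodes 0x70..0x7F) to its
 * complement by toggling the low bit, e.g. JZ (0x74) <-> JNZ (0x75).
 * Returns 1 if a Jcc was flipped, 0 if the byte is not a short Jcc. */
static int flip_short_jcc(uint8_t *buf, size_t len, size_t off)
{
    if (off >= len) return 0;
    if ((buf[off] & 0xF0) != 0x70) return 0;
    buf[off] ^= 0x01;
    return 1;
}

/* Constructed stand-in for the check (assumed encoding, not bytes from the
 * sample):  str eax ; cmp ax, 0x4000 ; jz <vm_detected> */
static uint8_t g_check[] = {
    0x0F, 0x00, 0xC8,        /* str eax        */
    0x66, 0x3D, 0x00, 0x40,  /* cmp ax, 0x4000 */
    0x74, 0x05               /* jz  +5         */
};
#define STR_OFF 0
#define STR_LEN 3
#define JZ_OFF  7

int main(void)
{
    uint16_t sel = read_tr_selector();
    printf("TR selector = 0x%04x -> %s\n", sel,
           str_indicates_vmware(sel) ? "looks like VMware"
                                     : "no VMware signature");

    /* Apply both patches to the constructed bytes and dump the result;
     * in practice one of the two is enough to neutralize a check. */
    nop_out(g_check, sizeof g_check, STR_OFF, STR_LEN);
    flip_short_jcc(g_check, sizeof g_check, JZ_OFF);
    for (size_t i = 0; i < sizeof g_check; i++) printf("%02x ", g_check[i]);
    printf("\n");
    return 0;
}
```

Build with `gcc -o strcheck strcheck.c` and run it once on the analysis VM and once on bare metal to see what str returns in each environment; as the text notes for Workstation 7 on a Core i7, the value you get depends on the hypervisor and hardware. One caveat: on CPUs with UMIP enabled under a modern OS, executing str from a 64-bit user process can fault instead of returning a selector, so a crash at this instruction is itself worth noting during analysis.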