Lab 17-1 Solutions

Short Answers

  1. This malware uses vulnerable x86 instructions to determine if it is running in a VM.

  2. The script finds three potential anti-VM instructions and highlights them in red: sidt, str, and sldt.

  3. The malware will delete itself if either sidt or str detects VMware. If the sldt instruction detects VMware, the malware will exit without creating its main thread, but it will still create the malicious service MalService.

  4. On our machine running VMware Workstation 7 on an Intel Core i7, none of the techniques succeeded. Your results will vary depending on the hardware and software you use.

  5. See the detailed analysis for an explanation of why each technique did or didn’t work.

  6. You can NOP-out the sidt and str instructions or flip the jump ...
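As an added illustration (not the book's IDA script from answer 2), the following Python byte scanner flags the same three instructions, sidt, str and sldt, in a raw 32-bit code section by matching their opcode encodings (0F 01 /1, 0F 00 /1 and 0F 00 /0). The sample bytes are constructed here for the example; the ModRM check keeps register-form 0F 01 encodings such as monitor/mwait from being reported as sidt.

```python
# Scan raw x86 bytes for the anti-VM instructions discussed in Lab 17-1.
# Each entry: (mnemonic, second opcode byte after 0x0F, required ModRM reg
# field, memory-operand-only). sidt only exists with a memory operand, so a
# ModRM with mod == 3 after 0F 01 is some other instruction (e.g. monitor).
ANTI_VM_OPCODES = [
    ("sldt", 0x00, 0, False),
    ("str",  0x00, 1, False),
    ("sidt", 0x01, 1, True),
]

def find_anti_vm_instructions(data: bytes):
    """Return [(offset, mnemonic), ...] for every candidate hit in data.

    This is a linear byte scan, not a disassembly, so a match can also land
    inside an immediate or displacement of an unrelated instruction; treat
    hits as candidates to confirm in a disassembler, as the lab does.
    """
    hits = []
    for i in range(len(data) - 2):
        if data[i] != 0x0F:
            continue
        op2, modrm = data[i + 1], data[i + 2]
        reg = (modrm >> 3) & 0x7   # ModRM reg field selects the /n form
        mod = modrm >> 6           # mod == 3 means a register operand
        for name, second, want_reg, mem_only in ANTI_VM_OPCODES:
            if op2 == second and reg == want_reg and not (mem_only and mod == 3):
                hits.append((i, name))
    return hits

# Constructed sample: push ebp; mov ebp,esp; sidt [ebp-8]; str [ebp-8];
# sldt [ebp-8]; ret. Offsets 3, 7 and 11 hold the three instructions.
SAMPLE_CODE = bytes.fromhex("55 8b ec 0f 01 4d f8 0f 00 4d f8 0f 00 45 f8 c3")

if __name__ == "__main__":
    for offset, mnemonic in find_anti_vm_instructions(SAMPLE_CODE):
        print(f"offset 0x{offset:04x}: {mnemonic}")
```

Each reported offset is where you would set a breakpoint or, following answer 6, patch the instruction out while confirming the malware's behaviour in the debugger.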
