The exports are
The DLL is deleted from the system using a .bat file.
A .bat file containing self-deletion code is created, as well as a file named xinstall.log containing the string Virtual Machine, Install Cancel".
This malware queries the VMware backdoor I/O communication port using the magic value VX and the action 0xA by using the x86 in instruction.
To get the malware to install, patch the in instruction at 0x100061DB at runtime.
To permanently disable the VM check, use a hex editor to modify the static string from [This is DVM]5 to [This is DVM]0. Alternatively, NOP-out the check in OllyDbg ...
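
When triaging a sample for this kind of check, a byte scan can point the analyst at the in instruction to inspect or patch. The following is an added example, not code from the original page: it flags each in eax, dx opcode that has the VX value and the 0xA action loaded shortly before it. The function name, the 32-byte window and the sample bytes are assumptions made for illustration.

```python
import struct

IN_EAX_DX = b"\xED"        # one-byte opcode for "in eax, dx"
VX_PORT = 0x5658           # ASCII "VX", the value named in the text
WINDOW = 32                # bytes before the opcode to inspect (assumed heuristic)

def find_vmware_backdoor_checks(code, base=0):
    """Return [(address, action_0xA_seen)] for each candidate port query.

    Linear byte scan, not a disassembler: 0xED can also occur as an operand
    byte, so only hits with the VX immediate loaded shortly before are kept.
    """
    port_imm = struct.pack("<H", VX_PORT)          # b"\x58\x56" in little-endian
    hits = []
    pos = code.find(IN_EAX_DX)
    while pos != -1:
        window = code[max(0, pos - WINDOW):pos]
        if port_imm in window:
            # mov ecx, 0Ah (B9 0A 00 00 00) or push 0Ah (6A 0A)
            action = b"\xB9\x0A\x00\x00\x00" in window or b"\x6A\x0A" in window
            hits.append((base + pos, action))
        pos = code.find(IN_EAX_DX, pos + 1)
    return hits

# Constructed sample bytes (not taken from the malware discussed above).
SAMPLE = (
    b"\x90" * 40 + b"\xED" + b"\x90" * 40   # decoy: bare 0xED with no VX nearby
    + b"\xB8\x68\x58\x4D\x56"               # mov eax, 564D5868h
    + b"\xBB\x00\x00\x00\x00"               # mov ebx, 0
    + b"\xB9\x0A\x00\x00\x00"               # mov ecx, 0Ah
    + b"\xBA\x58\x56\x00\x00"               # mov edx, 5658h ("VX")
    + b"\xED"                               # in eax, dx
    + b"\xC3"                               # ret
)

if __name__ == "__main__":
    for addr, action in find_vmware_backdoor_checks(SAMPLE, base=0x1000):
        print(f"in eax, dx at {addr:#x}, action 0xA seen: {action}")
```

Each reported address is only a candidate and should be confirmed in a disassembler before patching.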