Note that each “while” loop is performing string decryption on the sequences of bytes shown in the variables above the loop. When following the execution in a debugger, the strings are decrypted, and some meaningful indicators of VM checks are visible. (See appendix for decryption function details.)

In this code snippet, three checks are evident:

• MAC address check
• Checking the presence of “dbghelp.dll” — debugger indicator
• Checking the presence of “sbiedll.dll” — sandboxie indicator

By following the traps and patching the system accordingly, the environment is prepared for Gootkit to run in.

The rest of the checks include:

• Compare user name to “CurrentUser”/”Sandbox”
• Compare computer name to “SANDBOX”/”7SILVIA”
• HKEY_LOCAL_MACHINEHARDWAREDESCRIPTIONSystemSystemBiosVersion” compare with AMI, VirtualBox, BOCHS, INTEL 640000, 55274-640-2673064-23950, and other serials

After patching a virtual machine and running the sample, it’s clear that it is no longer stuck in an endless loop and that the sample continues its propagation in the system.