First it collected very specific configuration data from the targeted machine—information about directories, program files, and other resident data—then combined the names of each file, one by one, with the name of the top directory in the Windows Program Files folder on the machine. To this string of data it added a special value, then ran it through the MD5 hash algorithm 10,000 times, rehashing the resulting hash to produce a new hash each time.25 If, at the end, it generated the correct hash it was seeking, the malware proceeded to the next step.
That’s intense, and seems it could be really prone to false negatives unless they had continuous access to target machines?
