Method of Infection
Some websites trick the user by displaying deceptive pop-up ads that imitate regular Windows notifications, with links styled to look like "Yes" and "No" buttons. No matter which "button" the user clicks, Mendoza installs on the user's computer through a backdoor and infects the system without their knowledge or consent.
Mendoza changes the user's desktop background, hijacks the user's browser, spies on the user, and replaces system files (all without the user's knowledge or permission). It can also re-install itself even after it has been removed by antivirus software.
It sets the following registry values:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\"CleanShutdown" = "0"
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"Shell" = "[SET OF RANDOM CHARACTERS].exe"
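The two registry values above are the persistence indicators a responder would look for: the Winlogon Shell value normally holds "explorer.exe", so any other executable there means the logon shell has been replaced. The following Python script is an added example (not part of the original page and not associated with the malware's author); it parses an offline `reg export` style dump and flags both values. The .reg text, the key paths, the function names and the filename "xk3q9zpd.exe" are constructed for illustration, not taken from a real infected system.

```python
"""Offline check of an exported registry file for the Winlogon Shell
hijack and the CleanShutdown change described above.

Constructed example: SAMPLE_REG imitates the output of `reg export`
on an infected machine; it is not real captured data.
"""
import re

WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
EXPLORER = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer"

# Constructed sample (the random-looking executable name is made up).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="xk3q9zpd.exe"
"Userinit"="C:\\Windows\\system32\\userinit.exe,"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer]
"CleanShutdown"=dword:00000000
'''


def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: value}}.

    Only REG_SZ ("...") and REG_DWORD (dword:hex) values are handled,
    which is enough for the two indicators checked here.
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:                       # [KEY\PATH] opens a new key section
            current = m.group(1)
            keys[current] = {}
            continue
        if current is None:         # file header ("Windows Registry Editor ...")
            continue
        m = re.fullmatch(r'"([^"]+)"=(.*)', line)
        if not m:
            continue
        name, data = m.groups()
        if data.startswith("dword:"):
            keys[current][name] = int(data[len("dword:"):], 16)
        elif data.startswith('"') and data.endswith('"'):
            # .reg files escape backslashes and quotes with a backslash
            keys[current][name] = data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
        else:
            keys[current][name] = data
    return keys


def check_indicators(keys):
    """Return human-readable findings for the two indicators, empty if clean."""
    findings = []
    shell = keys.get(WINLOGON, {}).get("Shell")
    if shell is not None and shell.strip().lower() != "explorer.exe":
        findings.append(f"Winlogon Shell is {shell!r} instead of 'explorer.exe'")
    clean = keys.get(EXPLORER, {}).get("CleanShutdown")
    if clean == 0:
        findings.append("Explorer CleanShutdown is 0")
    return findings


if __name__ == "__main__":
    for finding in check_indicators(parse_reg(SAMPLE_REG)):
        print("INDICATOR:", finding)
```

On a live system the same check can be run against `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" winlogon.reg` output; the script deliberately compares against the single expected value "explorer.exe" rather than searching for a specific malicious name, since the page states the filename is random.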