Lab 16-1 Solutions
Short Answers
1. The malware checks the status of the BeingDebugged, ProcessHeap, and NTGlobalFlag flags to determine if it is being run in a debugger.
2. If any of the malware's anti-debugging techniques succeed, it will terminate and remove itself from disk.
3. You can manually change the jump flags in OllyDbg during runtime, but doing so will get tedious since this malware checks the memory structures so frequently. Instead, modify the structures the malware checks in memory either manually or by using an OllyDbg plug-in like PhantOm or the Immunity Debugger (ImmDbg) PyCommand hidedebug. See the detailed analysis for a step-by-step way to dump and modify the structures in OllyDbg.
Both the OllyDbg plug-in PhantOm and the ImmDbg PyCommand ...
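The following is an added example, not code from the book or from the PhantOm/hidedebug tools. It shows what an analyst is looking for when dumping the structures named in answers 1 and 3: it parses a copy of the 32-bit PEB and the default heap header, reports which of the three artifacts (BeingDebugged, NtGlobalFlag, ProcessHeap Flags/ForceFlags) would reveal the debugger, and produces the cleaned bytes an analyst would write back in OllyDbg. The field offsets and the sample values are those of a 32-bit Windows XP process (an assumption; later Windows versions place the heap Flags/ForceFlags fields elsewhere), and the PEB/heap bytes are constructed inline rather than read from a live process.

```python
import struct

# Windows XP 32-bit layouts (assumption for this example; offsets differ on Vista and later).
PEB_BEING_DEBUGGED = 0x02   # BYTE: set by the loader when the process starts under a debugger
PEB_PROCESS_HEAP = 0x18     # pointer to the default process heap (_HEAP)
PEB_NT_GLOBAL_FLAG = 0x68   # DWORD
HEAP_FLAGS = 0x0C           # DWORD inside the _HEAP header
HEAP_FORCE_FLAGS = 0x10     # DWORD inside the _HEAP header

# Heap-debugging bits a debugger-created process picks up in NtGlobalFlag.
FLG_HEAP_ENABLE_TAIL_CHECK = 0x10
FLG_HEAP_ENABLE_FREE_CHECK = 0x20
FLG_HEAP_VALIDATE_PARAMETERS = 0x40
DEBUG_NTGLOBALFLAG = (FLG_HEAP_ENABLE_TAIL_CHECK
                      | FLG_HEAP_ENABLE_FREE_CHECK
                      | FLG_HEAP_VALIDATE_PARAMETERS)   # 0x70
HEAP_GROWABLE = 0x00000002  # the only Flags bit a normally launched process heap carries


def _u32(buf, off):
    return struct.unpack_from("<I", buf, off)[0]


def check_debugger_artifacts(peb: bytes, heap: bytes) -> dict:
    """Report which of the three PEB-related artifacts would tell the malware a debugger is attached."""
    flags = _u32(heap, HEAP_FLAGS)
    force_flags = _u32(heap, HEAP_FORCE_FLAGS)
    return {
        "BeingDebugged": peb[PEB_BEING_DEBUGGED] != 0,
        "NtGlobalFlag": (_u32(peb, PEB_NT_GLOBAL_FLAG) & DEBUG_NTGLOBALFLAG) == DEBUG_NTGLOBALFLAG,
        # Any heap flag other than HEAP_GROWABLE, or a non-zero ForceFlags, is a debugger artifact.
        "ProcessHeap": force_flags != 0 or (flags & ~HEAP_GROWABLE & 0xFFFFFFFF) != 0,
    }


def patch_debugger_artifacts(peb: bytes, heap: bytes):
    """Return copies of the PEB and heap header carrying the values a non-debugged process would have."""
    peb, heap = bytearray(peb), bytearray(heap)
    peb[PEB_BEING_DEBUGGED] = 0
    cleaned = _u32(peb, PEB_NT_GLOBAL_FLAG) & ~DEBUG_NTGLOBALFLAG & 0xFFFFFFFF
    struct.pack_into("<I", peb, PEB_NT_GLOBAL_FLAG, cleaned)
    struct.pack_into("<I", heap, HEAP_FLAGS, HEAP_GROWABLE)
    struct.pack_into("<I", heap, HEAP_FORCE_FLAGS, 0)
    return bytes(peb), bytes(heap)


def make_sample_debugged_process():
    """Constructed sample: PEB and heap-header bytes as a debugger-launched XP process shows them."""
    peb = bytearray(0x100)
    peb[PEB_BEING_DEBUGGED] = 1
    struct.pack_into("<I", peb, PEB_PROCESS_HEAP, 0x00140000)   # placeholder heap address
    struct.pack_into("<I", peb, PEB_NT_GLOBAL_FLAG, DEBUG_NTGLOBALFLAG)
    heap = bytearray(0x40)
    struct.pack_into("<I", heap, HEAP_FLAGS, 0x50000062)        # constructed: typical debugged value
    struct.pack_into("<I", heap, HEAP_FORCE_FLAGS, 0x40000060)  # constructed: typical debugged value
    return bytes(peb), bytes(heap)


if __name__ == "__main__":
    peb, heap = make_sample_debugged_process()
    print("before patch:", check_debugger_artifacts(peb, heap))
    peb, heap = patch_debugger_artifacts(peb, heap)
    print("after patch: ", check_debugger_artifacts(peb, heap))
```

Dumping the PEB (the address fs:[0x30] points to) and the heap at PEB+0x18 from OllyDbg's memory window and feeding the bytes to check_debugger_artifacts tells you which check is about to fire; writing the bytes from patch_debugger_artifacts back is the manual equivalent of what PhantOm and hidedebug do for you.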