[markusg]

http://www.virustotal.com/file-scan/rep ... 1291725015

[markusg]

http://www.virustotal.com/file-scan/rep ... 1291740511

[Meriadoc]

Header modification, MSIL Injection warrants a look in vmware xpsp3 :)

Drops Win32.Spyrat http://www.symantec.com/security_respon ... 99&tabid=2

C:\WINDOWS\system32\install (hidden+system)

Registry entry "HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{261B00RD-4480-DW02-A1BH-7DL00FD600NL}\StubPath" created set to <C:\WINDOWS\system32\install\svchost.exe>

Registry entry "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Policies\Explorer\Run\Policies" created set to <C:\WINDOWS\system32\install\svchost.exe>

Registry entry "HKEY_CURRENT_USER\software\microsoft\windows\currentVersion\Policies\Explorer\Run\Policies" created set to <C:\WINDOWS\system32\install\svchost.exe>

Registry entry "HKEY_CURRENT_USER\software\microsoft\windows\currentVersion\Run\HKCU" created set to <C:\WINDOWS\system32\install\svchost.exe>

Registry entry "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run\HKLM" created set to <C:\WINDOWS\system32\install\svchost.exe>

injects Process IEXPLORE.EXE

opens backdoor

[Meriadoc]

Creates a directory C:\WINDOWS\system32\Windows (hidden+system)
file : winlogon.exe

opens backdoor

sqlite3.dll http://www.virustotal.com/file-scan/rep ... 1291738997

[EP_X0FF]

http://www.virustotal.com/file-scan/rep ... 1291740511

Crypted with NET framework based cryptor.
Trivial stealer + backdoor, and I would say it is very well known trojan.
Executable written on Delphi.

http://www.virustotal.com/file-scan/rep ... 1291803307

From interesting pars of this trash, inside it contains detection of kernel mode based debuggers, such as Syser and SoftIce.

\\.\Syser \\.\SyserDbgMsg \\.\SyserBoot \\.\SICE \\.\NTICE

and VirtualBox, Sandboxie detection + a lot of others (if somebody interested all detection code placed at @0040B0F0, see attach from Meriadoc).

VBoxService.exe SbieDll.dll

Topic title changed to malware name.

[EP_X0FF]

http://www.virustotal.com/file-scan/rep ... 1291725015

Creates a directory C:\WINDOWS\system32\Windows (hidden+system)
file : winlogon.exe

opens backdoor

Didn't found any new winlogons in system.

This trojan starts actual winlogon copy from windows\system32 directory and maps payload code to newly started winlogon memory. Winlogon binary itself is not malicious.

Payload code looks similar to http://www.kernelmode.info/forum/viewto ... f=16&t=518.

I think it's the modification of the same stuff.

edit: forum software killed posts order.

[markusg]

http://www.virustotal.com/file-scan/rep ... 1291894474

[EP_X0FF]

http://www.virustotal.com/file-scan/rep ... 1291894474

Yet the same.

New copy of winlogon.exe spawned and payload code (crypted inside container in .NET dropper) mapped. Payload contains VM detection code, described above.

[markusg]

hi,

http://www.virustotal.com/file-scan/rep ... 1292673853

[EP_X0FF]

After additional analysis (thanks to topic starter for pointing on this) actual malware found. It is second file placed in container together with MS Office 2007 keygen.
Some sort of Spyrat modification.

Malware attached.