[gjf]

And one more info for those who tries to analyse it: I am not sure, but some versions of this malware detects locale which differs from Russian and does not infect system in this case, possibly because of extortion habit.

[gjf]

Tuanloc, yup, ThreatExpert gave very detailed report, aha! :D

[EP_X0FF]

It's also crashed on my real test machine (Windows XP SP3 Ru, E6700) and inside Anubis http://anubis.iseclab.org/?action=resul ... format=txt
Are you sure it is working?

[gjf]

All three samples? Hm, I am absolutely sure it is working ones.

OK, let me double check this.

[EP_X0FF]

No, I actually tried only Install_Digital-Access_v.9251.exe :)

[gjf]

Houston, we have a problem. Unfortunately my colleague just told me that this rootkit during installation asks some host for activation. Without activation the installation process fails. It should be noted the code/sms number comes with this activation as well.

So - too bad, but I believe the investigation of this is too complicated :(

[EP_X0FF]

Below is analysis made by one of sandbox I'm using. Process seems to be executed and some actions were done.

[gjf]

Below is analysis made by one of sandbox I'm using. Process seems to be executed and some actions were done.

Sure they have to be done: connect to host, show the error window :)

[vaber]

Digital-Access rootkit is the same as max++ from this thread
http://www.kernelmode.info/forum/viewto ... ?f=16&t=23

[ConanTheLibrarian]

Is there a recent sample? It is has morphed more since this article and I would like to study the newest samples.