Another sample. Packer changed again. Also, this version no longer creates the \??\ACPI#PNP0303#2&da1a3ff&0 symlink, but it creates \??\%08X instead. The number in the format string is retrieved by XORing all four 32-bit values from the MD5 of Systemroot volume creation time. I don't have dropper for it, but it can be installed by running an old ZeroAccess dropper, and replacing infected driver in System32\drivers.
Attachments
Password: malware
(87.16 KiB) Downloaded 67 times
(87.16 KiB) Downloaded 67 times