A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #25919  by R136a1
 Sat May 23, 2015 10:10 am
Hi folks,

I haven't had any time to take a closer look at it. Maybe someone is interested in this malware.

Description can be found here: http://virusradar.com/en/Win32_TrojanDo ... escription


Attached: Win32/TrojanDownloader.Spyrov.A samples
Attachment password: infected
 #25993  by EP_X0FF
 Tue Jun 02, 2015 7:00 am
It is the Win32/Zemot downloader (http://blogs.technet.com/b/mmpc/archive/2014/09/09/msrt-september-2014-zemot.aspx), protected by MysticCompressor. Another feature is the trashed DACL of the directory where the Zemot downloader remains.

Autorun via <RandomName> Hex-Rays SA c:\documents and settings\user\application data\qlre\tmvk.exe

You may be confused by the ESET report indicating modification of
The trojan may set the following Registry entries:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems]
"Windows" = "%systemroot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,16837860,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserSe
But I don't see anything like this.

During its work it creates 12 desktops called "Ghost Desktop <number>". It uses WMI AntivirusProduct/FirewallProduct to send back information about installed software.

Hooks the following API:
wininet!InternetOpenA
winmm!PlaySoundA
ntdll!NtCreateProcess
user32!MessageBoxA
advapi32!RegEnumValueA
kernel32!GetCursorInfo
Attempts to contact techserl.ru, gerrihant.ru, jympercri.ru, all of which are down.

Attached: unpacked 0fb599e1b95ad48e242da60bfe6611b2e92ce854b449914e1b578d61c8f38e35.

https://www.virustotal.com/en/file/e348 ... 433227412/
Attachment password: infected
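An added host-triage check for the artifacts described in the post above (example code, not from the thread or from any tool it names). It assumes the drop directory is the "qlre" folder from the autorun entry and reads "trashed DACL" as an empty DACL or a Deny ACE for Everyone; both are assumptions.

```powershell
# Added example: look for the artifacts EP_X0FF reports on a live host.
# Assumptions: drop directory name "qlre" (from the autorun entry in the post) and
# "trashed DACL" meaning no ACEs at all or an explicit Deny for Everyone.
Add-Type -TypeDefinition @"
using System;
using System.Collections.Generic;
using System.Runtime.InteropServices;
public static class DesktopEnum {
    public delegate bool EnumDesktopProc(string name, IntPtr lParam);
    [DllImport("user32.dll", SetLastError = true)]
    static extern bool EnumDesktops(IntPtr hwinsta, EnumDesktopProc proc, IntPtr lParam);
    [DllImport("user32.dll", SetLastError = true)]
    static extern IntPtr GetProcessWindowStation();
    // Names of every desktop in the calling process's window station.
    public static List<string> List() {
        var names = new List<string>();
        EnumDesktops(GetProcessWindowStation(), (n, p) => { names.Add(n); return true; }, IntPtr.Zero);
        return names;
    }
}
"@

# 1. Desktops: an interactive session typically has only Default, Disconnect and Winlogon.
$ghost = [DesktopEnum]::List() | Where-Object { $_ -match '^Ghost Desktop \d+$' }
if ($ghost) { "Suspicious desktops: $($ghost -join ', ')" }

# 2. Per-user Run entries that launch something from %APPDATA% (PS* properties are
#    provider metadata added by Get-ItemProperty, not registry values).
$run = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$run.PSObject.Properties |
    Where-Object { $_.Name -notlike 'PS*' -and "$($_.Value)" -like "*$env:APPDATA*" } |
    ForEach-Object { "Run entry '$($_.Name)' -> $($_.Value)" }

# 3. DACL of the assumed drop directory.
$dropDir = Join-Path $env:APPDATA 'qlre'
if (Test-Path -LiteralPath $dropDir) {
    $acl = Get-Acl -LiteralPath $dropDir
    $denyEveryone = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and $_.IdentityReference.Value -eq 'Everyone'
    }
    if ($acl.Access.Count -eq 0 -or $denyEveryone) { "Trashed DACL on $dropDir" }
}
```

Run it from the console session of the user being examined, since desktops belong to that session's window station.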