new virus not detected yet

Hi malware fighters,yesterday my friend come to visit me he has a flash memory,he insert it in my system and and i explore it to see autorun.inf file point to removed trojan,after scan the flash memory i ensure all of its continents is safe,i listen some music from it,then i open it again and two files with wired icons has been in it but i don’t give them attention so i copy them to my desktop"the files were already on the flash memory"
today i copy it to my flash memory and boot my lovely test system,rescan files with mse,mbam,dr.web cure it,…
no detection but the name and place of the files make me suspect about them.so let us start shVL"superhacker Virus Lab"
file size:98304 BYTE
CRC32:5EE37A51
MD5:737346D3E6AF163E315DD6CA37BA2984
SHA1:BA570FB389362B2B96AFB9CC753922EACE8CA3C9
created with:microsoft visual basic v6
packer:there is no packer protection
when you run the file a directory crated in:
c:\windows\system32\ias\smss.exe
the executable check for flash memory drivers and copy to it three files:
MSN.exe
MSWINSCK.OCX
autorun.inf
autorun.inf file contain those commands:
[AutoRun]
shell\explore\command=msn.exe
shell\open\command=msn.exe
open=msn.exe
shell\open\Default=1
shell\Scan From Viruse\Command=msn.exe
you can see that the trojan use some social engineering tricks,smss.exe and scan for viruses option,and microsoft name
create a shortcut in the start menu
create startup key:
HKLM\SOFTWARE\MICROSOFT\WINDOWS\RUN
under the name of"System"and it link to"c:\windows\system32\ias\smss.exe"
it try to get some typed information by the keyboard,and change the file wanted.log
try to send collected data to:
“outmail.ste.net.sy”
the creators of file are"as they put their own names in emails in side the files"
“ali.saleh@mail.sy”=Ali Saleh
sami0shraim@yahoo.com”=Sami Shraim
after all the file created by beginner programmers"error handling is missed in the file,hide the file by the normal hide option not like attrib +s +r +h",it made by Syrian pepoles i think,
and may you always wonder why i hate VB here is why,coz a lot of non good,and dumps here learn it and try to do bad,dumb programs with it,the virus has not been detected yet by a lot"or all"security vendors
and i will svan the file using virus total so every security company will get a copy of the file.
here is some important strings from the file:
00404170: IdonotKNow
0040418C: Type The code
00404170: IdonotKNow
004041AC: samishraim123321
00403FE0: Error
00403FC4: File Error
00403FF0: \System32\ias
00404018: autorun.inf
00404034: MSWINSCK.OCX
00404054: \System32\ias\smss.exe
00404088: \System32\wanted.log
004040E4: Software\Microsoft\Windows\CurrentVersion\Run
00404144: .exe
0040415C: System
004046BC: Idonotknow
0040468C: sami0shraim@yahoo.com
00404668: My Master(Sami)
00404640: ali.saleh@mail.sy
0040461C: Natalie-portman
004045F0: outmail.ste.net.sy
00404088: \System32\wanted.log
00403D98: Ddd
00403DB0: dd Mmm YYYY
00403DD4: hh:mm:ss
00403DF4: -0600
00403E08: mail from:
00403E24:

00403E30: rcpt to:
00403E48: Date:
00403E58: From:
00403E68: To:
00403E74: Subject:
00403E8C: X-Mailer: EBT Reporter v 2.x
00403ECC: 220
00403ED8: HELO worldcomputers.com
00403F0C: 250
00403F18: data
00403F28: 354
00403F3C: quit
00403F4C: 221
00404144: .exe
004041E4: MSN.exe
00404144: .exe
00404034: MSWINSCK.OCX
004041F8: \system32\MSWINSCK.OCX
0040422C: \MSN.exe
00404018: autorun.inf
00404244: [AutoRun]
00404270: shell\explore\command=msn.exe
004042B0: shell\open\command=msn.exe
004042EC: open=msn.exe
0040430C: shell\open\Default=1
0040433C: shell\Scan From Viruse\Command=msn.exe
004046E0: SMTP service error, timed out while waiting for response
00404758: SMTP service error, impromper response code. Code should have been:
004047E8: Code recieved:
00404144: .exe
00404034: MSWINSCK.OCX
00404054: \System32\ias\smss.exe
00404144: .exe
00404810: \System32\MSWINSCK.OCX
\\\\\\\\\\\\\\\\\\\
removing steps:
kill the process smss.exe"ensure that you kill the process that belong to c:\windows\system32\ias\smss.exe",DONT TERMINATE smss.exe in the c:\windows\system32\smss.exe
remove the file smss.exe from c:\windows\system32\ias\smss.exe
remove the startup entry that i list above,i simply run service script by ESET sysinspector
\\\\\\\\\\\\\\\\\\\
shVL is a really good mix of tools that used for malware analyzing contain tools like:,olly debugger,PE explorer,eset sysinspector,rootkit revealer,RKU,hijack free,reg mon,file mon,reg shot,…and a lot a lot of good tools,and also built-in house tools like:HD"hacker defender,and i dont know if there is a program in the net have the same name",“WWS,weak wall scan is a tool try to detect exploiting attempt in a local system”,Pegasus is a tool try to get informations from file"not a hex editor"and put them together,…anyway thanks c++,and python,java do help me here,sorry sun.