Ok, now, this one was sent to me actually, and I simply fell into it (very ashamed!).
As far as I’ve checked (using a VirtualBox machine with snapshots and checking for new files in the system after executing the virus, before and after a reboot):
It copies some stuff to your “IE5-something” folder.
It copies some stuff into “C:\Intel..” folder. It logs started apps in a file called “77”.
It puts two files to be executed on startup (logon) in the “…\Windows\CurrentVersion\Run” registry entry.
Probably one or two more things, I’m writing here from my memory…
Anyway, I think it should be added as a trojan or something and completely eliminated.
If you guys at AVAST need more details just say so. I’m going to have more checks as well, so I’ll probably report back.
I think I’ve made the logs AFTER I’ve removed that trojan (BTW, mine is of another version, as it doesn’t sit in “%system%/…” but in “%user%/roaming…”), that’s why you cannot see anything suspicious about them.
Anyway, the symptom is, as I recall:
Puts two “run” records in HKLM & HKCU that target “MSDSC.exe”.
There’s also, in the user’s %temp% folder a file called “svchost.exe”.
Next to the “MSDSC.exe” file there’s a file called “77” and it’s simply a log of executed programs and key-strokes, hence a keylogger.
Anyway, don’t you test it? This one is undetected by AVAST yet, so I guess you would want to add it to the virus list or something…
Good news is that the virus in its packed form is now DETECTED BY AVAST - great!
Less good news is that the two EXE files I’ve managed to see that this virus has are still undetected. They are the virus itself (keylogger).
So, as you’ve said - I’ve uploaded these two along with a produced file called “77” which is a log of keys.
Hope there’s nothing else in that virus, otherwise they own me now!
Of course the unpacker (the main executable) is enough to stop it from spreading, but what about existing infections?? It’ll never know about them.
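
A check for existing infections built from the indicators reported in the posts above (added example, not part of the original thread and not Avast's tooling): it looks for Run values in HKLM and HKCU that target MSDSC.exe, a file named 77 beside that executable, and svchost.exe in the user's %TEMP% folder. It assumes the standard `Software\Microsoft\Windows\CurrentVersion\Run` key, whose full path the post elides, and reads only the current user's hive and temp folder.

```powershell
# Added example: triage for the indicators named in this thread.
# A hit is a lead for further analysis, not proof of infection.
# Assumption: the standard Run key path below; the post gives it only in elided form.
$findings = @()
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'

foreach ($key in $runKeys) {
    $item = Get-Item -Path $key -ErrorAction SilentlyContinue
    if (-not $item) { continue }
    foreach ($name in $item.GetValueNames()) {
        $data = [string]$item.GetValue($name)
        if ($data -notmatch 'MSDSC\.exe') { continue }   # -match is case-insensitive
        $findings += [pscustomobject]@{
            Indicator = 'Run value targets MSDSC.exe'; Location = "$key [$name]"; Detail = $data }

        # The posts place the "77" log next to MSDSC.exe, and the folder differs
        # between versions, so derive it from the Run value instead of hardcoding.
        if ($data -match '^\s*"?(?<exe>[^"]+?MSDSC\.exe)') {
            $exe = [Environment]::ExpandEnvironmentVariables($Matches['exe'])
            $dir = Split-Path -Path $exe -Parent
            if ($dir -and (Test-Path -LiteralPath (Join-Path $dir '77'))) {
                $findings += [pscustomobject]@{
                    Indicator = 'File "77" beside MSDSC.exe'; Location = (Join-Path $dir '77')
                    Detail = 'described in the thread as a log of programs and keystrokes' }
            }
        }
    }
}

# svchost.exe normally lives under %SystemRoot%\System32, not in a user's temp folder.
$tempSvchost = Join-Path $env:TEMP 'svchost.exe'
if (Test-Path -LiteralPath $tempSvchost) {
    $findings += [pscustomobject]@{
        Indicator = 'svchost.exe in %TEMP%'; Location = $tempSvchost
        Detail = (Get-FileHash -LiteralPath $tempSvchost -Algorithm SHA256).Hash }
}

if ($findings) { $findings | Format-List } else { 'No indicators from the thread were found.' }
```

The SHA256 printed for the temp-folder svchost.exe can accompany a sample submission; the script only reads and reports, it removes nothing.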