A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #13187  by EP_X0FF
 Sun May 13, 2012 7:53 am
That's "Achtung". Completely like this http://www.kernelmode.info/forum/viewto ... 241#p12241

Strings inside are additionally encrypted.
Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2) Gecko/20100115 MRA 5.3 (build 02546) Firefox/3.6 D o w n l o a d i n g . . . U p d a t i n g f i l e : % s guid=%s&pid=%d&rType=ping guid=%s&pid=%d&rType=pay&pType=%d&code=%s X-Cache-ID: 2000 Software\Microsoft\Windows\CurrentVersion\Run SkypePM numeriskbesla.com nasharkerbala.com hawryshscrimm.com arheitzoons.com ceruseschangki.com xenephonklynge.com awalcocaulinar.info
So far I found these on BH EK serving this trojan as payload.

Sirefef, Ransom and FakeAV, and legit Windows Calc as a bonus.

Old known buddies migrating from one IP to another with their crapware pack.