[markusg]

http://www.virustotal.com/file-scan/rep ... 1292934027

[ConanTheLibrarian]

Highly descriptive, thanks.

[EP_X0FF]

This is trojan dropper. It drops XrBot.exe to Users\UserName\Templates and then executes it. Probably due to buggy code payload wasn't dropped well - executable file is damaged.

XrBot.exe itself is VB autorunner backdoor (c) Dan (C:\Users\Dan\Desktop\HostBooterv3.5\Server\Project1.vbp) with the following functionality:

AutRUSB
DownloadEXEFile
InstallRegistry
Configuration
InstallEXE

Topic title changed.

[markusg]

Windows 7 Loader.exe
http://www.virustotal.com/file-scan/rep ... 1294835080

[EP_X0FF]

Windows 7 Loader.exe
http://www.virustotal.com/file-scan/rep ... 1294835080

This is HostBooter autorunner equal to posted above.

F:\HostBooter\Server\Project1.vbp

[markusg]

Venom.exe
http://www.virustotal.com/file-scan/rep ... 1299863144

[nullptr]

Venom.exe is usual VB autorun junk.
Tries to add USB Autorun.inf entries
Project File: F:\HostBooter\Server\Project1.vbp

Registry start entries in:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
%USERPROFILE%\Application Data\winlogon.exe

Some lol features:
BeginEXE
StringGen
MiscFunctions
AutRUSB
DownloadEXEFile
InstallRegistry
Configuration
InstallEXE

Connects to:
* hxxp://ahpvenomz.no-ip.biz
* hxxp://www.maxmind.com
Decrypted file report 29/42 - http://www.virustotal.com/file-scan/rep ... 1299904478

[markusg]

(Nero 10 Crack).exe
http://www.virustotal.com/file-scan/rep ... 1305571034

[Xylitol]

(Nero 10 Crack).exe
http://www.virustotal.com/file-scan/rep ... 1305571034

exe powered by HostBooter v4.1
in attachement HostBooter killer for remove the infection (exe powered by the same guys who developed HostBooter)

[markusg]

Adobe PhotoshopCS5 Keygen.exe
http://www.virustotal.com/file-scan/rep ... 1312467287