[EP_X0FF]

Kill files thats all payload. Sample courtesy of nullptr, he found it and was so kind to share.
Valid digital certificate - Air Software, certification center - COMODO Time Stamping Signer.



However this maybe not a true trojan but a buggy part of some kind of installation. However obviously deleting user files in current directory its kind of malicious behavior.

[nullptr]

It's a buggy online installer for 7-Zip 9.20, that attempts to delete the contents of the %USERTEMP% directory when
it has finished - regardless of installation status.

Due to some brilliant programming, instead of calling FindFirstFileW(...) with (on XP)
C:\Documents and Settings\User\Local Settings\Temp

We get C:\Documents and Settings [terminating null - forgot the backslash] User\Local Settings\Temp meaning
it starts enumerating and deleting from C:\Documents and Settings :lol:

edited because I was bored

[EP_X0FF]

Yes preliminary assumptions were correct. This is not trojan, but piece of code which produces malicious behavior. I will change topic title to not confuse readers.