The malware come from: http://vxvault.siri-urz.net/ViriFiche.php?ID=23179
Hosted on the site of a deputy.
Create a mutex:
If all names are take and in read only mode the malware is trapped on infinit loop :)))
Write the file:
and if he fail to write he will Copy it:
Add a registry persistence:
Launch the process:
Encode something (i've not checked what)
Call the C&C
And fail because the first is dead, so retry with 18.104.22.168
This one is cool because coder leaved comments for each action...
I tried to trigger it to send data but i've not succeeded yet.
I will see the rest later.
Alina is interesting i've found many version: http://www.kernelmode.info/forum/viewtopic.php?f=16&t=1756&start=40#p18008
Still i've not checked these files for the moment, i don't know differences.