They are HUUUGE....17MB!
Baz | 03.09.08 - 7:18 pm
Not a very nice Santa at all... wants to mess with my sandbox as soon as I pressed install.
Got four .exe files off it and two .scr files.
Baz | 03.09.08 - 7:34 pm
Can't seem to get the same result as the file you submitted to VT. Unless it is that huge 16MB .scr in system32 which you managed to dissect?
http://www.virustotal.com/analis...0cad5bfd110419d
That's the only one I got a hit on.
Baz | 03.09.08 - 7:49 pm
I just put in one of these .scr files (the Santa and the Matrix).
alex eckelberry | 03.09.08 - 9:01 pm
Also -- the ones I checked were the small files, not the big ones.
alex eckelberry | 03.09.08 - 9:01 pm
What's it with these rogues/malware now all being in German? There is even a new rogue programme entirely for the German user base (festplattencleaner[dot]com) -> http://www.malwarebytes.org/foru...?showtopic=3870
Geez.
Yourhighness | 03.10.08 - 6:22 am
Thanks for the info, Alex. Might not be installing properly inside my sandbox... will try on a virtual machine instead :P
Baz | 03.10.08 - 7:58 am
Baz, this is part of the loads.cc group. Very nasty stuff.
Alex eckelberry | 03.10.08 - 10:34 am
Baz, these don't work on a Virtual machine.
TNT | 03.10.08 - 10:41 am
Plan C.... very old Celeron machine with an unpatched WinXP.
Baz | 03.10.08 - 12:12 pm
Nice....
Lots of registry changes and other bits, including IE security settings and suchlike; looks like it also drops a ctfmon.exe into All Users\Application Data.
Connects to remote servers for the following:
Connect out: 58.65.237.121:80 - [geil-de .info]
Request: GET /admin/?&v=scr
Response: 200 "OK"
Request: GET /admin/manda.php?id=1824246646&v=scr
Response: 200 "OK"
Connect out: 195 .12.48.214:80 - [molyneuxit .co.uk]
Request: GET /scr/download/loader.exe
Response: 404 "Not Found"
Baz | 03.10.08 - 12:22 pm
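As an added example (my own code, not part of Baz's post or the original blog), here is a small Python parser for the sandbox connection log pasted above. It undoes the spaces inserted to defang the hosts and IPs, joins each request to its response, separates the check-ins to manda.php from the attempted loader.exe fetch, and emits the indicators as a refanged list. The log format is assumed from the lines posted; the sample log is that capture embedded verbatim, and the `.exe/.scr/.dll` rule, the `checkin`/`payload` labels and all function names are my assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: the sandbox network log as posted above, with the
# poster's defanging (stray spaces inside hosts and IPs) left in on purpose.
SAMPLE_LOG = """\
Connect out: 58.65.237.121:80 - [geil-de .info]
Request: GET /admin/?&v=scr
Response: 200 "OK"
Request: GET /admin/manda.php?id=1824246646&v=scr
Response: 200 "OK"
Connect out: 195 .12.48.214:80 - [molyneuxit .co.uk]
Request: GET /scr/download/loader.exe
Response: 404 "Not Found"
"""

# Assumed rule: a request for one of these extensions is a payload fetch.
PAYLOAD_EXTENSIONS = (".exe", ".scr", ".dll")


@dataclass
class HttpHit:
    """One request seen over an outbound connection, joined to its response."""
    ip: str
    port: int
    host: str
    method: str
    path: str
    status: Optional[int] = None

    @property
    def url(self) -> str:
        return f"http://{self.host}{self.path}"

    @property
    def kind(self) -> str:
        """'payload' for a fetch of executable content, otherwise 'checkin'."""
        bare = self.path.split("?", 1)[0].lower()
        return "payload" if bare.endswith(PAYLOAD_EXTENSIONS) else "checkin"


# The IP class allows spaces so a defanged "195 .12.48.214" still matches.
CONNECT_RE = re.compile(
    r"^Connect out:\s*(?P<ip>[\d .]+):(?P<port>\d+)\s*-\s*\[(?P<host>[^\]]+)\]"
)
REQUEST_RE = re.compile(r"^Request:\s*(?P<method>[A-Z]+)\s+(?P<path>\S+)")
RESPONSE_RE = re.compile(r"^Response:\s*(?P<status>\d{3})")


def refang(value: str) -> str:
    """Undo the 'x .y' spacing people insert so indicators do not auto-link."""
    return value.replace(" ", "")


def parse_log(text: str) -> List[HttpHit]:
    """Walk the log line by line, attaching each request to the latest
    connection and each response to the latest unanswered request."""
    hits: List[HttpHit] = []
    conn: Optional[Tuple[str, int, str]] = None  # ip, port, host
    for raw in text.splitlines():
        line = raw.strip()
        if m := CONNECT_RE.match(line):
            conn = (refang(m["ip"]), int(m["port"]), refang(m["host"]))
        elif m := REQUEST_RE.match(line):
            if conn is None:
                raise ValueError(f"request before any connection: {line}")
            hits.append(HttpHit(*conn, m["method"], m["path"]))
        elif m := RESPONSE_RE.match(line):
            if not hits or hits[-1].status is not None:
                raise ValueError(f"response with no pending request: {line}")
            hits[-1].status = int(m["status"])
    return hits


def served_payloads(hits: List[HttpHit]) -> List[HttpHit]:
    """Executable fetches the server actually answered (2xx). The 404 on
    loader.exe above means nothing landed: still an IOC, but no sample."""
    return [h for h in hits
            if h.kind == "payload" and h.status is not None and 200 <= h.status < 300]


def indicators(hits: List[HttpHit]) -> dict:
    """Refanged, de-duplicated IOCs for a blocklist or a proxy-log hunt."""
    return {
        "ips": sorted({h.ip for h in hits}),
        "hosts": sorted({h.host for h in hits}),
        "urls": sorted({h.url for h in hits}),
    }


if __name__ == "__main__":
    hits = parse_log(SAMPLE_LOG)
    for h in hits:
        print(f"{h.kind:8} {h.status} {h.url}")
    print("served payloads:", [h.url for h in served_payloads(hits)])
    print(indicators(hits))
```

Run it on a longer sandbox capture and the `checkin` rows give the C2 pattern to hunt for in proxy logs (the `v=scr` parameter and the numeric `id`), while `served_payloads` tells you which second-stage files you actually have on disk to submit.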
Managed to get a loader.exe from that manda.php script. If you change the UID to certain numbers then it downloads an extra surprise on top of the infection already present.
Baz | 03.10.08 - 3:28 pm
And that loader.exe downloads another nasty surprise... just keeps going and going!
VT result: http://www.virustotal.com/analis...c65bceb0ab283c0
Baz | 03.10.08 - 4:06 pm