Hi spgSCOTT,
Good observation there; even in alerting, Avast will keep the flak off, ta...
I think the malware is this:
http://www.prevx.com/filenames/X263214202504027998-X1/RUNSERVER.EXE.html
And it became flagged because there was an SC keylog dropper hidden....
compile.exe and runserver.exe are both infected with an SC keylog dropper; nice attempt by the malcreant to hide it from virus scanners by password-protecting and encrypting the zip file...
See the malcode cocktail here:
[ Changes to filesystem ]
* Creates directory C:.
* Creates directory C:\WINDOWS.
* Creates directory C:\WINDOWS\TEMP.
* Deletes file C:\WINDOWS\TEMP\open8999.tmp.
* Creates file C:\WINDOWS\TEMP\compile.bat.
* Creates file C:\WINDOWS\TEMP\zzzz.exe.
* Creates file C:\WINDOWS\SYSTEM32\iexplorer.exe.
* Creates file C:\WINDOWS\SYSTEM32\iexplorer.dll.
[ Changes to registry ]
* Creates key "HKLM\Software\Microsoft".
* Creates key "HKLM\Software\Microsoft\Windows".
* Creates key "HKLM\Software\Microsoft\Windows\CurrentVersion".
* Creates key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
* Sets value "iexplorer"="C:\WINDOWS\SYSTEM32\iexplorer.exe" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
[ Process/window information ]
* Attemps to open C:\WINDOWS\TEMP\compile.bat C:\WINDOWS\TEMP\.
* Attemps to open C:\WINDOWS\TEMP\zzzz.exe C:\WINDOWS\TEMP\.
* Attemps to open C:\WINDOWS\SYSTEM32\iexplorer.exe NULL.
[ Signature Scanning ]
* C:\WINDOWS\TEMP\compile.bat (59 bytes) : no signature detection.
* C:\WINDOWS\TEMP\zzzz.exe (78022 bytes) : W32/SCKeyLog.V.
pol