Fake AV Malware | Joachim De Zutter
File: 5939.exe
Filesize: 427520
MD5: c2501464dcbc958f6d48f13c3cbe3a20
SHA1: 1d19b653bf8cadeb140204713424b45bba355f9c
SHA256: bfef3a0b015209312f815db7d30059c4e13f74199867b23501d1dd0416dd403f

The sample created and executed /Documents and Settings/All Users.*/Application Data/jFjNiFf01843/jFjNiFf01843.exe, then deleted itself. The dropped copy has the same size as the original sample but different hashes, so it is not a byte-for-byte copy.
Filesize: 427520
MD5: 3fc3b9ff585bfa9ce75731e9b17080bb
SHA1: 3302d19f69a915af654069bf51bb01c24fb0eb49
SHA256: 14bd7f9c2c1a36612fdc022ac9300428a21742de93e197c478be36c232dcf3d0

A 64-byte data file named /Documents and Settings/All Users.*/Application Data/jFjNiFf01843/jFjNiFf01843 (no extension) was created alongside it.
Filesize: 64
MD5: 0c858fb43ba92c90bb39c9690341013a
SHA1: 34f39c18eedc6645b182f6dd440dde88d66c3485
SHA256: 0996c02c797b31b36571b0e1980e9bc77441e63de8b2a21f21598b4399013337

Tried to open an HTTP connection to retrieve:
http://91.193.194.40/install.php?affid=01843
http://91.193.194.40/lurl.php?affid=01843

It also created files under C:\Documents and Settings\%USERNAME%\Local Settings\Temp.

http://www.utrace.de/?query=91.193.194.40
Provider: Odessa Hosting Service (Latvia)

http://www.virustotal.com/file-scan/report.html?id=bfef3a0b015209312f815db7d30059c4e13f74199867b23501d1dd0416dd403f-1302490918
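The indicators above (three file hashes, the jFjNiFf01843 drop directory, and the two affid check-in URLs on 91.193.194.40) are enough to write a small hunting script. The following is an added example, not code from the original post: it walks a directory tree and flags files either by known SHA256 or by the dropper's directory/file naming layout, and it scans proxy log lines for the check-in URL pattern. The five-digit naming regex is an assumption that the 01843 suffix is the affiliate ID and may differ between installs; the sample log lines and the demo directory tree are constructed and are not the real sample.

```python
import hashlib
import os
import re
import tempfile
from urllib.parse import parse_qs, urlsplit

# Indicators taken from the analysis above (SHA256 -> description).
KNOWN_SHA256 = {
    "bfef3a0b015209312f815db7d30059c4e13f74199867b23501d1dd0416dd403f": "5939.exe (dropper)",
    "14bd7f9c2c1a36612fdc022ac9300428a21742de93e197c478be36c232dcf3d0": "jFjNiFf01843.exe (dropped copy)",
    "0996c02c797b31b36571b0e1980e9bc77441e63de8b2a21f21598b4399013337": "jFjNiFf01843 (64-byte data file)",
}
C2_HOST = "91.193.194.40"
# Both observed URLs share the host, a PHP script and an affid query parameter.
C2_PATH_RE = re.compile(r"^/(install|lurl)\.php$")
# Assumption: the five-digit suffix (01843) is the affid, so other installs
# may use a different number with the same jFjNiFf prefix.
DROP_NAME_RE = re.compile(r"^jFjNiFf\d{5}(\.exe)?$", re.IGNORECASE)
URL_RE = re.compile(r"https?://\S+")


def sha256_of_file(path, chunk=1 << 16):
    """Stream a file through SHA256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_tree(root, known=KNOWN_SHA256):
    """Walk root and return (path, sha256, reasons) for every file that matches
    a known hash or sits in the dropper's <jFjNiFfNNNNN>/<jFjNiFfNNNNN[.exe]> layout."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        parent = os.path.basename(dirpath)
        for name in files:
            path = os.path.join(dirpath, name)
            digest = sha256_of_file(path)
            reasons = []
            if digest in known:
                reasons.append("hash: " + known[digest])
            if DROP_NAME_RE.match(name) and DROP_NAME_RE.match(parent):
                reasons.append("name: dropper directory layout")
            if reasons:
                hits.append((path, digest, reasons))
    return hits


def c2_affid(url):
    """Return the affid string ('' if absent) when url matches the observed
    check-in pattern on the C2 host, otherwise None."""
    parts = urlsplit(url)
    if parts.hostname != C2_HOST or not C2_PATH_RE.match(parts.path):
        return None
    return parse_qs(parts.query).get("affid", [""])[0]


def scan_proxy_log(lines):
    """Return (line_number, url, affid) for every log line containing a C2 URL."""
    hits = []
    for n, line in enumerate(lines, 1):
        for url in URL_RE.findall(line):
            affid = c2_affid(url.rstrip('"'))
            if affid is not None:
                hits.append((n, url, affid))
    return hits


# Constructed Squid-style access.log lines; not real traffic.
SAMPLE_LOG = [
    "1302490918.001 120 10.0.0.5 TCP_MISS/200 512 GET http://91.193.194.40/install.php?affid=01843 - DIRECT/91.193.194.40 text/html",
    "1302490919.002 80 10.0.0.5 TCP_MISS/200 200 GET http://91.193.194.40/lurl.php?affid=01843 - DIRECT/91.193.194.40 text/html",
    "1302490920.003 30 10.0.0.7 TCP_HIT/200 4096 GET http://www.example.com/index.html - NONE/- text/html",
    "1302490921.004 25 10.0.0.5 TCP_MISS/200 100 GET http://91.193.194.40/other.php?affid=99999 - DIRECT/91.193.194.40 text/html",
]


def build_demo_tree():
    """Create a constructed directory mimicking the drop location (placeholder
    content, not the real binary) and return its root."""
    root = tempfile.mkdtemp(prefix="fakeav_demo_")
    drop = os.path.join(root, "Application Data", "jFjNiFf01843")
    os.makedirs(drop)
    with open(os.path.join(drop, "jFjNiFf01843.exe"), "wb") as f:
        f.write(b"MZ placeholder, not the real sample\n")
    with open(os.path.join(root, "readme.txt"), "w") as f:
        f.write("benign\n")
    return root


if __name__ == "__main__":
    for path, digest, reasons in scan_tree(build_demo_tree()):
        print(path, digest, reasons)
    for n, url, affid in scan_proxy_log(SAMPLE_LOG):
        print("line %d: %s (affid=%s)" % (n, url, affid))
```

The log scan is deliberately strict on the path (install.php or lurl.php); if you would rather alert on any contact with the host, drop the C2_PATH_RE check in c2_affid and treat the affid as optional context. Note that the fourth sample line, same host but a different script, is not flagged by the strict version.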