I downloaded the file off:
https://bitcointalk.org/index.php?topic=353317.20 -> malware://ge.tt/7b0tCb71/v/0
MD5SUM (as printed by md5sum: the line starts with a backslash and the backslash in the path is doubled because the file name contains one, so the hash itself is 373a8c958464d1fb665755e9ea2500b4):
\373a8c958464d1fb665755e9ea2500b4 *Downloads\\BitCoin Miner.exe
It is a self-extracting RAR archive (proof). Inside, there are several suspicious-looking files.
The VBS that gets launched contains this code:
CreateObject("WScript.Shell").Exec "cMegS.exe mzBrYaXnW.SIM"
cMegS.exe is a renamed AutoIt interpreter, and mzBrYaXnW.SIM is the AutoIt script, padded with blank lines so it is not easily read.
Let's clean it up by dropping the blank lines (findstr treats ".." as a regular expression, so only lines with at least two characters survive; a one-character line would be lost as well):
>findstr ".." mzBrYaXnW.SIM>malware.au3
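As an added example (not code from the original post), here is a Python version of that blank-line clean-up which also shows where the findstr filter can go wrong. The padded script below is constructed filler standing in for mzBrYaXnW.SIM, not the real file; the function names and the assumption that findstr does not count the CRLF terminator as line content are mine.

```python
# Added example, not code from the original post: a Python stand-in for
# `findstr ".." mzBrYaXnW.SIM>malware.au3`, run on a constructed sample.
# The sample is NOT the real mzBrYaXnW.SIM; its AutoIt lines are invented
# filler, and the two edge-case lines exist only to show where findstr ".."
# and a whitespace-aware filter disagree.

PADDED_SAMPLE = (
    "\r\n\r\n\r\n"
    "#NoTrayIcon\r\n"
    "\r\n\r\n\r\n\r\n"
    "Global $sFile = \"QTj.MUK\"\r\n"
    "   \r\n"                     # whitespace-only line: findstr ".." keeps it
    "\r\n"
    "$i = 1\r\n"
    "1\r\n"                       # one-character line: findstr ".." drops it
    "\r\n\r\n"
    "Func _Load($f)\r\n"
    "\r\n"
    "    Return FileRead($f)\r\n"
    "EndFunc\r\n"
    "\r\n\r\n\r\n"
)


def split_lines(text: str) -> list[str]:
    """Split on CRLF/LF, dropping the terminator, as a line-oriented tool sees it."""
    lines = text.replace("\r\n", "\n").split("\n")
    if lines and lines[-1] == "":      # text ended with a newline: no phantom line
        lines.pop()
    return lines


def findstr_dotdot(text: str) -> list[str]:
    """Emulate `findstr ".." file`.

    findstr uses regular expressions by default, so ".." means "any two
    characters": a line is kept only if its content is at least two
    characters long, whitespace included. (Assumption: the CRLF terminator
    is not counted as content.)
    """
    return [line for line in split_lines(text) if len(line) >= 2]


def strip_padding(text: str) -> list[str]:
    """Drop only lines that are empty or whitespace-only; keep every other line."""
    return [line for line in split_lines(text) if line.strip()]


def compare_filters(text: str) -> dict:
    """Report how the two filters differ on the given script text."""
    by_findstr = findstr_dotdot(text)
    by_strip = strip_padding(text)
    return {
        "total_lines": len(split_lines(text)),
        "findstr_kept": len(by_findstr),
        "strip_kept": len(by_strip),
        # real content that findstr ".." would silently throw away
        "lost_by_findstr": [l for l in by_strip if l not in by_findstr],
        # padding that findstr ".." would leave in the cleaned file
        "padding_kept_by_findstr": [l for l in by_findstr if l not in by_strip],
    }


def clean_file(src: str, dst: str) -> int:
    """Write src without padding lines to dst (CRLF endings); return lines kept."""
    with open(src, encoding="latin-1", newline="") as f:   # no newline translation
        kept = strip_padding(f.read())
    with open(dst, "w", encoding="latin-1", newline="\r\n") as f:
        f.write("\n".join(kept) + "\n")
    return len(kept)


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        print(f"kept {clean_file(sys.argv[1], sys.argv[2])} lines")
    else:
        print(compare_filters(PADDED_SAMPLE))
```

Run it with no arguments to see the comparison on the sample, or with a source and destination path to clean a real padded script. On the sample both filters keep seven lines, but not the same seven: findstr ".." throws away the one-character line "1" (real script content) and keeps the three-space line (padding), which is why a filter that tests line.strip() is the safer clean-up when you intend to read or decompile what is left.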
My AV software recognizes it as Win32/Injector.Autoit.YC
Besides doing some evil things, it decrypts and loads QTj.MUK...
Let's decrypt it ->
https://www.virustotal.com/en/file/7d1d803aeb3f20310c3c1dfb3d09ee44c1c0593764e045a134dbc9561d80d569/analysis/1386574798/

TL;DR - User x55xx77 at https://bitcointalk.org/index.php?topic=353317.20 is distributing malware.