A Census-Taking Trojan?

We recently came across a new threat that is distributed through various adult websites. The Trojan masquerades as a codec that is required to view a video, and when downloaded and executed, displays a fake installer:

The Trojan also creates and executes a dropper executable, which in turn writes a DLL file to the %System% folder. The dropper executable then deletes itself.
The main body of the dropped DLL is encrypted, and to make analysis more difficult, the decryption key itself is encrypted using a value that is unique to the compromised computer. This is not a new idea; we’ve seen this technique used before, for example in the infamous Backdoor.Rustock variants. In this case, the unique value is 16 bytes in length and is generated from the creation times of the System and System Volume Information folders. This unique value is used to encrypt the main DLL decryption key, which is then embedded in the DLL file. As a result, the body of the Trojan cannot easily be decrypted or analyzed on another computer.
When the main DLL is executed, it retrieves the creation times of the System and System Volume Information folders to regenerate the unique value, the same operation it performed when the Trojan was installed. It then uses the unique value to decrypt the main decryption key, which is subsequently used to (continue reading...)
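The following Python model, added here as an illustration and not code from the Trojan or from this blog, shows why an analyst needs the victim machine's own folder timestamps to get anywhere with a sample like this. The post does not say how the 16-byte value is built from the two creation times, how the key is wrapped, or what cipher protects the body; the example assumes the value is the two little-endian FILETIMEs concatenated, that the key is wrapped by XOR, and that the body uses a toy repeating-key XOR with an `MZ` header as the sanity check. Only the dependency on the host's System and System Volume Information creation times mirrors the write-up; all timestamps and key bytes are constructed.

```python
"""
Model of an environment-keyed unpacking scheme (illustrative, not the Trojan's code).

Assumptions (none are stated in the write-up):
  * machine value = FILETIME(System ctime) || FILETIME(System Volume Information ctime),
    each 8 bytes little-endian, giving the 16 bytes the post mentions;
  * the DLL's real key is wrapped with the machine value by XOR;
  * the DLL body is protected by a repeating-key XOR and starts with an "MZ" PE header.
"""
from datetime import datetime, timezone
from typing import Optional

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def to_filetime(dt: datetime) -> int:
    """Windows FILETIME: count of 100-nanosecond intervals since 1601-01-01 UTC.
    An analyst who has the creation times from a forensic image converts them here."""
    delta = dt - EPOCH_1601
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def machine_value(system_ctime: datetime, svi_ctime: datetime) -> bytes:
    """Assumed layout: two little-endian FILETIMEs concatenated -> 16 bytes."""
    return (to_filetime(system_ctime).to_bytes(8, "little")
            + to_filetime(svi_ctime).to_bytes(8, "little"))


def xor_bytes(a: bytes, b: bytes) -> bytes:
    assert len(a) == len(b)
    return bytes(x ^ y for x, y in zip(a, b))


def wrap_key(dll_key: bytes, mv: bytes) -> bytes:
    """What the installer would do: bind the real key to this machine (assumed XOR wrap)."""
    return xor_bytes(dll_key, mv)


def unwrap_key(wrapped: bytes, mv: bytes) -> bytes:
    """What the DLL does at run time, and what an analyst must reproduce offline."""
    return xor_bytes(wrapped, mv)


def xor_stream(data: bytes, key: bytes) -> bytes:
    """Toy body cipher (assumed): repeating-key XOR, symmetric for encrypt/decrypt."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decrypt_body(encrypted: bytes, wrapped_key: bytes,
                 system_ctime: datetime, svi_ctime: datetime) -> Optional[bytes]:
    """Recover the DLL body using the supplied folder creation times.
    Returns None if the result does not look like a PE image, i.e. the
    timestamps did not come from the machine the sample was installed on."""
    key = unwrap_key(wrapped_key, machine_value(system_ctime, svi_ctime))
    body = xor_stream(encrypted, key)
    return body if body.startswith(b"MZ") else None


# --- constructed sample: what an analyst would carve from a compromised host ---
VICTIM_SYSTEM_CTIME = datetime(2011, 3, 14, 9, 26, 53, tzinfo=timezone.utc)   # constructed
VICTIM_SVI_CTIME = datetime(2011, 3, 14, 9, 31, 7, tzinfo=timezone.utc)       # constructed
DLL_KEY = bytes(range(0x10, 0x20))                                            # constructed 16-byte key
PLAIN_BODY = b"MZ" + b"\x90" * 14 + b"constructed DLL body for the demo"       # constructed

ENCRYPTED_BODY = xor_stream(PLAIN_BODY, DLL_KEY)
WRAPPED_KEY = wrap_key(DLL_KEY, machine_value(VICTIM_SYSTEM_CTIME, VICTIM_SVI_CTIME))

# Timestamps of the analyst's own sandbox, which differ from the victim's.
ANALYST_SYSTEM_CTIME = datetime(2012, 7, 1, 12, 0, 0, 500000, tzinfo=timezone.utc)  # constructed
ANALYST_SVI_CTIME = datetime(2012, 7, 1, 12, 2, 30, 500000, tzinfo=timezone.utc)    # constructed


def demo() -> dict:
    """Run both scenarios and report whether the body could be recovered."""
    on_victim = decrypt_body(ENCRYPTED_BODY, WRAPPED_KEY, VICTIM_SYSTEM_CTIME, VICTIM_SVI_CTIME)
    on_sandbox = decrypt_body(ENCRYPTED_BODY, WRAPPED_KEY, ANALYST_SYSTEM_CTIME, ANALYST_SVI_CTIME)
    return {"victim_timestamps": on_victim is not None,
            "sandbox_timestamps": on_sandbox is not None}


if __name__ == "__main__":
    print(demo())
```

The practical point for incident response is the last function: running the DLL in a clean sandbox regenerates a different 16-byte value, so the unwrapped key and therefore the body are garbage. Capturing the creation times of those two folders from the affected machine (or the whole volume image) before wiping it is what makes offline analysis possible, whatever the real derivation and cipher turn out to be.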

Copyright © 2012 The Security Blog. All rights reserved.