Also from an anti virus expert;
“That’s after a long time after ZMist one of the “best” viruses i’ve seen.
It’s indeed highly complex - the encryption algo is medium difficult and the virus uses a lot of tricks. I’ve here some samples with nice antiemulation tricks, such as code performance speed tests (meaning the virus will know when it runs in a virtual environment) and registry dummy - writing tricks, such as trying to write a random value to the registry and trying to read it later and compare it. If not equ or if it doesn’t exist the virus exits. The virus is able to act as space filler, same technic was used by the tschernobyl virus already (CIH). The virus is able to use EPO functionallity, it looks for common API calls after the entry point and hooks/redirects them. Means the virus does not execute its own code/decrypter at a fixed position after the entry point.”
It’s apparently very difficult to clean.