Symantec released some information on a malware affecting the Energy industry. There is nothing new about this malware as far as where is is found. It places files in the %AppData% directory with a random name like "azioklmpx" and then uses Windows system names for the malware. See the excerpt from the Symantec article below.
If you practice Malware Management then you would already be watching this location for new executables. Notably executables that look and are named like typical Windows executables. These names are NOT normal in the User space of AppData.
Infection
The Trojan hides itself in the %SystemDrive%\Documents and Settings\All Users\Application Data\System\Oracle directory, making new folders and renaming itself with well-known file names such as:
%SystemDrive%\Documents and Settings\All Users\Application Data\System\Oracle\azioklmpx\search.exe
%SystemDrive%\Documents and Settings\All Users\Application Data\System\Oracle\azioklmpx\ati.exe
%SystemDrive%\Documents and Settings\All Users\Application Data\System\Oracle\azioklmpx\lsass.exe
%SystemDrive%\Documents and Settings\All Users\Application Data\System\Oracle\azioklmpx\smss.exe
%SystemDrive%\Documents and Settings\All Users\Application Data\System\Oracle\azioklmpx\admin.exe
%SystemDrive%\Documents and Settings\All Users\Application Data\System\Oracle\azioklmpx\key.exe
%SystemDrive%\Documents and Settings\All Users\Application Data\System\Oracle\azioklmpx\taskmgr.exe
%SystemDrive%\Documents and Settings\All Users\Application Data\System\Oracle\azioklmpx\chrome.exe
Happy Hunting
@HackerHurricane