Board Altcoin Discussion
Re: Wallet stealer in MouseCoin-qt.exe
by
substratum
on 13/03/2014, 02:09:34 UTC
A friend of mine who mines scrypt coins, but who otherwise isn't that geeky, discovered an oddly named hidden .zip file in his C: root directory (2014Äê2ÔÂ13ÈÕ18ʱ45·Ö.zip - he doesn't have Cyrillic script installed). In it are contained the wallet.dat files for all his cryptocoins (renamed to Bitcoin.dat, Litecoin.dat, etc.).

The filename isn't Russian, it's a date/time in Chinese. The trojan sends the wallet files to 23.239.111.68 on TCP port 12730. That IP is assigned to a "Wei Cheng":

Code:
[support.gorillaservers.com]
%rwhois V-1.0,V-1.5:00090h:00 support.gorillaservers.com (Ubersmith RWhois Server V-2.4.0)
autharea=23.239.96.0/19
xautharea=23.239.96.0/19
network:Class-Name:network
network:Auth-Area:23.239.96.0/19
network:ID:NET-2827.23.239.111.64/27
network:Network-Name:23.239.111.64/27
network:IP-Network:23.239.111.64/27
network:IP-Network-Block:23.239.111.64 - 23.239.111.95
network:Org-Name:cheng, wei

That IP was also listed as a static node in the QT configuration file for JunnonCoin, a Chinese altcoin:

https://bitcointalk.org/index.php?topic=413045.0

I'm going to go ahead and say this is a Chinese wallet-stealing operation, not Russian.
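Triage helpers for the indicators described in this post, added here as an example and not taken from the post or from any analysis the poster did. The script does three things a responder would want: it reverses the mojibake in the archive name (GBK bytes displayed as Latin-1/cp1252, which is the assumed cause of the "Äê...ÔÂ" garbling; the 时 character is assumed to have been shown as "Ê±", a variant of how the page renders it) and pulls the Chinese date/time out of it, scans a directory for .zip files that contain renamed wallet files, and flags connection-log lines whose destination is 23.239.111.68 on TCP 12730. The wallet-name list, the log-line format and the sample log lines are constructed assumptions for the example.

```python
"""Triage helpers for the wallet-stealer indicators in the post above.
Added example, not code from the original post."""
import datetime
import os
import re
import tempfile
import zipfile

# Indicators taken from the post.
EXFIL_IP = "23.239.111.68"
EXFIL_PORT = 12730
# Names the trojan reportedly gives the stolen wallets inside the archive.
# Assumed list: the post names only Bitcoin.dat and Litecoin.dat.
WALLET_NAMES = {"bitcoin.dat", "litecoin.dat", "dogecoin.dat", "wallet.dat"}


def decode_mojibake_filename(name, source_codepage="gbk", shown_as="latin-1"):
    """Reverse the classic mojibake: a GBK filename displayed byte-by-byte as
    Latin-1. Returns the decoded name, or None if the bytes are not valid GBK."""
    try:
        return name.encode(shown_as).decode(source_codepage)
    except (UnicodeEncodeError, UnicodeDecodeError):
        return None


CN_DATETIME = re.compile(r"(\d{4})年(\d{1,2})月(\d{1,2})日(\d{1,2})时(\d{1,2})分")


def parse_chinese_datetime(name):
    """Extract the timestamp from a name like 2014年2月13日18时45分.zip."""
    m = CN_DATETIME.search(name)
    if not m:
        return None
    year, month, day, hour, minute = (int(x) for x in m.groups())
    return datetime.datetime(year, month, day, hour, minute)


def find_wallet_archives(root):
    """Return (path, [wallet members]) for every zip directly under root
    whose members look like renamed wallet.dat files."""
    hits = []
    for entry in sorted(os.listdir(root)):
        path = os.path.join(root, entry)
        if not entry.lower().endswith(".zip") or not zipfile.is_zipfile(path):
            continue
        with zipfile.ZipFile(path) as zf:
            names = [n for n in zf.namelist()
                     if os.path.basename(n).lower() in WALLET_NAMES]
        if names:
            hits.append((path, names))
    return hits


# Assumed log format: "... <src>:<sport> -> <dst>:<dport> ..."
LOG_LINE = re.compile(
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+)\s*->\s*"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)")


def flag_exfil_connections(log_lines):
    """Return the lines whose destination matches the stealer's IP and port."""
    flagged = []
    for line in log_lines:
        m = LOG_LINE.search(line)
        if m and m.group("dst") == EXFIL_IP and int(m.group("dport")) == EXFIL_PORT:
            flagged.append(line)
    return flagged


def build_sample_case(root=None):
    """Constructed test data: one stolen-wallet archive plus a benign zip."""
    root = root or tempfile.mkdtemp()
    with zipfile.ZipFile(os.path.join(root, "loot.zip"), "w") as zf:
        zf.writestr("Bitcoin.dat", b"\x00" * 16)
        zf.writestr("Litecoin.dat", b"\x00" * 16)
    with zipfile.ZipFile(os.path.join(root, "photos.zip"), "w") as zf:
        zf.writestr("holiday.jpg", b"\xff\xd8")
    return root


# Constructed connection-log lines (not real traffic).
SAMPLE_LOG = [
    "2014-02-13 18:46:02 TCP 192.168.1.20:49213 -> 23.239.111.68:12730 SYN",
    "2014-02-13 18:46:05 TCP 192.168.1.20:49214 -> 93.184.216.34:443 SYN",
    "2014-02-13 18:47:11 UDP 192.168.1.20:9333 -> 23.239.111.68:9333",
]

if __name__ == "__main__":
    decoded = decode_mojibake_filename("2014Äê2ÔÂ13ÈÕ18Ê±45·Ö.zip")
    print(decoded, parse_chinese_datetime(decoded))
    print(find_wallet_archives(build_sample_case()))
    print(flag_exfil_connections(SAMPLE_LOG))
```

The decoded name gives the time the archive was packed in the attacker's own notation, which is worth correlating against the connection timestamps; the port match is deliberately exact, since 23.239.111.68 is also reported above as a coin node, so traffic to it on other ports is not by itself evidence of theft.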