June 5th, 2006, 02:57 PM
#16
This is a non-technical account of what's going on when screwing with the trojan file.
During an attempt to download the file from AntiOnline, it gets flagged as a variant of the IRC/SdBot trojan.
If I allow the download, once saved, the picture005.zip file gets flagged as a variant of Win32/TrojanDownloader.Adload.NAI.
When double-clicking on the zipped file, I find the picture005.pif file.
Extracting and double-clicking on the picture005.pif file sends a download command to an Apache server at IP 209.188.31.15, which downloads the comhost.zip file (WinRAR'd), expands it and installs comhost.exe, manager.exe, mc-110-12-0000488.exe and msnupdate.exe.
It installs (among other things) a c:\windows\wmiapsv.exe process at PID 3848 which I killed a couple times (for the fun of it) and a WinRAR self-extracting archive window popped up screaming,
Extracting manager.exe
Extracting mc-110-12-0000488.exe
Extracting msnupdate.exe
CRC failed in msnupdate.exe
Unexpected end of archive
**Whoops....sorry if I punched the Trojan in the eye... My bad!
Basically, the trojan installs a protected kernel process which re-replicates the basic trojan install in case of problems.
Comhost.exe, itself, is a UPX executable and packed with UPX version 1.20.
Comhost.exe contains (and is not limited to) the following:
A S K N E X T V O L G E T P A S S W O R D 1 L I C E N S E D L G R E N A M E D L G R E P L A C E F I L E D L G S T A R T D L G D V C L A L
Some more Comhost.exe fun:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Roshal.WinRAR.WinRAR" type="win32" /> <description>WinRAR archiver.</description> <dependency> <dependentAssembly> <assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df" language="*" /> </dependentAssembly> </dependency> </assembly>
****I noticed that this trojan writer has access/used Soft-Ice, a kernel mode debugger which dates back to the late 80's. Evidently he/she/they know a bit about programming.****
For kicks, IP 209.188.31.15 has a few open ports (not all inclusive):
209.188.31.15 80 TCP Server: Apache/1.3.33 (Debian GNU/Linux) PHP/4.3.10-16 World Wide Web HTTP
209.188.31.15 21 TCP File Transfer [Control]
209.188.31.15 22 TCP SSH Remote Login Protocol
209.188.31.15 25 TCP Simple Mail Transfer
209.188.31.15 113 TCP Authentication Service
209.188.31.15 199 TCP SMUX
209.188.31.15 389 UDP Lightweight Directory Access Protocol
209.188.31.15 6838 UDP Possible is used by trojan (UDP) - Mstream
I don't have time today to give a step-by-step listing of what it actually does; I must get back to work.
Have fun.
ZT3000
Beta tester of "0"s and "1"s"
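Added triage example, not code from the post or from AntiOnline: a small Python script that parses a PE file's section table to flag the UPX packing the post reports for comhost.exe and scans the raw bytes for the WinRAR SFX manifest identity quoted above. The UPX0/UPX1/UPX2 section names are the ones UPX normally leaves behind (my assumption as the detection heuristic), and build_sample is a constructed header-only PE skeleton for offline testing, not a real binary.

```python
import struct

UPX_SECTIONS = {b"UPX0", b"UPX1", b"UPX2"}          # section names UPX normally leaves behind (assumed heuristic)
SFX_MARKER = b'name="Roshal.WinRAR.WinRAR"'         # assemblyIdentity from the manifest quoted in the post


def pe_section_names(data: bytes) -> list:
    """Parse the raw PE headers and return the section names (no third-party dependencies)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    sect_off = pe_off + 24 + opt_size                          # section table follows the optional header
    names = []
    for i in range(num_sections):
        raw = data[sect_off + 40 * i:sect_off + 40 * i + 8]    # 40-byte IMAGE_SECTION_HEADER, 8-byte Name
        if len(raw) < 8:
            raise ValueError("truncated section table")
        names.append(raw.rstrip(b"\0").decode("latin-1"))
    return names


def triage(data: bytes) -> dict:
    """Flag the two traits the post reports for comhost.exe: UPX packing and a WinRAR SFX manifest."""
    names = pe_section_names(data)
    return {
        "sections": names,
        "upx_packed": any(n.encode() in UPX_SECTIONS for n in names),
        "winrar_sfx_manifest": SFX_MARKER in data,    # the post saw this string in the clear in the packed file
    }


def build_sample(section_names, tail: bytes = b"") -> bytes:
    """Constructed test input: a minimal PE skeleton (headers only, not executable) with the given sections."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                    # e_lfanew: PE header right after the DOS header
    # IMAGE_FILE_HEADER: Machine=i386, NumberOfSections, three zeroed dwords, SizeOfOptionalHeader=0, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0x0102)
    body = b"PE\0\0" + coff
    for name in section_names:
        body += name.ljust(8, b"\0") + b"\0" * 32              # remainder of the section header zeroed
    return bytes(dos) + body + tail


if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as fh:
        print(triage(fh.read()))
```

Run it against a suspect file to get the section list plus the two flags; a UPX section name alone is only a packer indicator, so treat the result as a triage hint rather than a verdict.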