The Moth Trojan

The Moth Trojan is a very interesting trojan since it is the first one I have seen written in WMI (Windows Management Instrumentation), a place where I have seen very little forensic information, and probably this concept is in use in the wild. This type of trojan is easy to detect due to the way it inserts itself into the WMI namespace, but let's be honest: how many HIPS, AV and admins check the WMI namespace for changes?
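
One way to run the namespace check mentioned above, as an added example that is not part of the original post: it snapshots the classes and permanent event subscription instances in a WMI namespace and reports differences against a saved baseline. The post does not say which objects the trojan creates, so the choice of `root\subscription`, the three subscription classes, and the baseline path are assumptions.

```powershell
# Added example: snapshot a WMI namespace and diff it against a saved baseline.
# Assumed values (not from the post): the namespace and the baseline path.
# Run elevated; reading root\subscription normally requires administrator rights.
param(
    [string]$Namespace    = 'root\subscription',
    [string]$BaselinePath = "$env:ProgramData\wmi-namespace-baseline.txt"
)

function Get-WmiNamespaceSnapshot {
    param([string]$Namespace)
    $entries = @()
    # Every class defined in the namespace, so a newly registered class shows up.
    foreach ($class in Get-CimClass -Namespace $Namespace) {
        $entries += "class|$($class.CimClassName)"
    }
    # Instances of the permanent event subscription classes (consumers derive
    # from __EventConsumer, so querying the base class returns all of them).
    foreach ($name in '__EventFilter', '__EventConsumer', '__FilterToConsumerBinding') {
        $instances = Get-CimInstance -Namespace $Namespace -ClassName $name -ErrorAction SilentlyContinue
        foreach ($inst in $instances) {
            $props = $inst.CimInstanceProperties | Sort-Object Name |
                ForEach-Object { "$($_.Name)=$($_.Value)" }
            # Collapse whitespace so each entry stays on one line in the baseline file.
            $entries += ("instance|$($inst.CimSystemProperties.ClassName)|" + ($props -join ';')) -replace '\s+', ' '
        }
    }
    $entries | Sort-Object -Unique
}

$current = @(Get-WmiNamespaceSnapshot -Namespace $Namespace)

if (-not (Test-Path -Path $BaselinePath)) {
    # First run: record the known-good state.
    Set-Content -Path $BaselinePath -Value $current -Encoding UTF8
    Write-Output "Baseline created with $($current.Count) entries: $BaselinePath"
    return
}

$baseline = @(Get-Content -Path $BaselinePath -Encoding UTF8)
$changes  = @(Compare-Object -ReferenceObject $baseline -DifferenceObject $current)
foreach ($change in $changes) {
    $kind = if ($change.SideIndicator -eq '=>') { 'ADDED' } else { 'REMOVED' }
    Write-Output "$kind $($change.InputObject)"
}
if ($changes.Count -eq 0) { Write-Output "No changes in $Namespace since baseline." }
```

Take the baseline on a host in a known-good state and keep it somewhere the monitored host cannot modify; pass `-Namespace` to cover other namespaces such as `root\cimv2`.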