
View Full Version : Detection for Rogue.Antivirus2008



NJones
2008-07-25, 13:11
Hi guys,
I have just read that a lot of users are having problems with Antivirus2008, which is not detected by Spybot yet.
So I tried to create some detection rules with the Spybot OpenSBI Editor. I am not sure if I did everything right, so I will publish them here:



:: Rogue.Antivirus2008
// {Cat:Malware}{Cnt:1}
// {Det:N.Jones,2008-07-25}
RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\","rhc553j0e9cv"
UninstallByKey:"rhc553j0e9cv","0"
RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform\","AntivirXP08"
AutoRun:"SMrhc553j0e9cv","<$PROGRAMFILES>\rhc553j0e9cv\rhc553j0e9cv.exe","filesize>=6000000,filesize<=15000000"
StartmenuItem:"Antivirus XP 2008.lnk","<$PROGRAMFILES>\rhc553j0e9cv\*.exe","filesize>=1,filesize<=5000"
StartmenuItem:"How to Register Antivirus XP 2008.lnk","filesize>=1,filesize<=5000"
StartmenuItem:"License Agreement.lnk","<$PROGRAMFILES>\rhc553j0e9cv\license.txt","filesize>=1,filesize<=5000"
StartmenuItem:"Register Antivirus XP 2008.lnk","filesize>=1,filesize<=5000"
StartmenuItem:"Uninstall.lnk","<$PROGRAMFILES>\rhc553j0e9cv\Uninstall.exe","filesize>=1,filesize<=5000"
File:"<$FILE_DATA>","<$PROGRAMFILES>\rhc553j0e9cv\database.dat","filesize>=1000,filesize<=3000"
File:"<$FILE_TEXT>","<$PROGRAMFILES>\rhc553j0e9cv\license.txt","filesize=19052,md5=A4CEABD89CABE614F390DD8C7E1B26D2"
File:"<$FILE_EXE>","<$PROGRAMFILES>\rhc553j0e9cv\*.exe","filesize>=600000,filesize<=20000000"
File:"<$FILE_DATA>","<$PROGRAMFILES>\rhc553j0e9cv\rhc553j0e9cv.exe.local","filesize<=1"
DesktopIcon:"Antivirus XP 2008.lnk","<$PROGRAMFILES>\rhc553j0e9cv\*.exe","filesize>=1,filesize<=5000"
QuickLaunchIcon:"Antivirus XP 2008.lnk","<$PROGRAMFILES>\rhc553j0e9cv\*.exe","filesize>=1,filesize<=5000"
File:"<$FILE_EXE>","<$SYSDIR>\*.exe","filesize=94208,md5=CE2A2A5A6F1E7A5D6FA31F5277EAB9AB"
Directory:"<$DIR_PROG>","<$APPDATA>\rhc553j0e9cv\Quarantine\Autorun\HKCU","filename=<$PROGRAMFILES>\rhc553j0e9cv\database.dat"
Directory:"<$DIR_PROG>","<$APPDATA>\rhc553j0e9cv\Quarantine\Autorun\HKCU\RunOnce","filename=<$PROGRAMFILES>\rhc553j0e9cv\database.dat"
Directory:"<$DIR_PROG>","<$APPDATA>\rhc553j0e9cv\Quarantine\Autorun\HKLM","filename=<$PROGRAMFILES>\rhc553j0e9cv\database.dat"
Directory:"<$DIR_PROG>","<$APPDATA>\rhc553j0e9cv\Quarantine\Autorun\HKLM\RunOnce","filename=<$PROGRAMFILES>\rhc553j0e9cv\database.dat"
Directory:"<$DIR_PROG>","<$APPDATA>\rhc553j0e9cv\Quarantine\Autorun\StartMenuAllUsers","filename=<$PROGRAMFILES>\rhc553j0e9cv\database.dat"
Directory:"<$DIR_PROG>","<$APPDATA>\rhc553j0e9cv\Quarantine\Autorun\StartMenuCurrentUser","filename=<$PROGRAMFILES>\rhc553j0e9cv\database.dat"
Directory:"<$DIR_PROG>","<$APPDATA>\rhc553j0e9cv\Quarantine\Autorun","filename=<$PROGRAMFILES>\rhc553j0e9cv\database.dat"
Directory:"<$DIR_PROG>","<$APPDATA>\rhc553j0e9cv\Quarantine\BrowserObjects","filename=<$PROGRAMFILES>\rhc553j0e9cv\database.dat"
Directory:"<$DIR_PROG>","<$APPDATA>\rhc553j0e9cv\Quarantine\Packages","filename=<$PROGRAMFILES>\rhc553j0e9cv\database.dat"
Directory:"<$DIR_PROG>","<$APPDATA>\rhc553j0e9cv\Quarantine","filename=<$PROGRAMFILES>\rhc553j0e9cv\database.dat"
Directory:"<$DIR_PROG>","<$APPDATA>\rhc553j0e9cv","filename=<$PROGRAMFILES>\rhc553j0e9cv\database.dat"
Directory:"<$DIR_PROG>","<$PROGRAMFILES>\rhc553j0e9cv","filename=database.dat"
Directory:"<$DIR_PROG>","<$COMMONPROGRAMS>\Antivirus XP 2008"
DownloadFile:"*.exe","filesize=1394196,md5=C5B6DD099BCEAAC80510BEADDF1C0312"


Maybe somebody can have a look at it and give me some feedback.

regards,
N.Jones
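As an added illustration (my own code, not part of the thread and not Spybot's parser), here is a small Python evaluator for the File: rules in the post above. It assumes the rule semantics as they read: a wildcard path pattern plus filesize=/>=/<= and md5= conditions that must all hold, with the <$PROGRAMFILES> and <$SYSDIR> placeholders expanded to assumed default paths. It also shows why the <$SYSDIR>\*.exe rule, which cannot rely on a fixed directory name, needs the exact size and hash to fire.

```python
import fnmatch
import re
from dataclasses import dataclass
# Assumed expansions for the placeholders used in the posted rules.
VARS = {"<$PROGRAMFILES>": r"C:\Program Files", "<$SYSDIR>": r"C:\Windows\System32"}

# Rules copied from the post above; the <$SYSDIR> one pins exact size and md5 instead of a directory name.
SAMPLE_RULES = [
    r'File:"<$FILE_TEXT>","<$PROGRAMFILES>\rhc553j0e9cv\license.txt","filesize=19052,md5=A4CEABD89CABE614F390DD8C7E1B26D2"',
    r'File:"<$FILE_EXE>","<$PROGRAMFILES>\rhc553j0e9cv\*.exe","filesize>=600000,filesize<=20000000"',
    r'File:"<$FILE_EXE>","<$SYSDIR>\*.exe","filesize=94208,md5=CE2A2A5A6F1E7A5D6FA31F5277EAB9AB"',
]
RULE_RE = re.compile(r'^File:"([^"]*)","([^"]*)","([^"]*)"$')
COND_RE = re.compile(r"^(filesize|md5)(>=|<=|=)(\w+)$")

@dataclass
class FileRecord:  # one file as a scanner would see it (constructed sample input)
    path: str
    size: int
    md5: str

def parse_rule(line):
    """-> (expanded path pattern, [(field, op, value), ...])"""
    m = RULE_RE.match(line)
    if not m:
        raise ValueError(f"not a File: rule: {line}")
    _kind, pattern, conds = m.groups()
    for key, val in VARS.items():
        pattern = pattern.replace(key, val)
    parsed = [COND_RE.match(c) for c in conds.split(",")]
    if not all(parsed):
        raise ValueError(f"unsupported condition in: {conds}")
    return pattern, [p.groups() for p in parsed]

def matches(rule, rec):  # path must fit the wildcard pattern and every condition must hold
    pattern, conds = rule
    if not fnmatch.fnmatchcase(rec.path.lower(), pattern.lower()):
        return False
    for field, op, val in conds:
        if field == "filesize":
            n = int(val)
            ok = {"=": rec.size == n, ">=": rec.size >= n, "<=": rec.size <= n}[op]
        else:  # md5 is only meaningful with "="
            ok = op == "=" and rec.md5.upper() == val.upper()
        if not ok:
            return False
    return True

def scan(records, rules=SAMPLE_RULES):  # paths hit by at least one rule
    parsed = [parse_rule(r) for r in rules]
    return [rec.path for rec in records if any(matches(p, rec) for p in parsed)]
```

A system-directory executable of the right size but a different hash does not match, which is the intended behaviour when the rule cannot name the file.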

Buster
2008-07-25, 14:13
Welcome NJones and thanks for sharing these detection rules. Looks quite good so far. But I guess this ID "rhc553j0e9cv" isn't static. Can you send these files to detections@spybot.info?

NJones
2008-07-25, 20:50
Hello Buster,
I just sent the files to the email address you mentioned. Before I made my detection rules, I installed the samples twice in a virtual machine. Both times the ID was the same, but I am quite sure that it will change soon. Is there a way to use wildcards for directories? Or is there another way I could detect this stuff without using the static name? Additionally, I am not sure if I used the correct syntax for the startmenu rules (is it correct to use the file range that way?).

I am looking forward to hearing from you.

regards,
N.Jones

MisterW
2008-07-29, 15:21
Hello N.Jones
If you used the same VMware machine for both of your tests, that could be the reason why the name of the directories was the same.
The file range you used for your startmenu rules is very big. I think it should be ok to use a smaller one, but the syntax is correct.

regards,
Markus