optimized detection rules
Category: Trojan
Code:
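:: Different Malware - updated v3
// Revision 1
// {Cat:Trojan}{Cnt:1}
// {Det:Matt,2009-05-09}
//
// Detection/removal rule set in Spybot-style include syntax. Each non-comment line is one
// command; the command types used in this set are:
//   RegyValue   - flags a registry value under the given hive and key; where a last argument
//                 is present it appears to be the exact "name=data" string that must match.
//   RegyKey     - flags a whole registry key (used here for BHO and CLSID registrations).
//   RegyRemove  - removes only the listed fragment from a shared, multi-entry value
//                 (UserInit, AppInit_DLLs) so the legitimate part of the value stays intact.
//   AutoRun     - flags an autorun entry by name and file in one line and looks in several
//                 autorun locations; "flagifnofile=1" presumably also flags the entry when the
//                 referenced file is already gone (confirm against the include documentation).
//   File        - flags a file of the given category at the given path.
// <$SYSDIR>, <$WINDIR> and <$LOCALSETTINGS> are the placeholders for the system, Windows and
// per-user "Local Settings" directories (compare the hard-coded forms C:\WINDOWS\system32,
// C:\WINDOWS and C:\DOCUME~1\<user>\LOCALS~1 that earlier revisions of this set used); using
// them keeps the rules independent of the install drive and of one particular user profile.

// Smitfraud:
RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","cinnamomum","cinnamomum={93ac7c30-3878-4eaa-9420-7977285df5b1}"

// Use RegyRemove; remove "userinit" from "UserInit" entries, and "explorer.exe" from "Shell" entries.
// In the following, "ntos.exe" is Trojan.Downloader-AWJ and "codeblocks.exe" is Trojan.Spambot.2424:
// Only the malicious path is stripped from the comma-separated UserInit value; the legitimate
// userinit.exe entry must survive, because a broken UserInit value prevents interactive logon.
RegyRemove:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\","UserInit","<$SYSDIR>\ntos.exe"
RegyRemove:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\","UserInit","<$SYSDIR>\codeblocks.exe"

// Kept for reference only: the complete infected UserInit value as observed.
// RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\","UserInit","UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,C:\WINDOWS\system32\codeblocks.exe,"
// Choose the BrowserHelperEx variant to flag the file as well, unless name is "(no name)".
//BrowserHelperEx:"(no name)","flagfile=1"
// Virtumonde:
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{97b1987b-3b13-44c3-8dcd-e64b775a8ab9}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{97b1987b-3b13-44c3-8dcd-e64b775a8ab9}"

// The following entry is Trojan-Downloader.Win32.Agent.brhg, a.k.a. Trojan:Win32/Ertfor.A:
//BrowserHelperEx:"C:\WINDOWS\system32\sdfgerfgf3f.dll","flagfile=1"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{e2ba40a2-74f3-42bd-f434-2604812c8953}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{e2ba40a2-74f3-42bd-f434-2604812c8953}"

// Virtumonde again:
// The AutoRun command flags both in one line and looks in multiple locations; another advantage may be in flagifnofile=1
// <$WINDIR> replaces the hard-coded "C:\WINDOWS" so AutoRun and File refer to the same path.
AutoRun:"Alopozanijud","<$WINDIR>\Lfufiqem.dat","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","Alopozanijud"

File:"<$FILE_EXE>","<$WINDIR>\Lfufiqem.dat"

// Same AutoRun / RegyValue / File triple for each of the following Run entries
// (AutoRun: entry plus file; RegyValue: the Run entry alone; File: the file alone):
AutoRun:"*","<$SYSDIR>\kozezupo.dll","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","75100494"
File:"<$FILE_EXE>","<$SYSDIR>\kozezupo.dll"

AutoRun:"*","<$SYSDIR>\bupufana.dll","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","CPM76233708"
File:"<$FILE_EXE>","<$SYSDIR>\bupufana.dll"

AutoRun:"*","<$SYSDIR>\ronigofu.dll","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","buputiruvo"
File:"<$FILE_EXE>","<$SYSDIR>\ronigofu.dll"

// Trojan:Win32/Ertfor once more:
// <$LOCALSETTINGS> replaces the hard-coded "C:\DOCUME~1\Generic\LOCALS~1\Temp" (one specific
// profile in 8.3 short form) so the rule also matches under other user profiles; the File line
// below already used the placeholder.
AutoRun:"*","<$LOCALSETTINGS>\Temp\poiaw3w.exe","flagifnofile=1"
//i: An empty "" or "*" as the last RegyValue argument is too risky - it produces false positives, see SDDT
//e: RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\",""

File:"<$FILE_EXE>","<$LOCALSETTINGS>\Temp\poiaw3w.exe"

AutoRun:"Windows Resurections","<$LOCALSETTINGS>\Temp\*.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","Windows Resurections"

File:"<$FILE_EXE>","<$LOCALSETTINGS>\Temp\poiaw3w.exe"

// Trojan.Downloader:
// The *.exe wildcard is tied to the Run entry name "Diagnostic Manager" inside AutoRun, which
// keeps it narrower than a File line with the same wildcard would be (see the note below).
AutoRun:"Diagnostic Manager","<$LOCALSETTINGS>\Temp\*.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","Diagnostic Manager"
// The following file name is random; no wildcard is used here on purpose, since a File line
// with "*.exe" would flag every executable in Temp.
File:"<$FILE_EXE>","<$LOCALSETTINGS>\Temp\4162512632.exe"

// Virtumonde:
// AppInit_DLLs is one shared value that may also list legitimate DLLs; RegyRemove strips only
// the named DLL (same idea as the UserInit note above).
// NOTE(review): the File category is <$FILE_WEBPAGE> although these are DLLs; <$FILE_LIBRARY>
// (used for the same file further down) may be the intended category - confirm.
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\bikuhagu.dll"
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\rijolusi.dll"
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\bupufana.dll"
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\deporare.dll"
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\kumeweva.dll"
File:"<$FILE_WEBPAGE>","<$SYSDIR>\bikuhagu.dll"
File:"<$FILE_WEBPAGE>","<$SYSDIR>\rijolusi.dll"
File:"<$FILE_WEBPAGE>","<$SYSDIR>\bupufana.dll"
File:"<$FILE_WEBPAGE>","<$SYSDIR>\deporare.dll"
File:"<$FILE_WEBPAGE>","<$SYSDIR>\kumeweva.dll"
// Shell-service-object (SSODL) and SharedTaskScheduler (STS) load points, each paired with
// the DLL they load:
RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","SSODL","SSODL={EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\bikuhagu.dll"
RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","STS","STS={EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\bikuhagu.dll"

// Trojan:Win32/Ertfor once again:
RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","sdfg54y54yhhgth6w4efvrg","sdfg54y54yhhgth6w4efvrg={E2BA40A2-74F3-42BD-F434-2604812C8953}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\sdfgerfgf3f.dll"
RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","as3iur98wajkef3wgf3","as3iur98wajkef3wgf3={A5AF42A3-94F3-42BD-F634-0604832C897D}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\yaubfh983ind.dll"

// Virtumonde:
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{c3689467-57e8-4291-b526-497572c3d3da}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{c3689467-57e8-4291-b526-497572c3d3da}"

AutoRun:"*","<$SYSDIR>\buhegavu.dll","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","CPM0766f33c"

File:"<$FILE_EXE>","<$SYSDIR>\buhegavu.dll"

AutoRun:"*","<$SYSDIR>\wamejawe.dll","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","0455c0a0"

File:"<$FILE_EXE>","<$SYSDIR>\wamejawe.dll"

// NOTE(review): this AutoRun names the bare system directory with no file name, while the
// File line below targets pakabape.dll, which is probably the intended path - confirm against
// the original sample before changing it.
AutoRun:"niyirafolo","<$SYSDIR>\","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","niyirafolo"

File:"<$FILE_EXE>","<$SYSDIR>\pakabape.dll"
// You NEED the name of this LSP and use it with Winsock, do NOT just use this file command!

// Adjust parameters to remove only bad libraries!

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\buhegavu.dll"
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\lohulatu.dll"
File:"<$FILE_WEBPAGE>","<$SYSDIR>\buhegavu.dll"
File:"<$FILE_WEBPAGE>","<$SYSDIR>\lohulatu.dll"
//
RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","SSODL","SSODL={EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}"

// Fixed: the placeholder on the next two File lines was written "$SYSDIR>" (missing "<"),
// so it is unlikely to have expanded and the file would not have been found.
File:"<$FILE_LIBRARY>","<$SYSDIR>\buhegavu.dll"
RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","STS","STS={EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\buhegavu.dll"
// This is again Trojan:Win32/Ertfor:
RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","KJhaiufhw3nrih7wefywjfsdfd","KJhaiufhw3nrih7wefywjfsdfd={D5BF49A2-94F1-42BD-F434-3604812C807D}"
// BrowserHelperEx:"C:\WINDOWS\system32\afnoinkdsfe.dll","flagfile=1"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{C2BA40A1-74F3-42BD-F434-12345A2C8953}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{C2BA40A1-74F3-42BD-F434-12345A2C8953}"
// Note the .dll extension: the legitimate autochk is an .exe, this entry is not it.
AutoRun:"autochk","<$SYSDIR>\autochk.dll","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","autochk"

File:"<$FILE_EXE>","<$SYSDIR>\autochk.dll"
// NOTE(review): "C:\DOCUME~1\NETTER~1" is one specific user profile in 8.3 short form, so the
// same file under another profile is not matched. No profile-root placeholder is used anywhere
// in this rule set, so the path is left as observed.
AutoRun:"autochk","C:\DOCUME~1\NETTER~1\protect.dll","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","autochk"
File:"<$FILE_EXE>","C:\DOCUME~1\NETTER~1\protect.dll"
RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","sdfsefsfdvdubgiungfuyd","sdfsefsfdvdubgiungfuyd={C2BA40A1-74F3-42BD-F434-12345A2C8953}"

File:"<$FILE_LIBRARY>","<$SYSDIR>\afnoinkdsfe.dll"


// Virtumonde:
// Both spellings are listed because the AppInit_DLLs entry was observed with and without
// the .dll extension.
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\sejuluto"
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\sejuluto.dll"
File:"<$FILE_WEBPAGE>","<$SYSDIR>\sejuluto"
File:"<$FILE_WEBPAGE>","<$SYSDIR>\sejuluto.dll"
// Doing something wrong here can break your system, take special care!
// (Winlogon\Notify packages are loaded by winlogon itself and AppInit_DLLs into every
// user-mode process; removing the wrong entry can prevent logon, so match the exact key/DLL
// name only, never a wildcard.)

RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\","__c0026DDA"
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\tejoluze.dll"
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\luwapeta.dll"
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\johabuji.dll"
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\nazoduse.dll"
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\yowujeje.dll"
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\fuwojake.dll"
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\vidimofu.dll"
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\kiduruka.dll"
File:"<$FILE_WEBPAGE>","<$SYSDIR>\tejoluze.dll"
File:"<$FILE_WEBPAGE>","<$SYSDIR>\luwapeta.dll"
File:"<$FILE_WEBPAGE>","<$SYSDIR>\johabuji.dll"
File:"<$FILE_WEBPAGE>","<$SYSDIR>\nazoduse.dll"
File:"<$FILE_WEBPAGE>","<$SYSDIR>\yowujeje.dll"
File:"<$FILE_WEBPAGE>","<$SYSDIR>\fuwojake.dll"
File:"<$FILE_WEBPAGE>","<$SYSDIR>\vidimofu.dll"
File:"<$FILE_WEBPAGE>","<$SYSDIR>\kiduruka.dll"
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\filoloye.dll"
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\oicfcd.dll"
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\daluwimo.dll"
File:"<$FILE_WEBPAGE>","<$SYSDIR>\filoloye.dll"
File:"<$FILE_WEBPAGE>","<$SYSDIR>\oicfcd.dll"
File:"<$FILE_WEBPAGE>","<$SYSDIR>\daluwimo.dll"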