I've collected detection rules for the following malware:
  • Malware.FraudLoad
  • Malware.Smitfraud
  • PUPS.DoubleD
  • Rogue.AdvancedRemover
  • Rogue.AdvancedVirusRemover
  • Rogue.MalwareDoctor
  • Rogue.PersonalAntivirus
  • Rogue.PersonalDefender2009
  • Rogue.SpywareGuard2008
  • Rogue.SystemGuard2009
  • Rogue.WindowsProtectionSuite
  • Suspicious(1)–(5)
  • Trojan.Agent
  • Trojan.Ambler
  • Trojan.Backdoor.Agent
  • Trojan.Clicker
  • Trojan.Downloader
  • Trojan.TDSS.Rootkit
  • Trojan.Unknown(1)–(4)
  • Trojan.Virtumonde
  • Worm.SDBOT
  • Worm.VB
Category: Trojan
Code:
:: New Malware v22
// Revision 1
// {Cat:Trojan}{Cnt:1}
// {Det:Matt,2009-08-15}

// Malware.FraudLoad:
// One BHO: its CLSID is listed both under Browser Helper Objects and under
// Classes\CLSID, the BrowserHelperEx entries pair the name "Microsoft copyright"
// with each DLL file name, and the two DLLs are removed from the system directory.
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{4D88F653-4230-4af1-A6A3-54B8D3CD7DF4}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{4D88F653-4230-4af1-A6A3-54B8D3CD7DF4}"
BrowserHelperEx:"Microsoft copyright","filename=msfacat32.dll"
BrowserHelperEx:"Microsoft copyright","filename=msafras32.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\msfacat32.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\msafras32.dll"

// Malware.Smitfraud (HijackThis O4 entries kept for reference; no active rule in this section):
//O4 - HKUS\.DEFAULT\..\Run: [A00FE2239.exe] C:\WINDOWS\TEMP\_A00FE2239.exe (User 'Default user')
//O4 - HKUS\S-1-5-18\..\Run: [A00F1AA16.exe] C:\WINDOWS\TEMP\_A00F1AA16.exe (User 'SYSTEM')
//O4 - HKUS\S-1-5-18\..\Run: [A00FE3A17.exe] C:\WINDOWS\TEMP\_A00FE3A17.exe (User 'SYSTEM')
//O4 - HKUS\.DEFAULT\..\Run: [A00F1AA16.exe] C:\WINDOWS\TEMP\_A00F1AA16.exe (User 'Default user')

// PUPS.DoubleD:
//Another user complaining about annoying ads and pop-ups; at least the first part is probably new
// Three BHO/DLL pairs. For each one: the CLSID under Browser Helper Objects and
// under Classes\CLSID, the BrowserHelperEx name/file-name pair, the DLL itself and
// the directories it is installed in. The "flagfile=1" BrowserHelperEx variants are
// kept commented out; the filename= form is the active one.
//BrowserHelperEx:"(no name)","flagfile=1"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{00F5B5BA-E3C2-4b70-BF51-42A557914FAD}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{00F5B5BA-E3C2-4b70-BF51-42A557914FAD}"
BrowserHelperEx:"*","filename=CashBackAssistantIE.dll"
File:"<$FILE_LIBRARY>","<$PROGRAMFILES>\Nice Prosper\CashBackAssistant\CashBackAssistantIE.dll"
Directory:"<$DIR_PROG>","<$PROGRAMFILES>\Nice Prosper\CashBackAssistant"
Directory:"<$DIR_PROG>","<$PROGRAMFILES>\Nice Prosper"
//BrowserHelperEx:"Media Access Startup","flagfile=1"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{25B8D58C-B0CB-46b0-BA64-05B3804E4E86}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{25B8D58C-B0CB-46b0-BA64-05B3804E4E86}"
BrowserHelperEx:"Media Access Startup","filename=HPIEAddOn.dll"
File:"<$FILE_LIBRARY>","<$PROGRAMFILES>\Media Access Startup\1.5.0.850\HPIEAddOn.dll"
// The version-specific directory (1.5.0.850, kept commented out) is generalized
// to a * wildcard, presumably so that other version directories are covered too.
//Directory:"<$DIR_PROG>","<$PROGRAMFILES>\Media Access Startup\1.5.0.850"
Directory:"<$DIR_PROG>","<$PROGRAMFILES>\Media Access Startup\*"
Directory:"<$DIR_PROG>","<$PROGRAMFILES>\Media Access Startup"
//BrowserHelperEx:"NP Helper Class","flagfile=1"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{35B8D58C-B0CB-46b0-BA64-05B3804E4E86}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{35B8D58C-B0CB-46b0-BA64-05B3804E4E86}"
BrowserHelperEx:"NP Helper Class","filename=NPIEAddOn.dll"
File:"<$FILE_LIBRARY>","<$PROGRAMFILES>\Internet Saving Optimizer\3.4.0.4340\NPIEAddOn.dll"
// Same wildcard treatment for the 3.4.0.4340 version directory.
//Directory:"<$DIR_PROG>","<$PROGRAMFILES>\Internet Saving Optimizer\3.4.0.4340"
Directory:"<$DIR_PROG>","<$PROGRAMFILES>\Internet Saving Optimizer\*"
Directory:"<$DIR_PROG>","<$PROGRAMFILES>\Internet Saving Optimizer"

// Rogue.AdvancedRemover:
// A Winsock entry referencing winhelper.dll plus the DLL in the system directory.
Winsock:"<winhelper.dll>","0"
File:"<$FILE_LIBRARY>","<$SYSDIR>\winhelper.dll"

// Rogue.AdvancedVirusRemover:
// Startup entry "Advanced Virus Remover" (HKCU Run value) pointing at PAVRM.exe
// under Program Files, and the executable itself.
AutoRun:"Advanced Virus Remover","<$PROGRAMFILES>\AdvancedVirusRemover\PAVRM.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","Advanced Virus Remover"
File:"<$FILE_EXE>","<$PROGRAMFILES>\AdvancedVirusRemover\PAVRM.exe"

// Rogue.MalwareDoctor:
// Run entry "Malware Doctor" in both HKLM and HKCU plus the executable. The
// literal paths from the report (kept commented out) sit under the LocalService
// profile's Application Data and were generalized to <$APPDATA>.
// NOTE(review): confirm <$APPDATA> is also expanded for the LocalService profile,
// otherwise the active File rule does not reach the observed location.
//AutoRun:"Malware Doctor","C:\Documents and Settings\LocalService\Application Data\691447002.exe","flagifnofile=1"
AutoRun:"Malware Doctor","<$APPDATA>\691447002.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","Malware Doctor"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","Malware Doctor"
//File:"<$FILE_EXE>","C:\Documents and Settings\LocalService\Application Data\691447002.exe"
File:"<$FILE_EXE>","<$APPDATA>\691447002.exe"

// Rogue.PersonalAntivirus:
// One BHO CLSID (Browser Helper Objects list and Classes\CLSID) and two DLLs in
// the system directory; the BrowserHelperEx name is wildcarded, only the file
// name is matched.
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{A77D3539-581D-450C-9E44-A84C415A6172}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{A77D3539-581D-450C-9E44-A84C415A6172}"
BrowserHelperEx:"*","filename=msxmlm.dll"
BrowserHelperEx:"*","filename=winexplorer.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\msxmlm.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\winexplorer.dll"

// Rogue.PersonalDefender2009:
// Two Run value names (winhpdrv, HPseti) seen with three different executables
// under <$APPDATA>\Google; every name/file combination gets its own AutoRun rule.
// The literal path from the report is kept commented out.
//AutoRun:"winhpdrv",""C:\Documents and Settings\XXX\Application Data\Google\xtgoj6119471.exe","flagifnofile=1"
AutoRun:"winhpdrv","<$APPDATA>\Google\xtgoj6119471.exe","flagifnofile=1"
AutoRun:"winhpdrv","<$APPDATA>\Google\runhh6110411.exe","flagifnofile=1"
AutoRun:"winhpdrv","<$APPDATA>\Google\ijdkq13324484.exe","flagifnofile=1"
AutoRun:"HPseti","<$APPDATA>\Google\xtgoj6119471.exe","flagifnofile=1"
AutoRun:"HPseti","<$APPDATA>\Google\runhh6110411.exe","flagifnofile=1"
AutoRun:"HPseti","<$APPDATA>\Google\ijdkq13324484.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","winhpdrv"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","HPseti"
//File:"<$FILE_EXE>",""C:\Documents and Settings\XXX\Application Data\Google\xtgoj6119471.exe"
File:"<$FILE_EXE>","<$APPDATA>\Google\xtgoj6119471.exe"
File:"<$FILE_EXE>","<$APPDATA>\Google\runhh6110411.exe"
File:"<$FILE_EXE>","<$APPDATA>\Google\ijdkq13324484.exe"

// Rogue.SpywareGuard2008 (observed registry key only; no active rule in this section):
//HKEY_CURRENT_USER\SOFTWARE\Spyware Guard 2008

// Rogue.SystemGuard2009:
// HKLM Run entry "10394214" pointing at 10394214\10394214.exe under the common
// Application Data folder; the executable and its directory are removed. Literal
// paths from the report are kept commented out above the generalized rules.
//AutoRun:"10394214","C:\Documents and Settings\All Users\Application Data\10394214\10394214.exe","flagifnofile=1"
AutoRun:"10394214","<$COMMONAPPDATA>\10394214\10394214.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","10394214"
//File:"<$FILE_EXE>","C:\Documents and Settings\All Users\Application Data\10394214\10394214.exe"
File:"<$FILE_EXE>","<$COMMONAPPDATA>\10394214\10394214.exe"
Directory:"<$DIR_COMMON_APPDATA>","<$COMMONAPPDATA>\10394214"

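// Rogue.WindowsProtectionSuite:
//The asterisk * stands for 345d567
// HKCU Run entry "Windows Protection Suite", the program directory under the
// common Application Data folder (matched via the * wildcard and the WI345d.exe
// file name), a set of dropped files under <$PROFILE>\Recent, shortcuts, and a
// few registry keys. Literal paths from the report are kept commented out.
//AutoRun:"Windows Protection Suite",""C:\Documents and Settings\All Users\Application Data\345d567\WI345d.exe" /s /d","flagifnofile=1"
AutoRun:"Windows Protection Suite","<$COMMONAPPDATA>\*\WI345d.exe*","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","Windows Protection Suite"
//File:"<$FILE_EXE>",""C:\Documents and Settings\All Users\Application Data\345d567\WI345d.exe" /s /d"
File:"<$FILE_EXE>","<$COMMONAPPDATA>\*\WI345d.exe"
File:"<$FILE_DATA>","<$COMMONAPPDATA>\*\285.mof"
File:"<$FILE_LIBRARY>","<$COMMONAPPDATA>\*\mozcrt19.dll"
File:"<$FILE_LIBRARY>","<$COMMONAPPDATA>\*\sqlite3.dll"
File:"<$FILE_PICTURE>","<$COMMONAPPDATA>\*\WINPS.ico"
File:"<$FILE_TEXT>","<$COMMONAPPDATA>\*\working.log"
File:"<$FILE_DATA>","<$COMMONAPPDATA>\*\WINSPSys\vd952342.bd"
File:"<$FILE_DATA>","<$COMMONAPPDATA>\WINSPSys\winps.cfg"
File:"<$FILE_LINK>","<$QUICKLAUNCH>\Windows Protection Suite.lnk"
File:"<$FILE_CONFIGURATION>","<$APPDATA>\Windows Protection Suite\Instructions.ini"
File:"<$FILE_LINK>","<$DESKTOP>\Windows Protection Suite.lnk"
File:"<$FILE_SERVICE>","<$PROFILE>\Recent\cb.sys"
File:"<$FILE_LIBRARY>","<$PROFILE>\Recent\cid.dll"
File:"<$FILE_TEMP>","<$PROFILE>\Recent\cid.tmp"
File:"<$FILE_LIBRARY>","<$PROFILE>\Recent\CLSV.dll"
File:"<$FILE_TEMP>","<$PROFILE>\Recent\CLSV.tmp"
File:"<$FILE_SERVICE>","<$PROFILE>\Recent\DBOLE.sys"
File:"<$FILE_LIBRARY>","<$PROFILE>\Recent\ddv.dll"
File:"<$FILE_SERVICE>","<$PROFILE>\Recent\eb.sys"
File:"<$FILE_TEMP>","<$PROFILE>\Recent\eb.tmp"
File:"<$FILE_DATA>","<$PROFILE>\Recent\energy.drv"
File:"<$FILE_SERVICE>","<$PROFILE>\Recent\energy.sys"
File:"<$FILE_TEMP>","<$PROFILE>\Recent\exec.tmp"
File:"<$FILE_DATA>","<$PROFILE>\Recent\kernel32.drv"
File:"<$FILE_DATA>","<$PROFILE>\Recent\PE.drv"
File:"<$FILE_TEMP>","<$PROFILE>\Recent\PE.tmp"
File:"<$FILE_EXE>","<$PROFILE>\Recent\ppal.exe"
File:"<$FILE_DATA>","<$PROFILE>\Recent\runddlkey.drv"
File:"<$FILE_SERVICE>","<$PROFILE>\Recent\snl2w.sys"
File:"<$FILE_LIBRARY>","<$PROFILE>\Recent\tempdoc.dll"
File:"<$FILE_LINK>","<$STARTMENU>\Windows Protection Suite.lnk"
File:"<$FILE_LINK>","<$PROGRAMS>\Windows Protection Suite.lnk"
// NOTE(review): "search.xml" is a generic name inside the Firefox searchplugins
// folder; this rule carries FP risk if a legitimate search plugin uses that name.
File:"<$FILE_DATA>","<$PROGRAMFILES>\Mozilla Firefox\searchplugins\search.xml"
Directory:"<$DIR_PROG>","<$SYSDRIVE>\ADWARE_LOG"
Directory:"<$DIR_COMMON_APPDATA>","<$COMMONAPPDATA>\*\WINSPSys"
//Directory:"<$DIR_COMMON_APPDATA>","<$COMMONAPPDATA>\345d567"
Directory:"<$DIR_COMMON_APPDATA>","<$COMMONAPPDATA>\*","filename=WI345d.exe"
Directory:"<$DIR_COMMON_APPDATA>","<$COMMONAPPDATA>\WINSPSys"
// NOTE(review): cookies.sqlite is listed as a Directory; if it is a file, this
// should be a File rule (e.g. <$FILE_DATA>) — confirm against the sample.
Directory:"<$DIR_APPDATA>","<$APPDATA>\Windows Protection Suite\cookies.sqlite"
Directory:"<$DIR_APPDATA>","<$APPDATA>\Windows Protection Suite"
//The following rules should be treated with caution; we don't want another FP to come out of this :-)
//HKEY_CLASSES_ROOT\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}
//HKEY_CLASSES_ROOT\WI345d.DocHostUIHandler
RegyKey:"<$REG_SETTINGS>",HKEY_CLASSES_ROOT,"\","WI345d.DocHostUIHandler"
//HKEY_CURRENT_USER\Software\Classes\Software\Microsoft\Internet Explorer\SearchScopes "URL" = "http://search-gala.com/?%26uid=7%26q={searchTerms}"
//HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform "9877034603"
// Fixed: the previous rule (kept below) omitted the \Software\ segment that the
// observed key above has, and embedded "9877034603" in unescaped quotes inside
// the key name. "9877034603" is a value under the Post Platform key, so it is
// matched as a value name here, following the RegyValue shape used elsewhere in
// this file — confirm the rule loads and matches on an infected sample.
//RegyKey:"<$REG_SETTINGS>",HKEY_CURRENT_USER,"\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\","Post Platform "9877034603""
RegyValue:"<$REG_SETTINGS>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform\","9877034603"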

// Suspicious(1):
// HKLM Run entry "Security Gateway" pointing at mslsgw.exe in the system
// directory, plus the executable. Literal path kept commented out.
//AutoRun:"Security Gateway","C:\Windows\system32\mslsgw.exe","flagifnofile=1"
AutoRun:"Security Gateway","<$SYSDIR>\mslsgw.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","Security Gateway"
File:"<$FILE_EXE>","<$SYSDIR>\mslsgw.exe"

// Suspicious(2):
// A Winsock entry referencing lsptte.dll plus the DLL in the system directory.
Winsock:"<lsptte.dll>","0"
File:"<$FILE_LIBRARY>","<$SYSDIR>\lsptte.dll"

// Suspicious(3): hosts-file entries observed (HijackThis O1); no active rule in this section
//O1 - Hosts: 74.125.45.100 test1111.com
//O1 - Hosts: 74.125.45.100 test1112.com
//O1 - Hosts: 74.125.45.100 4-open-davinci.com
//O1 - Hosts: 74.125.45.100 securitysoftwarepayments.com
//O1 - Hosts: 74.125.45.100 privatesecuredpayments.com
//O1 - Hosts: 74.125.45.100 secure.privatesecuredpayments.com
//O1 - Hosts: 74.125.45.100 getantivirusplusnow.com
//O1 - Hosts: 74.125.45.100 secure-plus-payments.com
//O1 - Hosts: 74.125.45.100 www.getantivirusplusnow.com
//O1 - Hosts: 74.125.45.100 www.secure-plus-payments.com
//O1 - Hosts: 74.125.45.100 www.getavplusnow.com
//O1 - Hosts: 74.125.45.100 www.securesoftwarebill.com
//O1 - Hosts: 89.248.168.188 google.ae
//O1 - Hosts: 89.248.168.188 google.as
//O1 - Hosts: 89.248.168.188 google.at
//O1 - Hosts: 89.248.168.188 google.az
//O1 - Hosts: 89.248.168.188 google.ba
//O1 - Hosts: 89.248.168.188 google.be
//O1 - Hosts: 89.248.168.188 google.bg
//O1 - Hosts: 89.248.168.188 google.bs
//O1 - Hosts: 89.248.168.188 google.ca
//O1 - Hosts: 89.248.168.188 google.cd
//O1 - Hosts: 89.248.168.188 google.com.gh
//O1 - Hosts: 89.248.168.188 google.com.hk
//O1 - Hosts: 89.248.168.188 google.com.jm
//O1 - Hosts: 89.248.168.188 google.com.mx
//O1 - Hosts: 89.248.168.188 google.com.my
//O1 - Hosts: 89.248.168.188 google.com.na
//O1 - Hosts: 89.248.168.188 google.com.nf
//O1 - Hosts: 89.248.168.188 google.com.ng
//O1 - Hosts: 89.248.168.188 google.ch
//O1 - Hosts: 89.248.168.188 google.com.np
//O1 - Hosts: 89.248.168.188 google.com.pr
//O1 - Hosts: 89.248.168.188 google.com.qa
//O1 - Hosts: 89.248.168.188 google.com.sg
//O1 - Hosts: 89.248.168.188 google.com.tj
//O1 - Hosts: 89.248.168.188 google.com.tw
//O1 - Hosts: 89.248.168.188 google.dj
//O1 - Hosts: 89.248.168.188 google.de
//O1 - Hosts: 89.248.168.188 google.dk
//O1 - Hosts: 89.248.168.188 google.dm
//O1 - Hosts: 89.248.168.188 google.ee
//O1 - Hosts: 89.248.168.188 google.fi
//O1 - Hosts: 89.248.168.188 google.fm
//O1 - Hosts: 89.248.168.188 google.fr
//O1 - Hosts: 89.248.168.188 google.ge
//O1 - Hosts: 89.248.168.188 google.gg
//O1 - Hosts: 89.248.168.188 google.gm
//O1 - Hosts: 89.248.168.188 google.gr
//O1 - Hosts: 89.248.168.188 google.ht
//O1 - Hosts: 89.248.168.188 google.ie
//O1 - Hosts: 89.248.168.188 google.im
//O1 - Hosts: 89.248.168.188 google.in
//O1 - Hosts: 89.248.168.188 google.it
//O1 - Hosts: 89.248.168.188 google.ki
//O1 - Hosts: 89.248.168.188 google.la
//O1 - Hosts: 89.248.168.188 google.li
//O1 - Hosts: 89.248.168.188 google.lv
//O1 - Hosts: 89.248.168.188 google.ma
//O1 - Hosts: 89.248.168.188 google.ms
//O1 - Hosts: 89.248.168.188 google.mu
//O1 - Hosts: 89.248.168.188 google.mw
//O1 - Hosts: 89.248.168.188 google.nl
//O1 - Hosts: 89.248.168.188 google.no
//O1 - Hosts: 89.248.168.188 google.nr
//O1 - Hosts: 89.248.168.188 google.nu
//O1 - Hosts: 89.248.168.188 google.pl
//O1 - Hosts: 89.248.168.188 google.pn
//O1 - Hosts: 89.248.168.188 google.pt
//O1 - Hosts: 89.248.168.188 google.ro
//O1 - Hosts: 89.248.168.188 google.ru
//O1 - Hosts: 89.248.168.188 google.rw
//O1 - Hosts: 89.248.168.188 google.sc
//O1 - Hosts: 89.248.168.188 google.se
//O1 - Hosts: 89.248.168.188 google.sh
//O1 - Hosts: 89.248.168.188 google.si
//O1 - Hosts: 89.248.168.188 google.sm
//O1 - Hosts: 89.248.168.188 google.sn
//O1 - Hosts: 89.248.168.188 google.st
//O1 - Hosts: 89.248.168.188 google.tl
//O1 - Hosts: 89.248.168.188 google.tm
//O1 - Hosts: 89.248.168.188 google.tt
//O1 - Hosts: 89.248.168.188 google.us
//O1 - Hosts: 89.248.168.188 google.vu
//O1 - Hosts: 89.248.168.188 google.ws
//O1 - Hosts: 89.248.168.188 google.co.ck
//O1 - Hosts: 89.248.168.188 google.co.id
//O1 - Hosts: 89.248.168.188 google.co.il
//O1 - Hosts: 89.248.168.188 google.co.in
//O1 - Hosts: 89.248.168.188 google.co.jp
//O1 - Hosts: 89.248.168.188 google.co.kr
//O1 - Hosts: 89.248.168.188 google.co.ls
//O1 - Hosts: 89.248.168.188 google.co.ma
//O1 - Hosts: 89.248.168.188 google.co.nz
//O1 - Hosts: 89.248.168.188 google.co.tz
//O1 - Hosts: 89.248.168.188 google.co.ug
//O1 - Hosts: 89.248.168.188 google.co.uk
//O1 - Hosts: 89.248.168.188 google.co.za
//O1 - Hosts: 89.248.168.188 google.co.zm
//O1 - Hosts: 89.248.168.188 google.com
//O1 - Hosts: 89.248.168.188 google.com.af

// Suspicious(4): hosts-file entries observed (HijackThis O1); no active rule in this section
//O1 - Hosts: 209.216.253.186 www.winmx.com err.winmx.com
//O1 - Hosts: 65.75.216.6 cache0.winmx.com test3201.winmx.com test3206.winmx.com
//O1 - Hosts: 65.75.216.7 cache1.winmx.com test3202.winmx.com test3207.winmx.com
//O1 - Hosts: 82.43.229.238 cache2.winmx.com test3203.winmx.com test3208.winmx.com
//O1 - Hosts: 205.238.40.1 cache3.winmx.com test3204.winmx.com
//O1 - Hosts: 205.238.40.2 cache4.winmx.com test3205.winmx.com
//O1 - Hosts: 65.75.216.6 c3310.z1301.winmx.com c3310.z1302.winmx.com c3310.z1303.winmx.com c3310.z1304.winmx.com c3310.z1305.winmx.com c3310.z1306.winmx.com
//O1 - Hosts: 65.75.216.6 c3311.z1301.winmx.com c3311.z1302.winmx.com c3311.z1303.winmx.com c3311.z1304.winmx.com c3311.z1305.winmx.com c3311.z1306.winmx.com
//O1 - Hosts: 65.75.216.6 c3312.z1301.winmx.com c3312.z1302.winmx.com c3312.z1303.winmx.com c3312.z1304.winmx.com c3312.z1305.winmx.com c3312.z1306.winmx.com
//O1 - Hosts: 65.75.216.7 c3313.z1301.winmx.com c3313.z1302.winmx.com c3313.z1303.winmx.com c3313.z1304.winmx.com c3313.z1305.winmx.com c3313.z1306.winmx.com
//O1 - Hosts: 65.75.216.7 c3314.z1301.winmx.com c3314.z1302.winmx.com c3314.z1303.winmx.com c3314.z1304.winmx.com c3314.z1305.winmx.com c3314.z1306.winmx.com
//O1 - Hosts: 65.75.216.7 c3315.z1301.winmx.com c3315.z1302.winmx.com c3315.z1303.winmx.com c3315.z1304.winmx.com c3315.z1305.winmx.com c3315.z1306.winmx.com
//O1 - Hosts: 82.43.229.238 c3316.z1301.winmx.com c3316.z1302.winmx.com c3316.z1303.winmx.com c3316.z1304.winmx.com c3316.z1305.winmx.com c3316.z1306.winmx.com
//O1 - Hosts: 82.43.229.238 c3317.z1301.winmx.com c3317.z1302.winmx.com c3317.z1303.winmx.com c3317.z1304.winmx.com c3317.z1305.winmx.com c3317.z1306.winmx.com
//O1 - Hosts: 205.238.40.1 c3318.z1301.winmx.com c3318.z1302.winmx.com c3318.z1303.winmx.com c3318.z1304.winmx.com c3318.z1305.winmx.com c3318.z1306.winmx.com
//O1 - Hosts: 205.238.40.2 c3319.z1301.winmx.com c3319.z1302.winmx.com c3319.z1303.winmx.com c3319.z1304.winmx.com c3319.z1305.winmx.com c3319.z1306.winmx.com
//O1 - Hosts: 65.75.216.6 c3520.z1301.winmx.com c3520.z1302.winmx.com c3520.z1303.winmx.com c3520.z1304.winmx.com c3520.z1305.winmx.com c3520.z1306.winmx.com
//O1 - Hosts: 65.75.216.6 c3521.z1301.winmx.com c3521.z1302.winmx.com c3521.z1303.winmx.com c3521.z1304.winmx.com c3521.z1305.winmx.com c3521.z1306.winmx.com
//O1 - Hosts: 65.75.216.6 c3522.z1301.winmx.com c3522.z1302.winmx.com c3522.z1303.winmx.com c3522.z1304.winmx.com c3522.z1305.winmx.com c3522.z1306.winmx.com
//O1 - Hosts: 65.75.216.7 c3523.z1301.winmx.com c3523.z1302.winmx.com c3523.z1303.winmx.com c3523.z1304.winmx.com c3523.z1305.winmx.com c3523.z1306.winmx.com
//O1 - Hosts: 65.75.216.7 c3524.z1301.winmx.com c3524.z1302.winmx.com c3524.z1303.winmx.com c3524.z1304.winmx.com c3524.z1305.winmx.com c3524.z1306.winmx.com
//O1 - Hosts: 65.75.216.7 c3525.z1301.winmx.com c3525.z1302.winmx.com c3525.z1303.winmx.com c3525.z1304.winmx.com c3525.z1305.winmx.com c3525.z1306.winmx.com
//O1 - Hosts: 82.43.229.238 c3526.z1301.winmx.com c3526.z1302.winmx.com c3526.z1303.winmx.com c3526.z1304.winmx.com c3526.z1305.winmx.com c3526.z1306.winmx.com
//O1 - Hosts: 82.43.229.238 c3527.z1301.winmx.com c3527.z1302.winmx.com c3527.z1303.winmx.com c3527.z1304.winmx.com c3527.z1305.winmx.com c3527.z1306.winmx.com
//O1 - Hosts: 205.238.40.1 c3528.z1301.winmx.com c3528.z1302.winmx.com c3528.z1303.winmx.com c3528.z1304.winmx.com c3528.z1305.winmx.com c3528.z1306.winmx.com
//O1 - Hosts: 205.238.40.2 c3529.z1301.winmx.com c3529.z1302.winmx.com c3529.z1303.winmx.com c3529.z1304.winmx.com c3529.z1305.winmx.com c3529.z1306.winmx.com

// Suspicious(5): hosts-file entries observed (HijackThis O1); no active rule in this section
//O1 - Hosts: 91.212.65.122 browser-security.microsoft.com
//O1 - Hosts: 91.212.65.122 spyware-protector-2009.com
//O1 - Hosts: 91.212.65.122 www.spyware-protector-2009.com
//O1 - Hosts: 91.212.65.122 secure.spyware-protector-2009.com
//O1 - Hosts: 91.212.65.122 knocker

// Trojan.Agent:
// HKCU Run entry "MicrosoftUpdate" pointing at taskeng.exe in the user's
// Application Data folder, plus the executable. Literal paths kept commented out.
//AutoRun:"MicrosoftUpdate","C:\Documents and Settings\XXX\Application Data\taskeng.exe","flagifnofile=1"
AutoRun:"MicrosoftUpdate","<$APPDATA>\taskeng.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","MicrosoftUpdate"
//File:"<$FILE_EXE>","C:\Documents and Settings\XXX\Application Data\taskeng.exe"
File:"<$FILE_EXE>","<$APPDATA>\taskeng.exe"

// Trojan.Ambler:
// Three BHO CLSIDs (Browser Helper Objects list and Classes\CLSID) and six DLLs
// in the system directory. jbnmc?.dll uses a single-character wildcard because
// two variants (jbnmck.dll, jbnmcd.dll, kept commented out) were observed.
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{aff01325-0fc2-4749-8914-fbf0565ad9cc}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{aff01325-0fc2-4749-8914-fbf0565ad9cc}"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{56bb6d01-7bd5-4458-a4ae-f03df643d6ee}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{56bb6d01-7bd5-4458-a4ae-f03df643d6ee}"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{DB3C772E-16F4-40e7-AAF2-5DEBA1354917}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{DB3C772E-16F4-40e7-AAF2-5DEBA1354917}"
BrowserHelperEx:"Chrome copyright","filename=jbnmc?.dll"
BrowserHelperEx:"Microsoft copyright","filename=stfa.dll"
BrowserHelperEx:"Microsoft copyright","filename=smstf.dll"
BrowserHelperEx:"Microsoft copyright","filename=gmstof.dll"
BrowserHelperEx:"Microsoft copyright","filename=gofax.dll"
BrowserHelperEx:"MSN helper","filename=muitef.dll"
//File:"<$FILE_LIBRARY>","<$SYSDIR>\jbnmck.dll"
//File:"<$FILE_LIBRARY>","<$SYSDIR>\jbnmcd.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\jbnmc?.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\stfa.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\smstf.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\gmstof.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\gofax.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\muitef.dll"

// Trojan.Backdoor.Agent:
// HKCU Run entry "ttool" pointing at 9129837.exe in the Windows directory, plus
// the executable.
AutoRun:"ttool","<$WINDIR>\9129837.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","ttool"
File:"<$FILE_EXE>","<$WINDIR>\9129837.exe"

// Trojan.Clicker:
// One BHO CLSID (Browser Helper Objects list and Classes\CLSID) with two DLLs in
// the system directory, both registered under the name "Microsoft copyright".
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{F30B5E7E-CFBB-44fb-A947-226E5A7A4290}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{F30B5E7E-CFBB-44fb-A947-226E5A7A4290}"
BrowserHelperEx:"Microsoft copyright","filename=jhxm32.dll"
BrowserHelperEx:"Microsoft copyright","filename=lklf32.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\jhxm32.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\lklf32.dll"

// Trojan.Downloader:
// A text/html protocol filter: the first two rules match the observed CLSID (as
// a ProtocolFilter entry and as the Classes\Protocols\Filter registry key), the
// last one matches any CLSID whose filter DLL is xwreg32.dll.
ProtocolFilter:"text/html","{9d73f604-38c1-469e-a223-cd0625fa372f}"
RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\Protocols\Filter\","text/html","CLSID={9d73f604-38c1-469e-a223-cd0625fa372f}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\xwreg32.dll"
//CLSID is random, file name is fixed; hence my first attempt here, similar to BrowserHelperEx :-)
ProtocolFilter:"text/html","*","filename=xwreg32.dll"

// Trojan.TDSS.Rootkit:
//From a ComboFix log file (paths noted for reference; no active rule in this section):
//c:\windows\system32\drivers\gxvxclmejdvjipuloemxoicocvpppumpkcjgy.sys
//c:\windows\system32\gxvxcasrmyejuhtxxyakxnalenpsditeucauo.dll
//c:\windows\system32\gxvxccounter

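// Trojan.Unknown(1):
// Two Run entries with their executables and install directories. The literal
// paths from the log are kept commented out above each generalized rule; the
// directory names (ULI5289, ACF7EF) are replaced by a * wildcard and the
// directory is identified through its filename= filter instead.
//AutoRun:"ALi5289","C:\Program Files\ULI5289\ALi5289.exe","flagifnofile=1"
AutoRun:"ALi5289","<$PROGRAMFILES>\*\ALi5289.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","ALi5289"
//File:"<$FILE_EXE>","C:\Program Files\ULI5289\ALi5289.exe"
File:"<$FILE_EXE>","<$PROGRAMFILES>\*\ALi5289.exe"
//Directory:"<$DIR_PROG>","<$PROGRAMFILES>\ULI5289"
Directory:"<$DIR_PROG>","<$PROGRAMFILES>\*","filename=ALi5289.exe"
// NOTE(review): the trailing space after 74BE16.EXE is copied from the observed
// Run value; confirm the matcher keeps it (other AutoRun rules in this file use a
// trailing * to absorb arguments instead).
//AutoRun:"74BE16","C:\WINDOWS\system32\ACF7EF\74BE16.EXE ","flagifnofile=1"
AutoRun:"74BE16","<$SYSDIR>\*\74BE16.EXE ","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","74BE16"
//File:"<$FILE_EXE>","C:\WINDOWS\system32\ACF7EF\74BE16.EXE"
File:"<$FILE_EXE>","<$SYSDIR>\*\74BE16.EXE"
// Fixed: the observed ACF7EF directory is below the system directory (see the
// commented paths above), not below Program Files; the previous Directory rule
// (kept below) pointed at <$PROGRAMFILES>\* and could not match the folder the
// AutoRun and File rules refer to. <$DIR_PROG> is kept as the directory type
// because no system-directory type is used anywhere else in this file — confirm.
//Directory:"<$DIR_PROG>","<$PROGRAMFILES>\ACF7EF"
//Directory:"<$DIR_PROG>","<$PROGRAMFILES>\*","filename=74BE16.EXE"
Directory:"<$DIR_PROG>","<$SYSDIR>\*","filename=74BE16.EXE"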

// Trojan.Unknown(2):
//The last four letters are random
// HKCU Run entry "nah_Shell" pointing at nah_????.exe directly in the user
// profile (four single-character wildcards for the random suffix), plus the
// executable. Literal paths kept commented out.
//AutoRun:"nah_Shell","C:\Documents and Settings\Adrian\nah_fban.exe","flagifnofile=1"
AutoRun:"nah_Shell","<$PROFILE>\nah_????.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","nah_Shell"
//File:"<$FILE_EXE>","C:\Documents and Settings\Adrian\nah_fban.exe"
File:"<$FILE_EXE>","<$PROFILE>\nah_????.exe"

// Trojan.Unknown(3):
// A SharedTaskScheduler entry named "perfmons" whose ImagePath points at
// perfs.exe in the system directory, plus the executable.
RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","perfmons","ImagePath=<$SYSDIR>\perfs.exe"
File:"<$FILE_EXE>","<$SYSDIR>\perfs.exe"

// Trojan.Unknown(4):
// legupd32.exe seen in a Startup folder (HijackThis O4 entry); both the per-user
// and the common Startup folder are checked.
//O4 - Startup: legupd32.exe
//C:\Documents and Settings\Users\Start Menu\Programs\Startup\
File:"<$FILE_EXE>","<$STARTUP>\legupd32.exe"
File:"<$FILE_EXE>","<$COMMONSTARTUP>\legupd32.exe"

// Trojan.Virtumonde:
// BHO part: four CLSIDs (Browser Helper Objects list and Classes\CLSID), each
// with a name-wildcarded BrowserHelperEx entry and its DLL. emuxipab.dll lives in
// the Windows directory, the other three in the system directory. The
// "flagfile=1" variants are kept commented out.
//BrowserHelperEx:"(no name)","flagfile=1"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{6d0fd82e-b0e6-6845-e447-4a5d20904a48}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{6d0fd82e-b0e6-6845-e447-4a5d20904a48}"
BrowserHelperEx:"*","filename=emuxipab.dll"
File:"<$FILE_LIBRARY>","<$WINDIR>\emuxipab.dll"
//BrowserHelperEx:"(no name)","flagfile=1"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{BCDEBE74-F975-4FEE-B2FC-FFB4917BB8D3}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{BCDEBE74-F975-4FEE-B2FC-FFB4917BB8D3}"
BrowserHelperEx:"*","filename=czzkdvf.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\czzkdvf.dll"
//BrowserHelperEx:"(no name)","flagfile=1"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{0FAF4891-E95D-4C03-A388-A14C5C305759}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{0FAF4891-E95D-4C03-A388-A14C5C305759}"
BrowserHelperEx:"*","filename=wvUkiFUO.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\wvUkiFUO.dll"
//BrowserHelperEx:"(no name)","flagfile=1"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{4e3123ed-e4fe-48fc-8282-12e87e24e4c5}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{4e3123ed-e4fe-48fc-8282-12e87e24e4c5}"
BrowserHelperEx:"*","filename=matiberi.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\matiberi.dll"
// Trojan.Virtumonde, Run entries: each observed value (kept commented out) loads a
// DLL through rundll32; the generalized AutoRun rule matches the DLL path with a
// trailing * for the export-name argument. Entries whose observed name starts
// with "CPM" keep that prefix; the ones with arbitrary names use "*" and
// flagifnofile=0 — presumably so a name wildcard alone does not flag when the
// DLL is absent (confirm, the other rules use flagifnofile=1).
//AutoRun:"CPM0b647c73","Rundll32.exe "c:\windows\system32\sizumeju.dll",a","flagifnofile=1"
AutoRun:"CPM*","<$SYSDIR>\sizumeju.dll*","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","CPM0b647c73"
File:"<$FILE_LIBRARY>","<$SYSDIR>\sizumeju.dll"
//AutoRun:"08574fef","rundll32.exe "C:\WINDOWS\system32\neyikine.dll",b","flagifnofile=1"
AutoRun:"*","<$SYSDIR>\neyikine.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","08574fef"
File:"<$FILE_LIBRARY>","<$SYSDIR>\neyikine.dll"
//AutoRun:"Grugarive","rundll32.exe "C:\WINDOWS\emuxipab.dll",e","flagifnofile=1"
AutoRun:"*","<$WINDIR>\emuxipab.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","Grugarive"
File:"<$FILE_LIBRARY>","<$WINDIR>\emuxipab.dll"
//AutoRun:"CPM3b472655","Rundll32.exe "c:\winnt\system32\bobebeji.dll",a","flagifnofile=1"
AutoRun:"CPM*","<$SYSDIR>\bobebeji.dll*","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","CPM3b472655"
File:"<$FILE_LIBRARY>","<$SYSDIR>\bobebeji.dll"
//AutoRun:"yaripuwafa","Rundll32.exe "C:\WINNT\system32\biheseya.dll",s","flagifnofile=1"
AutoRun:"*","<$SYSDIR>\biheseya.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","yaripuwafa"
File:"<$FILE_LIBRARY>","<$SYSDIR>\biheseya.dll"
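// Trojan.Virtumonde, AppInit_DLLs: each RegyRemove strips one DLL reference out
// of the HKLM ...\Windows NT\CurrentVersion\Windows\AppInit_DLLs value (DLLs
// listed there are loaded into user-mode processes at startup). Many of the
// names resemble legitimate system DLL names with a "32" suffix appended.
// oahnwx.dll and yvxpzs.dll are listed without the <$SYSDIR>\ prefix, presumably
// as they appeared in the observed value; their File rules below use the full path.
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\cryptui32.dll"
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\dsauth32.dll"
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\C_G1803032.dll"
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\dsound32.dll"
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\d3d1032.dll"
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\dsquery32.dll"
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\d3d8thk32.dll"
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\dswave32.dll"
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\d3dim32.dll"
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\dtsh32.dll"
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\davclnt32.dll"
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\dxmasf32.dll"
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\dbghelp32.dll"
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\dplayx32.dll"
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\EncDec32.dll"
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\crtdll32.dll"
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\DHCPQEC32.dll"
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\dpnet32.dll"
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\cic32.dll"
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\cryptnet32.dll"
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\dinput832.dll"
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\dmdlgs32.dll"
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\dxmasf3232.dll"
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\fltLib32.dll"
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\deskperf32.dll"
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\dmscript32.dll"
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\dxva232.dll"
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\FM20ENU32.dll"
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\DevicePairingProxy32.dll"
// Disabled: the entry below names no DLL at all (bare "<$SYSDIR>\"), so it is
// either a stray line or a matcher for the system directory itself. Re-enable only
// after checking against an infected sample what value it was meant to remove.
//RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\"
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\harunano.dll"
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","oahnwx.dll"
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\sizumeju.dll"
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\jevasowa.dll"
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","yvxpzs.dll"
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\bobebeji.dll"
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\binosino.dll"
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\winuid.dll"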
// Trojan.Virtumonde, AppInit DLL files: the DLLs referenced by the AppInit_DLLs
// RegyRemove rules above, all located in the system directory (including
// oahnwx.dll and yvxpzs.dll, which the registry rules list by bare name).
File:"<$FILE_LIBRARY>","<$SYSDIR>\cryptui32.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\dsauth32.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\C_G1803032.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\dsound32.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\d3d1032.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\dsquery32.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\d3d8thk32.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\dswave32.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\d3dim32.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\dtsh32.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\davclnt32.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\dxmasf32.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\dbghelp32.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\dplayx32.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\EncDec32.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\crtdll32.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\DHCPQEC32.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\dpnet32.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\cic32.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\cryptnet32.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\dinput832.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\dmdlgs32.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\dxmasf3232.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\fltLib32.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\deskperf32.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\dmscript32.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\dxva232.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\FM20ENU32.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\DevicePairingProxy32.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\harunano.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\oahnwx.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\sizumeju.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\jevasowa.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\yvxpzs.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\bobebeji.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\binosino.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\winuid.dll"
// Trojan.Virtumonde, Winlogon Notify: three Notify subkeys whose DllName points at
// a DLL in the system directory, plus the DLLs. Only the first key gives a full
// <$SYSDIR> path; the other two name the DLL bare, the File rules use the full path.
RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\","mmdsryvc","DllName=<$SYSDIR>\czzkdvf.dll"
RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\","iifDvVlm","DllName=iifDvVlm.dll"
RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\","ljJCtUkj","DllName=ljJCtUkj.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\czzkdvf.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\iifDvVlm.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\ljJCtUkj.dll"

// Worm.SDBOT:
// HKLM Run entry "winupdate.exe" pointing at winupdate.exe in the system
// directory, plus the executable.
AutoRun:"winupdate.exe","<$SYSDIR>\winupdate.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","winupdate.exe"
File:"<$FILE_EXE>","<$SYSDIR>\winupdate.exe"

// Worm.VB:
// HKLM Run entry "svhost" pointing at svhost.exe in the system directory (note
// the name is one letter short of the legitimate svchost.exe), plus the executable.
AutoRun:"svhost","<$SYSDIR>\svhost.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","svhost"
File:"<$FILE_EXE>","<$SYSDIR>\svhost.exe"