I've collected detection rules for the following malware:
  • Adware.Accoona
  • Adware.CouponBar
  • Adware.Zango
  • Hijacker.Unknown
  • Malware.Fraud.AntivirusPro
  • Malware.Fraud.PersonalAntivirus
  • Malware.Fraud.WindowsAntivirusPro
  • Malware.Lop
  • PUPS.MyWebSearch.MyGlobalSearch
  • Spyware.AttuneHelpExpress
  • Suspicious (5 entries, Suspicious(1)–(5))
  • Trojan.Agent
  • Trojan.Autorun
  • Trojan.Backdoor.UltimateDefender
  • Trojan.Buzus
  • Trojan.Crypt
  • Trojan.Ertfor
  • Trojan.Knockit
  • Trojan.Monopod
  • Trojan.PWS.Onlinegames
  • Trojan.TDSS.Rootkit
  • Trojan.Unknown
  • Trojan.Virtumonde
  • Trojan.Zbot
  • Worm.Realbot
Category: Trojan
Code:
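:: New Malware v24
// Revision 1
// {Cat:Trojan}{Cnt:1}
// {Det:Matt,2009-08-26}
//
// Detection rules in Spybot S&D .sbi style. The <$...> tokens (<$SYSDIR>, <$PROGRAMFILES>,
// <$APPDATA>, <$REG_BHO>, ...) are placeholders that the scanner expands; the commented-out
// rule lines keep the raw, user-specific paths from the original logs that the generalized
// rules directly below them were derived from. "flagifnofile=1" presumably flags the autorun
// entry even when its target file is missing, "flagifnofile=0" only when the file exists --
// confirm against the format reference.

// Adware.Accoona:
BrowserHelperEx:"Accoona Search Assistant","filename=ASearchAssist.dll"
BrowserHelperEx:"ADefaultSearch Class","filename=ASearchAssist.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{944864A5-3916-46E2-96A9-A2E84F3F1208}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{944864A5-3916-46E2-96A9-A2E84F3F1208}"
File:"<$FILE_LIBRARY>","<$PROGRAMFILES>\Accoona\ASearchAssist.dll"
Directory:"<$DIR_PROG>","<$PROGRAMFILES>\Accoona"

// Adware.CouponBar:
BrowserHelperEx:"CouponBar","filename=CouponBarIE.dll"
RegyValue:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Internet Explorer\Toolbar\","{5BED3930-2E9E-76D8-BACC-80DF2188D455}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{5BED3930-2E9E-76D8-BACC-80DF2188D455}"
File:"<$FILE_LIBRARY>","<$WINDIR>\CouponBarIE.dll"

// Adware.Zango:
// NOTE(review): the two BrowserHelperEx entries below (and the two in Trojan.Ertfor) end with a
// bare trailing comma and no "filename=" field -- confirm the parser accepts an empty second
// argument, otherwise add the filename filter.
BrowserHelperEx:"Zango",
//BrowserHelperEx:"Zango /fleok=1D8A83A5C2E5137C9EA96A2A1FBB39BFE4976E26CAED A120180A196D6093","flagfile=1"
BrowserHelperEx:"Zango fleok=*",
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{07AA283A-43D7-4CBE-A064-32A21112D94D}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{07AA283A-43D7-4CBE-A064-32A21112D94D}"
RegyValue:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Internet Explorer\Toolbar\","{07AA283A-43D7-4CBE-A064-32A21112D94D}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{07AA283A-43D7-4CBE-A064-32A21112D94D}"

// Hijacker.Unknown:
// CLSID is random (varies per infection)
ProtocolFilter:"text/html","{8dc57e42-d33f-4a93-ad3c-18c6c2ff0eb4}"
RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\Protocols\Filter\","text/html","CLSID={8dc57e42-d33f-4a93-ad3c-18c6c2ff0eb4}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\mst122.dll"

// Malware.Fraud.AntivirusPro:
RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","AntipPro2009_100","ImagePath=<$WINDIR>\svchast.exe"
RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","AntipPro2009_100","DisplayName=AntipyProex"
File:"<$FILE_SERVICE>","<$WINDIR>\svchast.exe"

// Malware.Fraud.PersonalAntivirus:
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{A77D3539-581D-450C-9E44-A84C415A6172}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{A77D3539-581D-450C-9E44-A84C415A6172}"
BrowserHelperEx:"%26Helper","filename=msxmlm.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\msxmlm.dll"

// Malware.Fraud.WindowsAntivirusPro:
BrowserHelperEx:"ICQSys (IE PlugIn)","filename=dddesot.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{76DC0B63-1533-4ba9-8BE8-D59EB676FA02}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{76DC0B63-1533-4ba9-8BE8-D59EB676FA02}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\dddesot.dll"

// Malware.Lop:
// Based on my training at WTT I know that this entry, and all my earlier entries that looked
// similar (see my earlier sbi files), are Lop.
//AutoRun:"upload curb default new","C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Lies shim upload curb\junk pop.exe","flagifnofile=1"
AutoRun:"upload curb default new","<$COMMONAPPDATA>\Lies shim upload curb\junk pop.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","upload curb default new"
//File:"<$FILE_EXE>","C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Lies shim upload curb\junk pop.exe"
File:"<$FILE_EXE>","<$COMMONAPPDATA>\Lies shim upload curb\junk pop.exe"
Directory:"<$DIR_COMMON_APPDATA>","<$COMMONAPPDATA>\Lies shim upload curb"
//AutoRun:"close owns","C:\DOKUME~1\Ice\ANWEND~1\THEPRO~1\MORESTUPID.exe","flagifnofile=1"
AutoRun:"close owns","<$APPDATA>\THEPRO*\MORESTUPID.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","close owns"
//File:"<$FILE_EXE>","C:\DOKUME~1\Ice\ANWEND~1\THEPRO~1\MORESTUPID.exe"
File:"<$FILE_EXE>","<$APPDATA>\THEPRO*\MORESTUPID.exe"
Directory:"<$DIR_APPDATA>","<$APPDATA>\THEPRO*"

// PUPS.MyWebSearch.MyGlobalSearch:
BrowserHelperEx:"My Global Search Bar BHO","filename=MGSBAR.DLL"
BrowserHelperEx:"My Global Search Bar","filename=MGSBAR.DLL"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{37B85A21-692B-4205-9CAD-2626E4993404}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{37B85A21-692B-4205-9CAD-2626E4993404}"
RegyValue:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Internet Explorer\Toolbar\","{37B85A29-692B-4205-9CAD-2626E4993404}"
File:"<$FILE_LIBRARY>","<$PROGRAMFILES>\MyGlobalSearch\bar\1.bin\MGSBAR.DLL"
Directory:"<$DIR_PROG>","<$PROGRAMFILES>\MyGlobalSearch\bar\1.bin"
Directory:"<$DIR_PROG>","<$PROGRAMFILES>\MyGlobalSearch\bar"
Directory:"<$DIR_PROG>","<$PROGRAMFILES>\MyGlobalSearch"

// Spyware.AttuneHelpExpress:
// The asterisk * stands for an arbitrary user name
//AutoRun:"HXIUL.EXE","C:\Program Files\Alset\HelpExpress\Robert\HXIUL.EXE","flagifnofile=1"
AutoRun:"HXIUL.EXE","<$PROGRAMFILES>\Alset\HelpExpress\*\HXIUL.EXE","flagifnofile=1"
//AutoRun:"HELPEXP.EXE","C:\Program Files\Alset\HelpExpress\Robert\Client\HelpExp.exe","flagifnofile=1"
// user-name segment generalized to * so this matches the HXIUL entry above and the File: entries below
AutoRun:"HELPEXP.EXE","<$PROGRAMFILES>\Alset\HelpExpress\*\Client\HelpExp.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","HXIUL.EXE"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","HELPEXP.EXE"
File:"<$FILE_EXE>","<$PROGRAMFILES>\Alset\HelpExpress\*\HXIUL.EXE"
File:"<$FILE_EXE>","<$PROGRAMFILES>\Alset\HelpExpress\*\Client\HelpExp.exe"
Directory:"<$DIR_PROG>","<$PROGRAMFILES>\Alset\HelpExpress\*\Client"
Directory:"<$DIR_PROG>","<$PROGRAMFILES>\Alset\HelpExpress\*","filename=HXIUL.EXE"
Directory:"<$DIR_PROG>","<$PROGRAMFILES>\Alset\HelpExpress"
Directory:"<$DIR_PROG>","<$PROGRAMFILES>\Alset"

// Suspicious(1):
//BrowserHelperEx:"(no name)","flagfile=1"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{12345678-9abc-def0-0fed-cba987654321}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{12345678-9abc-def0-0fed-cba987654321}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\msplugin0000.dll"

// Suspicious(2):
AutoRun:"LVEU Agent","<$SYSDIR>\28463\LVEU.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","LVEU Agent"
File:"<$FILE_EXE>","<$SYSDIR>\28463\LVEU.exe"

// Suspicious(3):
//AutoRun:"WAB","C:\Dokumente und Einstellungen\XXX\Anwendungsdaten\Macromedia\Common\b9e340061 9.exe","flagifnofile=1"
AutoRun:"WAB","<$APPDATA>\Macromedia\Common\*.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","WAB"
//File:"<$FILE_EXE>","C:\Dokumente und Einstellungen\XXX\Anwendungsdaten\Macromedia\Common\b9e340061 9.exe"
File:"<$FILE_EXE>","<$APPDATA>\Macromedia\Common\b9e340061 9.exe"

// Suspicious(4):
//AutoRun:"hpzku",""c:\users\bocajunior\appdata\local\hpzku.exe" hpzku","flagifnofile=1"
// trailing * absorbs the " hpzku" argument that follows the path in the Run value
AutoRun:"hpzku","<$LOCALAPPDATA>\hpzku.exe*","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","hpzku"
//File:"<$FILE_EXE>",""c:\users\bocajunior\appdata\local\hpzku.exe" hpzku"
File:"<$FILE_EXE>","<$LOCALAPPDATA>\hpzku.exe"

// Suspicious(5):
RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","Pnpadcrt","Pnpadcrt={5D9F1164-9292-4803-8696-20761DEFB39F}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\imepo3d.dll"
RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","sFuDr","sFuDr={78F6540E-D25C-FEA4-64ED-0F7C86112CD9}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\hzet.dll"
RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","ClhordeiAtk","ClhordeiAtk={5F94FD38-1F4E-465F-92BA-AD15D8B066A3}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\clhordei.dll"

// Trojan.Agent:
AutoRun:"wshost32","<$SYSDIR>\wshost32.exe","flagifnofile=1"
AutoRun:"WinSys2","<$SYSDIR>\winsys2.exe","flagifnofile=1"
AutoRun:"809","<$SYSDIR>\809.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","wshost32"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","WinSys2"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","809"
File:"<$FILE_EXE>","<$SYSDIR>\wshost32.exe"
File:"<$FILE_EXE>","<$SYSDIR>\winsys2.exe"
File:"<$FILE_EXE>","<$SYSDIR>\809.exe"
ProtocolFilter:"text/html","{8fcc689c-5c11-460c-9102-f5370263c17d}"
RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\Protocols\Filter\","text/html","CLSID={8fcc689c-5c11-460c-9102-f5370263c17d}"
File:"<$FILE_LIBRARY>","<$WINDIR>\mark_32.dll"

// Trojan.Autorun:
AutoRun:"Microsoft Driver Setup","<$WINDIR>\msdrive32.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","Microsoft Driver Setup"
File:"<$FILE_EXE>","<$WINDIR>\msdrive32.exe"

// Trojan.Backdoor.UltimateDefender:
// NOTE(review): no active rule here -- only the HijackThis O4 line is quoted, so this entry
// detects nothing yet; a File: entry for the ikowin32.exe startup item is still needed.
//O4 - Startup: ikowin32.exe

// Trojan.Buzus:
//AutoRun:"cdoosoft","C:\DOKUME~1\aku\LOKALE~1\Temp\herss.exe","flagifnofile=1"
AutoRun:"cdoosoft","<$LOCALSETTINGS>\Temp\*.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","cdoosoft"
//File:"<$FILE_EXE>","C:\DOKUME~1\aku\LOKALE~1\Temp\herss.exe"
File:"<$FILE_EXE>","<$LOCALSETTINGS>\Temp\herss.exe"

// Trojan.Crypt:
RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","BNDMSS","ImagePath=<$SYSDIR>\bndmss.exe"
RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","BNDMSS","DisplayName=Windows Network Data Management System Service"
File:"<$FILE_SERVICE>","<$SYSDIR>\bndmss.exe"

// Trojan.Ertfor:
// Please don't re-classify this as Virtumonde (why else did you create Ertfor?)! ;-)
BrowserHelperEx:"<$SYSDIR>\hs7f3uhduhfukde.dll",
BrowserHelperEx:"<$SYSDIR>\tajf83ikdmf.dll",
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{bd56a320-23f2-42ad-f4e4-00aac39caa53}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{bd56a320-23f2-42ad-f4e4-00aac39caa53}"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{bf56a325-23f2-42ad-f4e4-00aac39caa53}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{bf56a325-23f2-42ad-f4e4-00aac39caa53}"
BrowserHelperEx:"*","filename=hs7f3uhduhfukde.dll"
BrowserHelperEx:"*","filename=tajf83ikdmf.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\hs7f3uhduhfukde.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\tajf83ikdmf.dll"
//AutoRun:"","C:\WINDOWS\system32\.exe","flagifnofile=1"
// wildcard value name paired with flagifnofile=0: presumably fires only when <$SYSDIR>\.exe really exists
AutoRun:"*","<$SYSDIR>\.exe","flagifnofile=0"
//RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\",""
File:"<$FILE_EXE>","<$SYSDIR>\.exe"
RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","ghya673gidh87we9inkff","ghya673gidh87we9inkff={BF56A325-23F2-42AD-F4E4-00AAC39CAA53}"
//File:"<$FILE_LIBRARY>","C:\WINDOWS\system32\tajf83ikdmf.dll"

// Trojan.Knockit:
// Because of the distinctive value name, every exe behind it should be caught
//AutoRun:"WMDM PMSP Service","C:\WINDOWS\system32\cssrss.exe","flagifnofile=1"
AutoRun:"WMDM PMSP Service","<$SYSDIR>\*.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","WMDM PMSP Service"
File:"<$FILE_EXE>","<$SYSDIR>\cssrss.exe"

// Trojan.Monopod:
//AutoRun:"Monopod","C:\DOKUME~1\******~1\LOKALE~1\Temp\6D.tmp.exe","flagifnofile=1"
AutoRun:"Monopod","<$LOCALSETTINGS>\Temp\*.tmp.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","Monopod"
//File:"<$FILE_EXE>","C:\DOKUME~1\******~1\LOKALE~1\Temp\6D.tmp.exe"
File:"<$FILE_EXE>","<$LOCALSETTINGS>\Temp\6D.tmp.exe"
//AutoRun:"Monopod","C:\DOKUME~1\Dominik\LOKALE~1\Temp\h.exe","flagifnofile=1"
AutoRun:"Monopod","<$LOCALSETTINGS>\Temp\*.exe","flagifnofile=1"
// duplicate of the "Monopod" RegyValue entry above (same hive, key and value name); harmless, could be dropped
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","Monopod"
//File:"<$FILE_EXE>","C:\DOKUME~1\Dominik\LOKALE~1\Temp\h.exe"
File:"<$FILE_EXE>","<$LOCALSETTINGS>\Temp\h.exe"

// Trojan.PWS.Onlinegames:
//AutoRun:"kamsoft","<$SYSDIR>\ckvo.exe","flagifnofile=1"
AutoRun:"kamsoft","<$SYSDIR>\*.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","kamsoft"
File:"<$FILE_EXE>","<$SYSDIR>\ckvo.exe"
//AutoRun:"12CFG914-K641-26SF-N32P","C:\RECYCLER\S-1-5-21-0243336031-4052116379-881863308-0851\vse432.exe ","flagifnofile=1"
// NOTE(review): the path keeps the trailing space from the original log entry (inside the quotes); confirm that is intended
AutoRun:"12CFG914-K641-26SF-N32P","<$SYSDRIVE>\RECYCLER\S-1-5-21-0243336031-4052116379-881863308-0851\*.exe ","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","12CFG914-K641-26SF-N32P"
File:"<$FILE_EXE>","<$SYSDRIVE>\RECYCLER\S-1-5-21-0243336031-4052116379-881863308-0851\vse432.exe"

// Trojan.TDSS.Rootkit:
// From a ComboFix log file:
//e:\windows\system32\drivers\ovfsthdorjnbhuubndyrwengxxppvvjpsdkxpf.sys
//e:\windows\system32\ovfsthfdnygwyovoihlxrekimpeyubxmoriudo.dll
//e:\windows\system32\ovfsthhlvjrudedtikrftciodiuwcmybaaatmd.dll
//e:\windows\system32\ovfsthksqnalcfdxoiuhrieaakjptfyheqgpki.dll
//e:\windows\system32\ovfsthqojebwaabqlnoqspekmsxhmgpuaordbg.dat
//e:\windows\system32\ovfsthvkncbpffsrleioymskuaaswdkmloyvbl.dat
// The following files were removed as well:
File:"<$FILE_SERVICE>","<$SYSDIR>\drivers\11e44fcc.sys"
File:"<$FILE_SERVICE>","<$SYSDIR>\drivers\a6913720.sys"
File:"<$FILE_SERVICE>","<$SYSDIR>\drivers\fc02dc63.sys"
File:"<$FILE_CONFIGURATION>","<$SYSDIR>\ubopanet.ini"
File:"<$FILE_DATA>","<$SYSDIR>\uniq.tll"

// Trojan.Unknown:
//AutoRun:"SMrhct1aj0ecft","C:\Program Files\rhct1aj0ecft\rhct1aj0ecft.exe","flagifnofile=1"
AutoRun:"*","<$PROGRAMFILES>\rhct1aj0ecft\rhct1aj0ecft.exe","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","SMrhct1aj0ecft"
//File:"<$FILE_EXE>","C:\Program Files\rhct1aj0ecft\rhct1aj0ecft.exe"
File:"<$FILE_EXE>","<$PROGRAMFILES>\rhct1aj0ecft\rhct1aj0ecft.exe"
Directory:"<$DIR_PROG>","<$PROGRAMFILES>\rhct1aj0ecft"

// Trojan.Virtumonde:
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{9cc3aba8-eb97-4b89-9b47-50c077601ab3}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{9cc3aba8-eb97-4b89-9b47-50c077601ab3}"
BrowserHelperEx:"*","filename=fokumiro.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\fokumiro.dll"
// the rundll32-style Run values below are matched on the DLL path; the trailing * absorbs the ",s" / ",a" argument
//AutoRun:"rupahizado","Rundll32.exe "C:\WINDOWS\system32\majudohi.dll",s","flagifnofile=1"
AutoRun:"*","<$SYSDIR>\majudohi.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","rupahizado"
File:"<$FILE_LIBRARY>","<$SYSDIR>\majudohi.dll"
//AutoRun:"MSServer","rundll32.exe C:\WINDOWS\system32\yayYoMDV.dll,s","flagifnofile=1"
AutoRun:"MSServer","<$SYSDIR>\*.dll*","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","MSServer"
File:"<$FILE_LIBRARY>","<$SYSDIR>\yayYoMDV.dll"
//AutoRun:"hibirozoye","Rundll32.exe "C:\WINDOWS\system32\muwuhare.dll",s","flagifnofile=1"
AutoRun:"*","<$SYSDIR>\muwuhare.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","hibirozoye"
File:"<$FILE_LIBRARY>","<$SYSDIR>\muwuhare.dll"
//AutoRun:"CPMabe41b4a","Rundll32.exe "c:\windows\system32\liwifina.dll",a","flagifnofile=1"
AutoRun:"CPM*","<$SYSDIR>\liwifina.dll*","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","CPMabe41b4a"
File:"<$FILE_LIBRARY>","<$SYSDIR>\liwifina.dll"
// AppInit_DLLs entries: RegyRemove strips only the named DLL from the value rather than deleting the whole value
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\hnetmonn.dll"
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\ragehage.dll"
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\fokumiro.dll"
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\pedisasa.dll"
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\damiridi.dll"
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\yidusaze.dll"
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","knuelo.dll"
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","cwpyqj.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\hnetmonn.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\ragehage.dll"
// fokumiro.dll is already listed under the BHO entries above; duplicate kept for readability
File:"<$FILE_LIBRARY>","<$SYSDIR>\fokumiro.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\pedisasa.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\damiridi.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\yidusaze.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\knuelo.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\cwpyqj.dll"
RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\","lzwbyrsk","DllName=lzwbyrsk.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\lzwbyrsk.dll"
RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\","c00DF1EA","DllName=c00DF1EA.mat"
File:"<$FILE_LIBRARY>","<$SYSDIR>\c00DF1EA.mat"
RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","TvEvyDexK","TvEvyDexK={28C4DA15-826E-70BF-C07D-0F3A5DF86FDC}"
// From a ComboFix log file:
File:"<$FILE_DATA>","<$SYSDIR>\__c002E8E2.dat"
File:"<$FILE_DATA>","<$SYSDIR>\__c0088D2E.dat"
File:"<$FILE_DATA>","<$SYSDIR>\__c008F8AF.dat"
File:"<$FILE_DATA>","<$SYSDIR>\__c00D66A2.dat"
File:"<$FILE_LIBRARY>","<$SYSDIR>\amndndkt.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\ayyewe.dll"
File:"<$FILE_CONFIGURATION>","<$SYSDIR>\BdMmWHQr.ini"
File:"<$FILE_CONFIGURATION>","<$SYSDIR>\BdMmWHQr.ini2"
File:"<$FILE_LIBRARY>","<$SYSDIR>\bmcljcoc.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\bngwccxx.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\bwumdmuq.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\bycsuahs.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\cexkqtdu.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\frlmui.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\fwtfxc.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\gupnqglp.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\hiptprry.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\hlfduoqt.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\hnwknn.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\iyhyly.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\jsbouuwn.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\ktvovysl.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\kxvbzr.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\lgjdvyvc.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\lgkzif.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\lqnrvbhq.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\mmwmlito.dll"
File:"<$FILE_CONFIGURATION>","<$SYSDIR>\mugqyxnp.ini"
File:"<$FILE_LIBRARY>","<$SYSDIR>\onpotk.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\pinolsmb.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\pqjwjqaf.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\pujrjv.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\pywzxn.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\qotckv.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\rQHWmMdB.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\sdlsdhja.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\tjpkomcn.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\tkeozp.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\uhhiva.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\vhjlbz.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\vwmmiq.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\wdlxcv.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\winsokhy.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\xejxvu.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\yjopkb.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\zgwilh.dll"

// Trojan.Zbot:
// "NTFile" is used because of the rootkit characteristics (the file may be hidden from normal file APIs)
// RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\","UserInit","UserInit=C:\WINDOWS\system32\userinit.exe,C:\Dokum ente und Einstellungen\xxx\hlro.exe \s"
// RegyRemove strips only the hlro.exe component from UserInit so the legitimate userinit.exe entry is preserved
RegyRemove:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\","UserInit","<$PROFILE>\hlro.exe*"
NTFile:"<$FILE_EXE>","<$PROFILE>\hlro.exe"

// Worm.Realbot:
//AutoRun:"Windows Live","C:\Documents and Settings\User1\Application Data\WindowsLive.exe","flagifnofile=1"
AutoRun:"Windows Live","<$APPDATA>\WindowsLive.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","Windows Live"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","Windows Live"
//File:"<$FILE_EXE>","C:\Documents and Settings\User1\Application Data\WindowsLive.exe"
File:"<$FILE_EXE>","<$APPDATA>\WindowsLive.exe"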