
Thread: New Malware v25


    New Malware v25

    I've collected detection rules for the following malware:
    • Adware.SurfSideKick
    • Dialer.AdultContent
    • Malware.Fraud.Antivirus2009
    • Malware.Fraud.SafetyCenter
    • Malware.Fraud.SystemCop
    • Malware.Fraud.TotalSecurity
    • Malware.Fraud.WindowsPolicePro
    • Malware.LOP
    • Malware.Smitfraud
    • Malware.Unknown
    • PUPS.FastBrowserSearchToolbar
    • PUPS.PandoBar
    • Suspicious(4)
    • Trojan.Agent(7)
    • Trojan.Autorun
    • Trojan.Banker
    • Trojan.Haxdoor
    • Trojan.Podnuha.Rootkit
    • Trojan.TDSS.Rootkit(4)
    • Trojan.Unknown(3)
    • Trojan.Virtumonde
    • Trojan.Zbot
    Category: Trojan
    Code:
    :: New Malware v25
    // Revision 1
    // {Cat:Trojan}{Cnt:1}
    // {Det:Matt,2009-09-03}
    
    // Adware.SurfSideKick:
    // RegyRemove strips only the named DLL from the AppInit_DLLs value, so any other
    // entries sharing that value are left untouched. AppInit_DLLs is a well-known
    // DLL-injection persistence location, which is why the value is cleaned here.
    RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","dxclib303562752.dll"
    // NOTE(review): the file rule is commented out, so this section cleans the
    // registry value only; the DLL on disk is neither detected nor removed.
    //File:"<$FILE_WEBPAGE>","dxclib303562752.dll"
    
    // Dialer.AdultContent:
    // OpenSBI did not import the following HijackThis O16 entry for me:
    // O16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:\Program Files\Q666777.exe
    // Only the dropped executable is covered; the DPF entry itself has no rule here.
    File:"<$FILE_EXE>","<$PROGRAMFILES>\Q666777.exe"
    
    // Malware.Fraud.Antivirus2009:
    // Run entry as observed; the value name is a 32-digit string, so the AutoRun
    // rule below matches any value name with "*":
    // AutoRun:"68385398260456229412632071647692","C:\Program Files\Antivirus 2009\av2009.exe","flagifnofile=1"
    // NOTE(review): flagifnofile=0 here, unlike the =1 used by most entries in this
    // set — presumably the entry is only reported when av2009.exe exists; confirm.
    AutoRun:"*","<$PROGRAMFILES>\Antivirus 2009\av2009.exe","flagifnofile=0"
    // The registry cleanup still keys on the exact value name that was observed.
    RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","68385398260456229412632071647692"
    File:"<$FILE_EXE>","<$PROGRAMFILES>\Antivirus 2009\av2009.exe"
    Directory:"<$DIR_PROG>","<$PROGRAMFILES>\Antivirus 2009"
    
    // Malware.Fraud.SafetyCenter:
    // The "~" in the file pattern below is deliberate (the dropped DLL name starts
    // with a tilde; the "??" presumably stands for two variable characters).
    RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{EB09B56A-91AB-11DE-95FD-A39056D89593}"
    RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{EB09B56A-91AB-11DE-95FD-A39056D89593}"
    File:"<$FILE_LIBRARY>","<$LOCALSETTINGS>\Temp\~??.dll"
    
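    // Malware.Fraud.SystemCop:
    // Fake security product (category Malware.Fraud). Run entry as observed, with
    // its "-min" argument; the rule below wildcards the argument with a trailing "*":
    // AutoRun:"SystemCop","C:\Program Files\SystemCop Software\SystemCop\SystemCop.exe -min","flagifnofile=1"
    AutoRun:"SystemCop","<$PROGRAMFILES>\SystemCop Software\SystemCop\SystemCop.exe*","flagifnofile=1"
    RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","SystemCop"
    // File:"<$FILE_EXE>","C:\Program Files\SystemCop Software\SystemCop\SystemCop.exe -min"
    File:"<$FILE_EXE>","<$PROGRAMFILES>\SystemCop Software\SystemCop\SystemCop.exe"
    // NOTE(review): ImagePath/DisplayName are service-style values, and the service
    // key itself is listed further down under \SYSTEM\CurrentControlSet\Services;
    // confirm the SharedTaskScheduler path here is what the importer intended.
    RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","SystemCopSvc","ImagePath=<$PROGRAMFILES>\SystemCop Software\SystemCop\SystemCopSvc.exe"
    RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","SystemCopSvc","DisplayName=SystemCop Security Service"
    File:"<$FILE_EXE>","<$PROGRAMFILES>\SystemCop Software\SystemCop\SystemCopSvc.exe"
    File:"<$FILE_TEXT>","<$PROGRAMFILES>\SystemCop Software\SystemCop\license.txt"
    File:"<$FILE_EXE>","<$PROGRAMFILES>\SystemCop Software\SystemCop\uninstall.exe"
    // Oddly named .cpl/.dll droppings in the Windows directory (names as observed).
    File:"<$FILE_DATA>","<$WINDIR>\102z6w59m3c4.cpl"
    File:"<$FILE_LIBRARY>","<$WINDIR>\1044zhackt9ol5b2.dll"
    File:"<$FILE_DATA>","<$WINDIR>\10683v9rzs656.cpl"
    File:"<$FILE_DATA>","<$WINDIR>\10915hief309z.cpl"
    File:"<$FILE_DESKTOPLINK>","<$COMMONDESKTOP>\SystemCop.lnk"
    File:"<$FILE_LINK>","<$COMMONPROGRAMS>\SystemCop\1 SystemCop.lnk"
    File:"<$FILE_LINK>","<$COMMONPROGRAMS>\SystemCop\2 Homepage.lnk"
    File:"<$FILE_LINK>","<$COMMONPROGRAMS>\SystemCop\3 Uninstall.lnk"
    // Each directory is listed once, after the files it contains, deepest first.
    Directory:"<$DIR_PROG>","<$COMMONPROGRAMS>\SystemCop"
    Directory:"<$DIR_PROG>","<$PROGRAMFILES>\SystemCop Software\SystemCop"
    Directory:"<$DIR_PROG>","<$PROGRAMFILES>\SystemCop Software"
    // HKEY_CURRENT_USER\Software\SystemCop
    RegyKey:"<$REG_SETTINGS>",HKEY_CURRENT_USER,"\SOFTWARE\","SystemCop"
    // HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SystemCop
    // NOTE(review): this path and the two \SYSTEM\... paths below carry no trailing
    // backslash, unlike the other RegyKey paths in this set; confirm OpenSBI treats
    // both forms alike.
    RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall","SystemCop"
    // HKEY_LOCAL_MACHINE\SOFTWARE\SystemCop
    RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\","SystemCop"
    // HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SYSTEMCOPSVC
    RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SYSTEM\CurrentControlSet\Enum\Root","LEGACY_SYSTEMCOPSVC"
    // HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SystemCopSvc
    RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SYSTEM\CurrentControlSet\Services","SystemCopSvc"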
    
    // Malware.Fraud.TotalSecurity:
    RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{35A5B43B-CB8A-49CA-A9F4-D3B308D2E3CC}"
    RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{35A5B43B-CB8A-49CA-A9F4-D3B308D2E3CC}"
    // NOTE(review): "%26" is the URL-encoded form of "&", so the BHO display name is
    // presumably "&IE Help"; kept as imported — confirm the encoding is intended.
    BrowserHelperEx:"%26IE Help","filename=iehelpmod.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\iehelpmod.dll"
    
    // Malware.Fraud.WindowsPolicePro:
    // Fake security product (category Malware.Fraud): a BHO, a Run entry, a
    // service-style registry key and the installation directory under Program Files.
    RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{76DC0B63-1533-4ba9-8BE8-D59EB676FA02}"
    RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{76DC0B63-1533-4ba9-8BE8-D59EB676FA02}"
    // The BHO presents itself under a name that imitates an ICQ plug-in.
    BrowserHelperEx:"ICQSys (IE PlugIn)","filename=dddesot.dll"
    AutoRun:"minix32","<$SYSDIR>\minix32.exe","flagifnofile=1"
    RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","minix32"
    File:"<$FILE_EXE>","<$SYSDIR>\minix32.exe"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\dddesot.dll"
    // NOTE(review): ImagePath/DisplayName are service-style values; confirm the
    // SharedTaskScheduler path is what the importer intended rather than the
    // \SYSTEM\CurrentControlSet\Services key.
    RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","AntipPro2009_100","ImagePath=<$WINDIR>\svchasts.exe"
    RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","AntipPro2009_100","DisplayName=AntipyProex"
    // The service binary name resembles the legitimate svchost.exe; note it sits in
    // <$WINDIR>, not <$SYSDIR>.
    File:"<$FILE_EXE>","<$WINDIR>\svchasts.exe"
    File:"<$FILE_EXE>","<$PROGRAMFILES>\Windows Police Pro\ANTI_files.exe"
    // NOTE(review): "ignore=2" is set only on the three runtime-library names below;
    // presumably it lowers or suppresses reporting because msvcp80/msvcr80 are also
    // shipped by legitimate software — confirm against the OpenSBI documentation.
    File:"<$FILE_LIBRARY>","<$PROGRAMFILES>\Windows Police Pro\svcm80.dll","ignore=2"
    File:"<$FILE_LIBRARY>","<$PROGRAMFILES>\Windows Police Pro\msvcp80.dll","ignore=2"
    File:"<$FILE_LIBRARY>","<$PROGRAMFILES>\Windows Police Pro\msvcr80.dll","ignore=2"
    File:"<$FILE_EXE>","<$PROGRAMFILES>\Windows Police Pro\windows Police Pro.exe"
    File:"<$FILE_EXE>","<$PROGRAMFILES>\Windows Police Pro\tmp\dbsinit.exe"
    File:"<$FILE_WEBPAGE>","<$PROGRAMFILES>\Windows Police Pro\tmp\wispex.html"
    // Image files of the fake scanner UI; "?" wildcards cover the numbered variants.
    File:"<$FILE_PICTURE>","<$PROGRAMFILES>\Windows Police Pro\tmp\images\i?.gif"
    File:"<$FILE_PICTURE>","<$PROGRAMFILES>\Windows Police Pro\tmp\images\j?.gif"
    File:"<$FILE_PICTURE>","<$PROGRAMFILES>\Windows Police Pro\tmp\images\jj?.gif"
    File:"<$FILE_PICTURE>","<$PROGRAMFILES>\Windows Police Pro\tmp\images\l?.gif"
    File:"<$FILE_PICTURE>","<$PROGRAMFILES>\Windows Police Pro\tmp\images\pix.gif"
    File:"<$FILE_PICTURE>","<$PROGRAMFILES>\Windows Police Pro\tmp\images\t?.gif"
    File:"<$FILE_PICTURE>","<$PROGRAMFILES>\Windows Police Pro\tmp\images\up?.gif"
    File:"<$FILE_PICTURE>","<$PROGRAMFILES>\Windows Police Pro\tmp\images\w??.gif"
    File:"<$FILE_PICTURE>","<$PROGRAMFILES>\Windows Police Pro\tmp\images\w?.gif"
    File:"<$FILE_PICTURE>","<$PROGRAMFILES>\Windows Police Pro\tmp\images\w?.jpg"
    File:"<$FILE_PICTURE>","<$PROGRAMFILES>\Windows Police Pro\tmp\images\wt?.gif"
    // Directories deepest first, after the files they contain.
    Directory:"<$DIR_PROG>","<$PROGRAMFILES>\Windows Police Pro\tmp\images"
    Directory:"<$DIR_PROG>","<$PROGRAMFILES>\Windows Police Pro\tmp"
    Directory:"<$DIR_PROG>","<$PROGRAMFILES>\Windows Police Pro"
    
    // Malware.LOP:
    // Observed Run entry; the file name carries a random suffix, hence the wildcard:
    // AutoRun:"clock bias","<$COMMONAPPDATA>\Upload6464.2hkgtly","flagifnofile=1"
    AutoRun:"clock bias","<$COMMONAPPDATA>\Upload*.*","flagifnofile=1"
    RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","clock bias"
    // NOTE(review): "Upload*.*" directly under the common application-data folder is
    // broad — any legitimate file named Upload* there would be reported; consider
    // narrowing the pattern if false positives show up.
    File:"<$FILE_DATA>","<$COMMONAPPDATA>\Upload*.*"
    
    // Malware.Smitfraud:
    // The current Spybot could not delete the following entry, possibly because a
    // TDSS rootkit was present on the system.
    // AutoRun:"A00F213A323F.exe","C:\DOCUME~1\SKILLF~1\LOCALS~1\Temp\_A00F213A323F.exe","flagifnofile=1"
    AutoRun:"A00F213A323F.exe","<$LOCALSETTINGS>\Temp\_A00F213A323F.exe","flagifnofile=1"
    RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","A00F213A323F.exe"
    // Observed path (8.3 short form) kept for reference; the rule uses the placeholder.
    // File:"<$FILE_EXE>","C:\DOCUME~1\SKILLF~1\LOCALS~1\Temp\_A00F213A323F.exe"
    File:"<$FILE_EXE>","<$LOCALSETTINGS>\Temp\_A00F213A323F.exe"
    
    // Malware.Unknown:
    RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{90DC4F03-A9C6-35C6-9883-E5868BFAE18E}"
    RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{90DC4F03-A9C6-35C6-9883-E5868BFAE18E}"
    // Observed name was xwr18478.dll; the five digits are assumed to vary, so the
    // rules below use "?????" (exactly five characters) rather than "*".
    // BrowserHelperEx:"D","filename=xwr18478.dll"
    BrowserHelperEx:"D","filename=xwr?????.dll"
    // File:"<$FILE_LIBRARY>","<$SYSDIR>\xwr18478.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\xwr?????.dll"
    
    // PUPS.FastBrowserSearchToolbar:
    RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{F0626A63-410B-45E2-99A1-3F2475B2D695}"
    // NOTE(review): this Toolbar CLSID is also listed in the PUPS.PandoBar section
    // below; whichever section matches first will report it.
    RegyValue:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Internet Explorer\Toolbar\","{E3EA4FD9-CADE-4ae5-84F7-086EEE888BE4}"
    RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{F0626A63-410B-45E2-99A1-3F2475B2D695}"
    // "Search Assistant" has been seen backed by either DLL, so both pairings are listed.
    BrowserHelperEx:"Search Assistant","filename=BHO.dll"
    BrowserHelperEx:"Search Assistant","filename=FBStoolbar.dll"
    BrowserHelperEx:"Fast Browser Search Toolbar Helper","filename=FBStoolbar.dll"
    File:"<$FILE_LIBRARY>","<$PROGRAMFILES>\SGPSA\BHO.dll"
    File:"<$FILE_LIBRARY>","<$PROGRAMFILES>\SGPSA\FBStoolbar.dll"
    Directory:"<$DIR_PROG>","<$PROGRAMFILES>\SGPSA"
    
    // PUPS.PandoBar:
    // Two BHOs (search assistant and toolbar) plus the IE toolbar registration.
    RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{06663B51-0D73-4f9f-BCC5-4AA941470AFD}"
    RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{06663B51-0D73-4f9f-BCC5-4AA941470AFD}"
    RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{E3EA4FD1-CADE-4ae5-84F7-086EEE888BE4}"
    // NOTE(review): the Toolbar CLSID below (…4FD9…) differs from the BHO CLSID above
    // (…4FD1…) in one digit and is also listed under PUPS.FastBrowserSearchToolbar.
    RegyValue:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Internet Explorer\Toolbar\","{E3EA4FD9-CADE-4ae5-84F7-086EEE888BE4}"
    RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{E3EA4FD1-CADE-4ae5-84F7-086EEE888BE4}"
    BrowserHelperEx:"Pando Search Assistant BHO","filename=P4SRCHAS.DLL"
    BrowserHelperEx:"Pando Toolbar BHO","filename=PANDOBAR.DLL"
    BrowserHelperEx:"Pando Toolbar","filename=PANDOBAR.DLL"
    // The "?.bin" path element is a version folder whose single character varies.
    File:"<$FILE_LIBRARY>","<$PROGRAMFILES>\PandoBar\bar\?.bin\PANDOBAR.DLL"
    File:"<$FILE_LIBRARY>","<$PROGRAMFILES>\PandoBar\SrchAstt\?.bin\P4SRCHAS.DLL"
    Directory:"<$DIR_PROG>","<$PROGRAMFILES>\PandoBar\bar\?.bin"
    Directory:"<$DIR_PROG>","<$PROGRAMFILES>\PandoBar\bar"
    Directory:"<$DIR_PROG>","<$PROGRAMFILES>\PandoBar\SrchAstt\?.bin"
    Directory:"<$DIR_PROG>","<$PROGRAMFILES>\PandoBar\SrchAstt"
    Directory:"<$DIR_PROG>","<$PROGRAMFILES>\PandoBar"
    
    // Suspicious(1):
    // Two executables in a "winnt" sub-folder of the system directory, a location no
    // legitimate Windows component uses. "cssrs.exe" appears to imitate csrss.exe.
    File:"<$FILE_EXE>","<$SYSDIR>\winnt\System.exe"
    File:"<$FILE_EXE>","<$SYSDIR>\winnt\cssrs.exe"
    
    // Suspicious(2):
    // An AppInit_DLLs entry (only the named DLL is stripped from the value) and a
    // service-style key pointing at an executable in the drive root.
    RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","f_ai.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\f_ai.dll"
    // NOTE(review): a file named Program.exe in the drive root is the classic target
    // of unquoted-service-path hijacking ("C:\Program Files\..." parsed as
    // "C:\Program.exe"), which makes this entry worth keeping even without attribution.
    RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","ALYac_PZSrv","ImagePath=<$SYSDRIVE>\Program.exe"
    File:"<$FILE_EXE>","<$SYSDRIVE>\Program.exe"
    
    // Suspicious(3):
    // O1 - Hosts: 74.206.175.177 nexon.net
    // O1 - Hosts: 74.206.175.177 http://www.nexon.net
    // O1 - Hosts: 74.206.175.177 maplestory.nexon.net
    // O1 - Hosts: 74.206.175.177 maplestory.com
    // O1 - Hosts: 74.206.175.177 http://www.maplestory.com
    // O1 - Hosts: 65.54.239.80 dp.msnmessenger.skadns.net
    // O1 - Hosts: 94.232.248.66 inetavirus.com
    // O1 - Hosts: 94.232.248.66 www.inetavirus.com
    // O1 - Hosts: 194.165.4.145 eggbank.com
    // O1 - Hosts: 69.249.196.166 idenupdate.motorola.com
    // O1 - Hosts: 74.125.45.100 4-open-davinci.com
    // O1 - Hosts: 74.125.45.100 securitysoftwarepayments.com
    // O1 - Hosts: 74.125.45.100 privatesecuredpayments.com
    // O1 - Hosts: 74.125.45.100 secure.privatesecuredpayments.com
    // O1 - Hosts: 74.125.45.100 getantivirusplusnow.com
    // O1 - Hosts: 74.125.45.100 secure-plus-payments.com
    // O1 - Hosts: 74.125.45.100 www.getantivirusplusnow.com
    // O1 - Hosts: 74.125.45.100 www.secure-plus-payments.com
    // O1 - Hosts: 74.125.45.100 www.getavplusnow.com
    // O1 - Hosts: 74.125.45.100 www.securesoftwarebill.com
    // O1 - Hosts: 74.125.45.100 secure.paysecuresystem.com
    // O1 - Hosts: 74.125.45.100 4-open-davinci.com
    // O1 - Hosts: 74.125.45.100 securitysoftwarepayments.com
    // O1 - Hosts: 74.125.45.100 privatesecuredpayments.com
    // O1 - Hosts: 74.125.45.100 secure.privatesecuredpayments.com
    // O1 - Hosts: 74.125.45.100 getantivirusplusnow.com
    // O1 - Hosts: 74.125.45.100 secure-plus-payments.com
    // O1 - Hosts: 74.125.45.100 www.getantivirusplusnow.com
    // O1 - Hosts: 74.125.45.100 www.secure-plus-payments.com
    // O1 - Hosts: 74.125.45.100 www.getavplusnow.com
    // O1 - Hosts: 74.125.45.100 www.securesoftwarebill.com
    // O1 - Hosts: 74.125.45.100 secure.paysecuresystem.com
    // O1 - Hosts: 64.86.17.32 google.ae
    // O1 - Hosts: 64.86.17.32 google.as
    // O1 - Hosts: 64.86.17.32 google.at
    // O1 - Hosts: 64.86.17.32 google.az
    // O1 - Hosts: 64.86.17.32 google.ba
    // O1 - Hosts: 64.86.17.32 google.be
    // O1 - Hosts: 64.86.17.32 google.bg
    // O1 - Hosts: 64.86.17.32 google.bs
    // O1 - Hosts: 64.86.17.32 google.ca
    // O1 - Hosts: 64.86.17.32 google.cd
    // O1 - Hosts: 64.86.17.32 google.com.gh
    // O1 - Hosts: 64.86.17.32 google.com.hk
    // O1 - Hosts: 64.86.17.32 google.com.jm
    // O1 - Hosts: 64.86.17.32 google.com.mx
    // O1 - Hosts: 64.86.17.32 google.com.my
    // O1 - Hosts: 64.86.17.32 google.com.na
    // O1 - Hosts: 64.86.17.32 google.com.nf
    // O1 - Hosts: 64.86.17.32 google.com.ng
    // O1 - Hosts: 64.86.17.32 google.ch
    // O1 - Hosts: 64.86.17.32 google.com.np
    // O1 - Hosts: 64.86.17.32 google.com.pr
    // O1 - Hosts: 64.86.17.32 google.com.qa
    // O1 - Hosts: 64.86.17.32 google.com.sg
    // O1 - Hosts: 64.86.17.32 google.com.tj
    // O1 - Hosts: 64.86.17.32 google.com.tw
    // O1 - Hosts: 64.86.17.32 google.dj
    // O1 - Hosts: 64.86.17.32 google.de
    // O1 - Hosts: 64.86.17.32 google.dk
    // O1 - Hosts: 64.86.17.32 google.dm
    // O1 - Hosts: 64.86.17.32 google.ee
    // O1 - Hosts: 64.86.17.32 google.fi
    // O1 - Hosts: 64.86.17.32 google.fm
    // O1 - Hosts: 64.86.17.32 google.fr
    // O1 - Hosts: 64.86.17.32 google.ge
    // O1 - Hosts: 64.86.17.32 google.gg
    // O1 - Hosts: 64.86.17.32 google.gm
    // O1 - Hosts: 64.86.17.32 google.gr
    // O1 - Hosts: 64.86.17.32 google.ht
    // O1 - Hosts: 64.86.17.32 google.ie
    // O1 - Hosts: 64.86.17.32 google.im
    // O1 - Hosts: 64.86.17.32 google.in
    // O1 - Hosts: 64.86.17.32 google.it
    // O1 - Hosts: 64.86.17.32 google.ki
    // O1 - Hosts: 64.86.17.32 google.la
    // O1 - Hosts: 64.86.17.32 google.li
    // O1 - Hosts: 64.86.17.32 google.lv
    // O1 - Hosts: 64.86.17.32 google.ma
    // O1 - Hosts: 64.86.17.32 google.ms
    // O1 - Hosts: 64.86.17.32 google.mu
    // O1 - Hosts: 64.86.17.32 google.mw
    // O1 - Hosts: 64.86.17.32 google.nl
    // O1 - Hosts: 64.86.17.32 google.no
    // O1 - Hosts: 64.86.17.32 google.nr
    // O1 - Hosts: 64.86.17.32 google.nu
    // O1 - Hosts: 64.86.17.32 google.pl
    // O1 - Hosts: 64.86.17.32 google.pn
    // O1 - Hosts: 64.86.17.32 google.pt
    // O1 - Hosts: 64.86.17.32 google.ro
    // O1 - Hosts: 64.86.17.32 google.ru
    // O1 - Hosts: 64.86.17.32 google.rw
    // O1 - Hosts: 64.86.17.32 google.sc
    // O1 - Hosts: 64.86.17.32 google.se
    // O1 - Hosts: 64.86.17.32 google.sh
    // O1 - Hosts: 64.86.17.32 google.si
    // O1 - Hosts: 64.86.17.32 google.sm
    // O1 - Hosts: 64.86.17.32 google.sn
    // O1 - Hosts: 64.86.17.32 google.st
    // O1 - Hosts: 64.86.17.32 google.tl
    // O1 - Hosts: 64.86.17.32 google.tm
    // O1 - Hosts: 64.86.17.32 google.tt
    // O1 - Hosts: 64.86.17.32 google.us
    // O1 - Hosts: 64.86.17.32 google.vu
    // O1 - Hosts: 64.86.17.32 google.ws
    // O1 - Hosts: 64.86.17.32 google.co.ck
    // O1 - Hosts: 64.86.17.32 google.co.id
    // O1 - Hosts: 64.86.17.32 google.co.il
    // O1 - Hosts: 64.86.17.32 google.co.in
    // O1 - Hosts: 64.86.17.32 google.co.jp
    // O1 - Hosts: 64.86.17.32 google.co.kr
    // O1 - Hosts: 64.86.17.32 google.co.ls
    // O1 - Hosts: 64.86.17.32 google.co.ma
    // O1 - Hosts: 64.86.17.32 google.co.nz
    // O1 - Hosts: 64.86.17.32 google.co.tz
    // O1 - Hosts: 64.86.17.32 google.co.ug
    // O1 - Hosts: 64.86.17.32 google.co.uk
    // O1 - Hosts: 64.86.17.32 google.co.za
    // O1 - Hosts: 64.86.17.32 google.co.zm
    // O1 - Hosts: 64.86.17.32 google.com
    // O1 - Hosts: 64.86.17.32 google.com.af
    // O1 - Hosts: 64.86.17.32 google.com.ag
    // O1 - Hosts: 193.125.23.12 updates.sald.com
    // O1 - Hosts: 209.44.111.62 safesystem.microsoft.com
    // O1 - Hosts: 209.44.111.62 antiviraprof.com
    // O1 - Hosts: 209.44.111.62 http://www.antiviraprof.com
    // O1 - Hosts: 91.206.201.8 intsecureprof.microsoft.com
    // O1 - Hosts: 91.206.201.8 intsecureprof.com
    // O1 - Hosts: 91.206.201.8 www.intsecureprof.com
    // O1 - Hosts: 91.212.127.221 viruskill2009.microsoft.com
    // O1 - Hosts: 91.212.127.221 viruskill2009.com
    // O1 - Hosts: 91.212.127.221 www.viruskill2009.com
    // O1 - Hosts: 91.206.201.8 oemantivir.microsoft.com
    // O1 - Hosts: 91.206.201.8 oemantivir.com
    // O1 - Hosts: 91.206.201.8 www.oemantivir.com
    // O1 - Hosts: 209.44.111.57 spydetect.microsoft.com
    // O1 - Hosts: 209.44.111.57 antivirwin2009.com
    // O1 - Hosts: 209.44.111.57 www.antivirwin2009.com
    
    // Suspicious(4):
    // The following folders and files were deleted by ComboFix:
    // c:\windows\system32\SystemService32
    // c:\windows\system32\SystemService32\157.crack.zip.kwd
    // c:\windows\system32\SystemService32\158.keygen.zip.kwd
    // c:\windows\system32\SystemService32\159.serial.zip.kwd
    // c:\windows\system32\SystemService32\160.setup.zip.kwd
    // c:\windows\system32\SystemService32\161.music.au.kwd
    // c:\windows\system32\SystemService32\162.music.mp3.kwd
    // c:\windows\system32\SystemService32\163.music.wma.kwd
    // c:\windows\system32\SystemService32\164.music.snd.kwd
    
    // Trojan.Agent(1):
    // Observed Run entry carried a "\u" argument; the rule wildcards it with "*":
    //AutoRun:"edwyupv","C:\WINDOWS\system32\edwyupv.exe \u","flagifnofile=1"
    AutoRun:"edwyupv","<$SYSDIR>\edwyupv.exe*","flagifnofile=1"
    RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","edwyupv"
    File:"<$FILE_EXE>","<$SYSDIR>\edwyupv.exe"
    
    // Trojan.Agent(2):
    // Seen under two Run value names for the same file (the user name in the observed
    // path was redacted as ***). The GUID-named entry is matched with "*" since the
    // GUID is presumably per-infection; the registry cleanup keys on the observed one.
    // AutoRun:"{1AC2C510-A3F1-E78C-3DBF-4023E2395225}","C:\Users\***\AppData\Roaming\winup.exe","flagifnofile=1"
    AutoRun:"*","<$APPDATA>\winup.exe","flagifnofile=1"
    // AutoRun:"WindowsUpdater","C:\Users\***\AppData\Roaming\winup.exe","flagifnofile=1"
    AutoRun:"WindowsUpdater","<$APPDATA>\winup.exe","flagifnofile=1"
    RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","{1AC2C510-A3F1-E78C-3DBF-4023E2395225}"
    RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","WindowsUpdater"
    File:"<$FILE_EXE>","<$APPDATA>\winup.exe"
    
    // Trojan.Agent(3):
    // Same Run value name checked in both HKLM and HKCU.
    AutoRun:"sys32_nov","<$SYSDIR>\sys32_nov.exe","flagifnofile=1"
    RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","sys32_nov"
    RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","sys32_nov"
    File:"<$FILE_EXE>","<$SYSDIR>\sys32_nov.exe"
    
    // Trojan.Agent(4):
    // NOTE(review): older Windows versions ship a legitimate internat.exe in <$SYSDIR>;
    // this rule keys on a copy in <$WINDIR>, which is what makes it specific.
    AutoRun:"internat","<$WINDIR>\internat.exe","flagifnofile=1"
    RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","internat"
    File:"<$FILE_EXE>","<$WINDIR>\internat.exe"
    // Companion AppInit_DLLs entry; only the named .dat is stripped from the value.
    RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","cru629.dat"
    File:"<$FILE_DATA>","<$SYSDIR>\cru629.dat"
    
    // Trojan.Agent(5):
    // NOTE(review): the genuine winlogon.exe lives in <$SYSDIR> and is not started via
    // a Run value; the <$WINDIR> path plus the Run entry are what this rule keys on.
    AutoRun:"winlogon","<$WINDIR>\winlogon.exe","flagifnofile=1"
    RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","winlogon"
    File:"<$FILE_EXE>","<$WINDIR>\winlogon.exe"
    
    // Trojan.Agent(6):
    // NOTE(review): the Run value name ("avpa") and the file name ("avpo.exe") differ;
    // presumably as observed in the log — confirm it is not a typo.
    AutoRun:"avpa","<$SYSDIR>\avpo.exe","flagifnofile=1"
    RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","avpa"
    File:"<$FILE_EXE>","<$SYSDIR>\avpo.exe"
    
    // Trojan.Agent(7):
    AutoRun:"PromoReg","<$WINDIR>\Temp\_ex-68.exe","flagifnofile=1"
    RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","PromoReg"
    File:"<$FILE_EXE>","<$WINDIR>\Temp\_ex-68.exe"
    // OpenSBI did not import the following entry for me:
    // O18 - Filter hijack: text/html - {18707f23-c389-4cc9-98fa-d2edf4f7d91f} - C:\WINDOWS\system32\mst120.dll
    // NOTE(review): a BrowserHelperEx rule with a "*" name is used as the fallback for
    // the filter hijack; the text/html filter registration itself has no rule here.
    BrowserHelperEx:"*","filename=mst120.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\mst120.dll"
    
    // Trojan.Autorun:
    // Two sibling droppers with the same pattern: Run value name equals file base name.
    AutoRun:"vamsoft","<$SYSDIR>\vamsoft.exe","flagifnofile=1"
    AutoRun:"kamsoft","<$SYSDIR>\kamsoft.exe","flagifnofile=1"
    RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","vamsoft"
    RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","kamsoft"
    File:"<$FILE_EXE>","<$SYSDIR>\vamsoft.exe"
    File:"<$FILE_EXE>","<$SYSDIR>\kamsoft.exe"
    
    // Trojan.Banker:
    // One BHO CLSID registered under the single-letter name "H", backed by any of
    // several DLL names; "down?.dll" covers numbered variants of down.dll.
    RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{30EDD4CB-8BC1-4f9f-99A6-A6938E9AACE0}"
    RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{30EDD4CB-8BC1-4f9f-99A6-A6938E9AACE0}"
    BrowserHelperEx:"H","filename=crim.dll"
    BrowserHelperEx:"H","filename=coq.dll"
    BrowserHelperEx:"H","filename=down.dll"
    BrowserHelperEx:"H","filename=down?.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\crim.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\coq.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\down.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\down?.dll"
    
    // Trojan.Haxdoor:
    // Winlogon Notify package: DLLs registered here are loaded by winlogon at logon,
    // a well-known persistence point; the key is matched on its DllName value.
    RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\","modzlib","DllName=modzlib.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\modzlib.dll"
    
    // Trojan.Podnuha.Rootkit:
    RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{8B0A691C-B652-4A89-86CD-5A8FE62EBCB0}"
    RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{8B0A691C-B652-4A89-86CD-5A8FE62EBCB0}"
    BrowserHelperEx:"*","filename=comrep.dll"
    // NOTE(review): NTFile rather than File is used here (as for the suspected Zbot
    // entries later in this set); kelaworu.dll is also listed with a plain File rule
    // under Trojan.Virtumonde, so the two sections overlap on this DLL.
    NTFile:"<$FILE_LIBRARY>","<$SYSDIR>\kelaworu.dll"
    
    // Trojan.TDSS.Rootkit(1):
    // From a GMER log file
    // Service C:\WINDOWS\System32\drivers\dda7731a.sys (*** hidden *** ) [SYSTEM] dda7731a <-- ROOTKIT !!!
    // Service C:\WINDOWS\system32\drivers\kbiwkmqowtskqw.sys (*** hidden *** ) [SYSTEM] kbiwkmrwgopeto <-- ROOTKIT !!!
    // Service system32\drivers\UACrgwrubqhol.sys (*** hidden *** ) [SYSTEM] UACd.sys <-- ROOTKIT !!!
    
    // Trojan.TDSS.Rootkit(2):
    // From a ComboFix log file
    // c:\windows\system32\uacinit.dll
    // c:\windows\system32\UACmrndpmxpwg.dat
    // c:\windows\system32\drivers\kbiwkmkwbivkos.sys
    // c:\windows\system32\kbiwkmcpeybxvq.dll
    // c:\windows\system32\kbiwkmhoawxwvj.dat
    // c:\windows\system32\kbiwkmiurtqwux.dat
    // c:\windows\system32\kbiwkmnvpfypie.dll
    // [HKEY_LOCAL_MACHINE\System\ControlSet003\Services\kbiwkmlilrkmas]
    // The following files were also deleted by ComboFix:
    // c:\windows\ayeshut.dll
    // c:\windows\easdsave.dll
    // c:\windows\Fonts\THIRDPAR.TTF
    // c:\windows\inicea.dll
    // c:\windows\run.log
    // c:\windows\system32\3.tmp
    // c:\windows\system32\4.tmp
    // c:\windows\system32\5.tmp
    // c:\windows\system32\Plugins
    // c:\windows\system32\Plugins\ml\ml_pmp_device_Creative Zen V Plus.ini
    
    // Trojan.TDSS.Rootkit(3):
    // From a ComboFix log file
    // c:\windows\system32\drivers\SKYNETdsynmwoy.sys
    // c:\windows\system32\SKYNETkrpamwit.dll
    // c:\windows\system32\SKYNETnpsaeyvo.dat
    // c:\windows\system32\SKYNETpxmparer.dll
    // The following files were also deleted by ComboFix:
    // c:\windows\jestertb.dll
    // c:\windows\winhelp.ini
    // c:\windows\WINPROD.DLL
    
    // Trojan.TDSS.Rootkit(4):
    // From a GMER log file:
    // Service C:\WINDOWS\system32\drivers\kbiwkmsswuypdw.sys (*** hidden *** ) [SYSTEM] kbiwkmlnmbftko <-- ROOTKIT !!!
    // Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmlnmbftko
    // Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmlnmbftko@start 1
    // Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmlnmbftko@type 1
    // Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmlnmbftko@group file system
    // Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmlnmbftko@imagepath \systemroot\system32\drivers\kbiwkmsswuypdw.sys
    // Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmlnmbftko\main
    // Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmlnmbftko\main@aid 20029
    // Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmlnmbftko\main@sid 0
    // Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmlnmbftko\main@cmddelay 14400
    // Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmlnmbftko\main\delete
    // Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmlnmbftko\main\injector
    // Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmlnmbftko\main\injector@* kbiwkmwsp.dll
    // Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmlnmbftko\main\tasks
    // Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmlnmbftko\modules
    // Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmlnmbftko\modules@kbiwkmrk.sys \systemroot\system32\drivers\kbiwkmsswuypdw.sys
    // Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmlnmbftko\modules@kbiwkmcmd.dll \systemroot\system32\kbiwkmqipyviyq.dll
    // Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmlnmbftko\modules@kbiwkmlog.dat \systemroot\system32\kbiwkmxfubsdnq.dat
    // Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmlnmbftko\modules@kbiwkmwsp.dll \systemroot\system32\kbiwkmwbkfceep.dll
    // Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmlnmbftko\modules@kbiwkm.dat \systemroot\system32\kbiwkmphqbyexm.dat
    // Reg HKLM\SYSTEM\ControlSet003\Services\kbiwkmlnmbftko (not active ControlSet)
    // Reg HKLM\SYSTEM\ControlSet003\Services\kbiwkmlnmbftko@start 1
    // Reg HKLM\SYSTEM\ControlSet003\Services\kbiwkmlnmbftko@type 1
    // Reg HKLM\SYSTEM\ControlSet003\Services\kbiwkmlnmbftko@group file system
    // Reg HKLM\SYSTEM\ControlSet003\Services\kbiwkmlnmbftko@imagepath \systemroot\system32\drivers\kbiwkmsswuypdw.sys
    // Reg HKLM\SYSTEM\ControlSet003\Services\kbiwkmlnmbftko\main (not active ControlSet)
    // Reg HKLM\SYSTEM\ControlSet003\Services\kbiwkmlnmbftko\main@aid 20029
    // Reg HKLM\SYSTEM\ControlSet003\Services\kbiwkmlnmbftko\main@sid 0
    // Reg HKLM\SYSTEM\ControlSet003\Services\kbiwkmlnmbftko\main@cmddelay 14400
    // Reg HKLM\SYSTEM\ControlSet003\Services\kbiwkmlnmbftko\main\delete (not active ControlSet)
    // Reg HKLM\SYSTEM\ControlSet003\Services\kbiwkmlnmbftko\main\injector (not active ControlSet)
    // Reg HKLM\SYSTEM\ControlSet003\Services\kbiwkmlnmbftko\main\injector@* kbiwkmwsp.dll
    // Reg HKLM\SYSTEM\ControlSet003\Services\kbiwkmlnmbftko\main\tasks (not active ControlSet)
    // Reg HKLM\SYSTEM\ControlSet003\Services\kbiwkmlnmbftko\modules (not active ControlSet)
    // Reg HKLM\SYSTEM\ControlSet003\Services\kbiwkmlnmbftko\modules@kbiwkmrk.sys \systemroot\system32\drivers\kbiwkmsswuypdw.sys
    // Reg HKLM\SYSTEM\ControlSet003\Services\kbiwkmlnmbftko\modules@kbiwkmcmd.dll \systemroot\system32\kbiwkmqipyviyq.dll
    // Reg HKLM\SYSTEM\ControlSet003\Services\kbiwkmlnmbftko\modules@kbiwkmlog.dat \systemroot\system32\kbiwkmxfubsdnq.dat
    // Reg HKLM\SYSTEM\ControlSet003\Services\kbiwkmlnmbftko\modules@kbiwkmwsp.dll \systemroot\system32\kbiwkmwbkfceep.dll
    // Reg HKLM\SYSTEM\ControlSet003\Services\kbiwkmlnmbftko\modules@kbiwkm.dat \systemroot\system32\kbiwkmphqbyexm.dat
    // The following files were also deleted by ComboFix in the process:
    // "c:\windows\System32\drivers\8fcc9dbc.sys"
    // "c:\windows\system32\drivers\llqtmah.sys"
    
    // Trojan.Unknown(1):
    // A VBScript started from the Run key.
    AutoRun:"SIENA","<$SYSDIR>\SIENA.vbs","flagifnofile=1"
    RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","SIENA"
    // NOTE(review): the .vbs is typed as <$FILE_EXE>; confirm that is the intended
    // file class for a script rather than a data/text type.
    File:"<$FILE_EXE>","<$SYSDIR>\SIENA.vbs"
    // The following R1 entry was not imported by OpenSBI (no rule for it here):
    // R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Hacked by SIENA
    
    // Trojan.Unknown(2):
    // Suspected Zbot (because of the <$PROFILE> location), hence NTFile instead of File.
    // The same value name is checked in both HKLM and HKCU, and the file in both the
    // system directory and the user profile.
    AutoRun:"mset","<$SYSDIR>\mset.exe","flagifnofile=1"
    AutoRun:"mset","<$PROFILE>\mset.exe","flagifnofile=1"
    RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","mset"
    RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","mset"
    NTFile:"<$FILE_EXE>","<$SYSDIR>\mset.exe"
    NTFile:"<$FILE_EXE>","<$PROFILE>\mset.exe"
    
    // Trojan.Unknown(3):
    // Winlogon Notify package named "crypt" (loaded by winlogon at logon), matched on
    // its DllName value; the DLL name "crypts.dll" resembles a system component name.
    RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\","crypt","DllName=crypts.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\crypts.dll"
    
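    // Trojan.Virtumonde:
    // This variant set persists through several mechanisms at once; the rules
    // below are grouped by mechanism: BHO/CLSID pairs, Run entries launched via
    // rundll32, AppInit_DLLs injection, Winlogon Notify packages, and loose
    // randomly named DLLs taken from ComboFix logs.
    //
    // BHO + CLSID registrations, each paired with the DLL they point to.
    RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{C7BACA43-60FD-424A-93DF-15E3AEA0D190}"
    RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{C7BACA43-60FD-424A-93DF-15E3AEA0D190}"
    BrowserHelperEx:"*","filename=urqOGYOF.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\urqOGYOF.dll"
    RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{5679D773-A89D-445F-A575-097C155A349F}"
    RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{5679D773-A89D-445F-A575-097C155A349F}"
    BrowserHelperEx:"*","filename=ssqPijkk.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\ssqPijkk.dll"
    RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{C6048BAF-624C-4074-B319-4A7CCEEF3059}"
    RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{C6048BAF-624C-4074-B319-4A7CCEEF3059}"
    BrowserHelperEx:"*","filename=bitsprx3f.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\bitsprx3f.dll"
    RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{D0564C9F-79B9-4C80-B2CB-AE5F04B4CB6E}"
    RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{D0564C9F-79B9-4C80-B2CB-AE5F04B4CB6E}"
    BrowserHelperEx:"*","filename=ccfgntn.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\ccfgntn.dll"
    RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{be321b82-e695-4657-adb9-43b811f65214}"
    RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{be321b82-e695-4657-adb9-43b811f65214}"
    BrowserHelperEx:"*","filename=kelaworu.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\kelaworu.dll"
    //
    // Run entries of the form  rundll32.exe "<dll>",<export>  — the AutoRun
    // rule matches on the DLL path (trailing * covers the export argument); the
    // original log line is kept above each entry for reference.
    // AutoRun:"Fzipodini","rundll32.exe "C:\WINNT\Kqeluvozerazurow.dll",e","flagifnofile=1"
    AutoRun:"*","<$WINDIR>\Kqeluvozerazurow.dll*","flagifnofile=0"
    RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","Fzipodini"
    File:"<$FILE_LIBRARY>","<$WINDIR>\Kqeluvozerazurow.dll"
    // AutoRun:"Sxobulofoseqova","rundll32.exe "C:\WINNT\avuguwivi.dll",e","flagifnofile=1"
    AutoRun:"*","<$WINDIR>\avuguwivi.dll*","flagifnofile=0"
    RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","Sxobulofoseqova"
    File:"<$FILE_LIBRARY>","<$WINDIR>\avuguwivi.dll"
    // AutoRun:"Igozomexekocub","rundll32.exe "C:\WINDOWS\igumadavak.dll",e","flagifnofile=1"
    AutoRun:"*","<$WINDIR>\igumadavak.dll*","flagifnofile=0"
    RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","Igozomexekocub"
    File:"<$FILE_LIBRARY>","<$WINDIR>\igumadavak.dll"
    // Per-user variant (HKCU Run, DLL in the roaming AppData folder).
    // AutoRun:"tgtlm","rundll32.exe "C:\Users\ARBA ASSCEND\AppData\Roaming\wudsina.dll",hvyshqly","flagifnofile=1"
    AutoRun:"*","<$APPDATA>\wudsina.dll*","flagifnofile=0"
    RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","tgtlm"
    // File:"<$FILE_EXE>","rundll32.exe "C:\Users\ARBA ASSCEND\AppData\Roaming\wudsina.dll",hvyshqly
    File:"<$FILE_LIBRARY>","<$APPDATA>\wudsina.dll"
    //
    // AppInit_DLLs injection. RegyRemove strips only the named DLL from the
    // value instead of clearing it, because AppInit_DLLs can also carry
    // legitimate entries on some systems; keep it that way.
    RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\vofehafi.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\vofehafi.dll"
    RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","ms32clod.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\ms32clod.dll"
    RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$LOCALSETTINGS>\Temp\432356140724mxx.dll"
    RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\hivopigi.dll"
    RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\hapisiha.dll"
    File:"<$FILE_LIBRARY>","<$LOCALSETTINGS>\Temp\432356140724mxx.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\hivopigi.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\hapisiha.dll"
    RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\nomifeyi.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\nomifeyi.dll"
    //
    // Winlogon Notify packages. For pmnoOFyx and 7c43f695654 the logged DllName
    // was just the Windows directory with no file name, so no File: rule could
    // be written for them (the placeholder lines are left commented out).
    // NOTE(review): this assumes the DllName=... condition is an exact match.
    // If the engine treats it as a prefix, "DllName=<$WINDIR>\" would also
    // describe legitimate packages — confirm before relying on these two.
    RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\","pmnoOFyx","DllName=<$WINDIR>\"
    //File:"<$FILE_LIBRARY>","C:\WINDOWS\"
    RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\","__c00BD049","DllName=<$SYSDIR>\__c00BD049.dat"
    File:"<$FILE_DATA>","<$SYSDIR>\__c00BD049.dat"
    RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\","7c43f695654","DllName=<$WINDIR>\"
    //File:"<$FILE_LIBRARY>","C:\WINDOWS\"
    // bitsprx3f.dll is also registered as a BHO above; the File: line is
    // repeated here so the Notify entry stands on its own.
    RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\","nkzxwhto","DllName=<$SYSDIR>\bitsprx3f.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\bitsprx3f.dll"
    RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\","658a960d654","DllName=<$SYSDIR>\hnetmon32.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\hnetmon32.dll"
    //
    // Randomly named DLLs in <$SYSDIR>, taken from a ComboFix log file. These
    // are file-name-only matches with no registry anchor, so they hit only
    // when the exact name is present.
    File:"<$FILE_LIBRARY>","<$SYSDIR>\oPIXnoli.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\amndndkt.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\ayyewe.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\bmcljcoc.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\bngwccxx.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\bwumdmuq.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\bycsuahs.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\cexkqtdu.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\frlmui.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\fwtfxc.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\gupnqglp.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\hiptprry.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\hlfduoqt.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\hnwknn.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\iyhyly.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\jsbouuwn.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\ktvovysl.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\kxvbzr.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\lgjdvyvc.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\lgkzif.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\lqnrvbhq.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\mmwmlito.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\onpotk.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\pinolsmb.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\pqjwjqaf.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\pujrjv.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\pywzxn.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\qotckv.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\sdlsdhja.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\tjpkomcn.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\tkeozp.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\uhhiva.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\vhjlbz.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\vwmmiq.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\wdlxcv.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\winsokhy.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\xejxvu.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\yjopkb.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\zgwilh.dll"
    //
    // Randomly named DLLs in <$WINDIR>, taken from a ComboFix log file:
    File:"<$FILE_LIBRARY>","<$WINDIR>\acemovumax.dll"
    File:"<$FILE_LIBRARY>","<$WINDIR>\ategevus.dll"
    File:"<$FILE_LIBRARY>","<$WINDIR>\dxypmdo.dll"
    File:"<$FILE_LIBRARY>","<$WINDIR>\eguwipezupewada.dll"
    File:"<$FILE_LIBRARY>","<$WINDIR>\ekobaraxonugidel.dll"
    File:"<$FILE_LIBRARY>","<$WINDIR>\ibirixat.dll"
    File:"<$FILE_LIBRARY>","<$WINDIR>\igosizebazobifuy.dll"
    File:"<$FILE_LIBRARY>","<$WINDIR>\isuyesubasebiwey.dll"
    File:"<$FILE_LIBRARY>","<$WINDIR>\ixemeqaguvi.dll"
    File:"<$FILE_LIBRARY>","<$WINDIR>\izohudusiboqudo.dll"
    File:"<$FILE_LIBRARY>","<$WINDIR>\obanosobuzitoway.dll"
    File:"<$FILE_LIBRARY>","<$WINDIR>\ocebeyeyogomu.dll"
    File:"<$FILE_LIBRARY>","<$WINDIR>\ojowaxoz.dll"
    File:"<$FILE_LIBRARY>","<$WINDIR>\onaguvim.dll"
    File:"<$FILE_LIBRARY>","<$WINDIR>\oqeyacikofegi.dll"
    File:"<$FILE_LIBRARY>","<$WINDIR>\orejopevogani.dll"
    File:"<$FILE_LIBRARY>","<$WINDIR>\otobafit.dll"
    // REVIEW: the five files below are the WinPcap packet-capture library
    // (npf.sys, Packet.dll, WanPacket.dll, wpcap.dll) and the pthreads-win32
    // runtime it ships with (pthreadVC.dll). They showed up in the same
    // ComboFix log — presumably dropped by the infection for sniffing — but
    // the files themselves are the stock library and are installed legitimately
    // by Wireshark, Nmap and similar tools. A file-name-only match would delete
    // a legitimate install and, since no rule here removes the NPF service
    // registration, leave that service pointing at a missing driver. They are
    // therefore disabled. Re-enable only with a condition that distinguishes
    // the dropped copy (a hash or size check, if the rule format supports one).
    //File:"<$FILE_SERVICE>","<$SYSDIR>\drivers\npf.sys"
    //File:"<$FILE_LIBRARY>","<$SYSDIR>\Packet.dll"
    //File:"<$FILE_LIBRARY>","<$SYSDIR>\pthreadVC.dll"
    //File:"<$FILE_LIBRARY>","<$SYSDIR>\WanPacket.dll"
    //File:"<$FILE_LIBRARY>","<$SYSDIR>\wpcap.dll"
    File:"<$FILE_LIBRARY>","<$WINDIR>\uforikom.dll"
    File:"<$FILE_LIBRARY>","<$WINDIR>\utamuwes.dll"
    File:"<$FILE_LIBRARY>","<$WINDIR>\uwuqariw.dll"
    File:"<$FILE_LIBRARY>","<$WINDIR>\uzomolimarigaf.dll"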
    
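    // Trojan.Zbot:
    // Persistence via the Winlogon UserInit value: the dropper appends its own
    // executable(s) after the legitimate userinit.exe, separated by commas.
    // UserInit is logon-critical — these RegyRemove rules must strip only the
    // appended malware path and leave "<$SYSDIR>\userinit.exe," in place;
    // clearing the whole value would lock users out of interactive logon.
    // The original log line is kept above each group for reference.
    // RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\","UserInit","UserInit=C:\WINDOWS\system32\userinit.exe,C:\Documents and Settings\Msh\xxcbr.exe \s,C:\Documents and Settings\Msh\mrbvglg.exe \s"
    // Two appended entries: the first pattern ends in "*," so it stops at the
    // separating comma and the second entry is handled by its own rule.
    RegyRemove:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\","UserInit","<$PROFILE>\xxcbr.exe*,"
    RegyRemove:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\","UserInit","<$PROFILE>\mrbvglg.exe*"
    NTFile:"<$FILE_EXE>","<$PROFILE>\xxcbr.exe"
    NTFile:"<$FILE_EXE>","<$PROFILE>\mrbvglg.exe"
    // RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\","UserInit","UserInit=C:\WINDOWS\system32\userinit.exe,C:\Documents and Settings\LETICIA\tvwy.exe \s,C:\WINDOWS\system32\bvdpss.exe"
    // NOTE(review): "tvwy.exe*" has no trailing comma; depending on how greedy
    // the wildcard is it may already swallow the bvdpss.exe component, making
    // the next rule a no-op. Either way userinit.exe itself is untouched.
    RegyRemove:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\","UserInit","<$PROFILE>\tvwy.exe*"
    RegyRemove:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\","UserInit","<$SYSDIR>\bvdpss.exe"
    NTFile:"<$FILE_EXE>","<$PROFILE>\tvwy.exe"
    NTFile:"<$FILE_EXE>","<$SYSDIR>\bvdpss.exe"
    // RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\","UserInit","UserInit=C:\WINDOWS\system32\userinit.exe,C:\DOCUME~1\Owner\LOCALS~1\Temp\init.exe"
    RegyRemove:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\","UserInit","<$LOCALSETTINGS>\Temp\init.exe"
    NTFile:"<$FILE_EXE>","<$LOCALSETTINGS>\Temp\init.exe"
    // I found the following entry in connection with this malware:
    // RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\","Shell","Shell=Explorer.exe rundll32.exe tapi.nfo beforeglav"
    // The malware is launched through rundll32 appended to the Shell value.
    // Removing only "tapi.nfo beforeglav" would leave "Explorer.exe rundll32.exe"
    // behind (a rundll32 with no arguments, plus a still-modified Shell value),
    // so the whole appended launcher is removed and the default "Explorer.exe"
    // is preserved.
    // NOTE(review): the on-disk location of tapi.nfo is not recoverable from
    // the log (bare relative name), so no File: rule is given for it — locate
    // it before adding one.
    RegyRemove:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\","Shell","rundll32.exe tapi.nfo beforeglav"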
    Last edited by Matt; 2009-09-03 at 16:49.
