I've collected detection rules for the following Malware:
  • Adware.Freeze.comToolbar
  • Adware.MalwareRemovalBot
  • Adware.SNSClient
  • Adware.Startline
  • Adware.SurfAccuracy
  • Malware.Fraud.PCAntispyware2010
  • Malware.Smitfraud
  • Malware.Unknown(2)
  • Suspicious
  • Trojan.Agent(3)
  • Trojan.Monopod
  • Trojan.TDSS.Rootkit
  • Trojan.Virtumonde
  • Trojan.Zbot
  • Trojan.Zlob
Category: Trojan
Code:
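:: New Malware v26
// Revision 1
// {Cat:Trojan}{Cnt:1}
// {Det:Matt,2009-09-03}
//
// Detection/removal rule set. The syntax looks like the Spybot-S&D .sbi rule
// format (confirm against the tool's documentation). Conventions used below:
//   File: / NTFile: / Directory:  a file or folder to detect and remove; the first
//                                 field is a type tag (<$FILE_EXE>, <$FILE_LIBRARY>,
//                                 <$FILE_CONFIGURATION>, <$DIR_PROG>, ...). The NT
//                                 variant is used for the TDSS and Zbot files; its
//                                 exact difference from File: is not documented on
//                                 this page -- presumably for files that stay locked
//                                 while Windows is running; verify before relying on it.
//   AutoRun: / RegyValue: / RegyKey:  an autostart entry, registry value or key to
//                                 detect and remove. Every AutoRun is normally paired
//                                 with the RegyValue that holds it.
//   RegyRemove:                   presumably strips only the quoted fragment from an
//                                 existing multi-entry value (AppInit_DLLs, load,
//                                 UserInit) instead of deleting the whole value --
//                                 verify; deleting UserInit outright would break logon.
//   <$PROGRAMFILES>, <$SYSDIR>, <$WINDIR>, <$APPDATA>, ...  environment placeholders
//                                 that replace the concrete C:\ paths seen in the logs.
//   "flagifnofile=1"              presumably: still flag the autostart entry when the
//                                 referenced file no longer exists -- verify.
//   ? and *                       single-character / any-length wildcards used to
//                                 generalize randomized names seen in the samples.
// Lines prefixed with // that repeat a rule are the original, log-specific versions
// kept as provenance; the active rule below them is the generalized form.
// NOTE(review): several of those commented originals still carry the submitters'
// Windows profile names (taken from their log paths). They add no detection value;
// consider redacting them before wider publication.
// Review remarks are marked NOTE(review).

// Adware.Freeze.comToolbar:
// From a ComboFix log file
// Static toolbar files only; no autostart or BHO entry is listed for this family,
// so removal here is by file and directory alone.
File:"<$FILE_DATA>","<$PROGRAMFILES>\Freeze.com Toolbar\basis.xml"
File:"<$FILE_PICTURE>","<$PROGRAMFILES>\Freeze.com Toolbar\freeze.bmp"
File:"<$FILE_DATA>","<$PROGRAMFILES>\Freeze.com Toolbar\freeze_us.crc"
File:"<$FILE_PICTURE>","<$PROGRAMFILES>\Freeze.com Toolbar\frzToolbar_logo.bmp"
File:"<$FILE_PICTURE>","<$PROGRAMFILES>\Freeze.com Toolbar\icons.bmp"
File:"<$FILE_TEXT>","<$PROGRAMFILES>\Freeze.com Toolbar\info.txt"
File:"<$FILE_WEBPAGE>","<$PROGRAMFILES>\Freeze.com Toolbar\options.html"
File:"<$FILE_PICTURE>","<$PROGRAMFILES>\Freeze.com Toolbar\powered_yahoo_search.bmp"
File:"<$FILE_TEXT>","<$PROGRAMFILES>\Freeze.com Toolbar\version.txt"
Directory:"<$DIR_PROG>","<$PROGRAMFILES>\Freeze.com Toolbar"

// Adware.MalwareRemovalBot:
// AutoRun:"MalwareRemovalBot","C:\Program Files\MalwareRemovalBot\MalwareRemovalBot.exe -boot  Adware.MalwareRemovalBot","flagifnofile=1"
// The trailing * tolerates the "-boot" argument present in the logged Run value.
AutoRun:"MalwareRemovalBot","<$PROGRAMFILES>\MalwareRemovalBot\MalwareRemovalBot.exe*","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","MalwareRemovalBot"
// File:"<$FILE_EXE>","C:\Program Files\MalwareRemovalBot\MalwareRemovalBot.exe -boot"
File:"<$FILE_EXE>","<$PROGRAMFILES>\MalwareRemovalBot\MalwareRemovalBot.exe"
Directory:"<$DIR_PROG>","<$PROGRAMFILES>\MalwareRemovalBot"

// Adware.SNSClient:
// Browser Helper Object: the BHO registration and its CLSID class registration
// are removed as a pair; the BrowserHelperEx line matches the plug-in by file name.
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{6F1D52E4-8CEF-41BB-B7ED-B0107A38D0D1}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{6F1D52E4-8CEF-41BB-B7ED-B0107A38D0D1}"
BrowserHelperEx:"SNSClientObj Class","filename=snsclient.dll"
// NOTE(review): a .dll tagged <$FILE_EXE>; every other .dll in this set is tagged
// <$FILE_LIBRARY>. Probably should be <$FILE_LIBRARY> -- verify the tag semantics.
File:"<$FILE_EXE>","<$PROGRAMFILES>\snsclient\snsclient.dll"
Directory:"<$DIR_PROG>","<$PROGRAMFILES>\snsclient"

// Adware.Startline:
AutoRun:"startline","<$PROGRAMFILES>\startline\startline_update.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","startline"
File:"<$FILE_EXE>","<$PROGRAMFILES>\startline\startline_update.exe"
Directory:"<$DIR_PROG>","<$PROGRAMFILES>\startline"

// Adware.SurfAccuracy:
// Note the Run value is in HKLM here (machine-wide), unlike most HKCU entries above.
AutoRun:"SurfAccuracy","<$PROGRAMFILES>\SurfAccuracy\SAcc.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","SurfAccuracy"
File:"<$FILE_EXE>","<$PROGRAMFILES>\SurfAccuracy\SAcc.exe"
Directory:"<$DIR_PROG>","<$PROGRAMFILES>\SurfAccuracy"

// Malware.Fraud.PCAntispyware2010:
// AutoRun:"PC Antispyware 2010","C:\Program Files\PC_Antispyware2010\PC_Antispyware2010.exe" /hide","flagifnofile=1"
// The trailing * covers the quoted path plus the "/hide" argument seen in the log
// (the commented original above has the nested quotes unescaped, so it is not usable as-is).
AutoRun:"PC Antispyware 2010","<$PROGRAMFILES>\PC_Antispyware2010\PC_Antispyware2010.exe*","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","PC Antispyware 2010"
// File:"<$FILE_EXE>",""C:\Program Files\PC_Antispyware2010\PC_Antispyware2010.exe" /hide"
File:"<$FILE_EXE>","<$PROGRAMFILES>\PC_Antispyware2010\PC_Antispyware2010.exe"
Directory:"<$DIR_PROG>","<$PROGRAMFILES>\PC_Antispyware2010"

// Malware.Smitfraud:
// SharedTaskScheduler value (a shell-load persistence point) plus the DLL it refers to.
// NOTE(review): value name and CLSID come from a single sample; if other samples
// randomize them this rule will miss them (compare the Zlob section, which wildcards
// its CLSID for that reason).
RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","enation","enation={629340b5-8df6-4211-9245-a86563a35792}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\gnmguxh.dll"

// Malware.Unknown(1):
// From a ComboFix log file
// Five random-looking six-letter .ini names in <$WINDIR>. They share no fixed part,
// so no wildcard is applied; other infections of this family will need new lines.
File:"<$FILE_CONFIGURATION>","<$WINDIR>\bcfijl.ini"
File:"<$FILE_CONFIGURATION>","<$WINDIR>\klnqss.ini"
File:"<$FILE_CONFIGURATION>","<$WINDIR>\oqprru.ini"
File:"<$FILE_CONFIGURATION>","<$WINDIR>\twvxay.ini"
File:"<$FILE_CONFIGURATION>","<$WINDIR>\vyccfe.ini"

// Malware.Unknown(2):
// From a ComboFix log file
// c:\windows\system32\SystemX86\246.keygen.zip.kwd
// c:\windows\system32\SystemX86\253.crack.zip
// c:\windows\system32\SystemX86\253.crack.zip.kwd
// c:\windows\system32\SystemX86\254.keygen.zip
// c:\windows\system32\SystemX86\254.keygen.zip.kwd
// c:\windows\system32\SystemX86\255.serial.zip
// c:\windows\system32\SystemX86\255.serial.zip.kwd
// c:\windows\system32\SystemX86\256.setup.zip
// c:\windows\system32\SystemX86\256.setup.zip.kwd
// c:\windows\system32\SystemX86\257.music.au
// c:\windows\system32\SystemX86\257.music.au.kwd
// c:\windows\system32\SystemX86\258.music2.au
// c:\windows\system32\SystemX86\258.music2.au.kwd
// c:\windows\system32\SystemX86\259.music3.au
// c:\windows\system32\SystemX86\259.music3.au.kwd
// c:\windows\system32\SystemX86\260.music.snd
// c:\windows\system32\SystemX86\260.music.snd.kwd
// "???" stands for the three-digit counter seen above; "music?" covers music2/music3.
File:"<$FILE_DATA>","<$SYSDIR>\SystemX86\???.keygen.zip.kwd"
File:"<$FILE_DATA>","<$SYSDIR>\SystemX86\???.crack.zip"
File:"<$FILE_DATA>","<$SYSDIR>\SystemX86\???.crack.zip.kwd"
File:"<$FILE_DATA>","<$SYSDIR>\SystemX86\???.keygen.zip"
File:"<$FILE_DATA>","<$SYSDIR>\SystemX86\???.keygen.zip.kwd"
File:"<$FILE_DATA>","<$SYSDIR>\SystemX86\???.serial.zip"
File:"<$FILE_DATA>","<$SYSDIR>\SystemX86\???.serial.zip.kwd"
File:"<$FILE_DATA>","<$SYSDIR>\SystemX86\???.setup.zip"
File:"<$FILE_DATA>","<$SYSDIR>\SystemX86\???.setup.zip.kwd"
File:"<$FILE_DATA>","<$SYSDIR>\SystemX86\???.music.au"
File:"<$FILE_DATA>","<$SYSDIR>\SystemX86\???.music.au.kwd"
File:"<$FILE_DATA>","<$SYSDIR>\SystemX86\???.music?.au"
File:"<$FILE_DATA>","<$SYSDIR>\SystemX86\???.music?.au.kwd"
File:"<$FILE_DATA>","<$SYSDIR>\SystemX86\???.music.snd"
File:"<$FILE_DATA>","<$SYSDIR>\SystemX86\???.music.snd.kwd"
// NOTE(review): removing the whole SystemX86 folder is broader than the files listed
// above; acceptable only if nothing legitimate uses that folder, which this page
// cannot confirm.
Directory:"<$DIR_PROG>","<$SYSDIR>\SystemX86"

// Suspicious:
// Hosts-file redirects (O1 lines, apparently from a HijackThis-style log): a set of
// file-sharing, security-product and payment domains are all pointed at two IPs.
// These lines are comments only -- this rule set generates NO detection or cleanup
// for the hosts file; they are kept as indicators for a future rule.
// O1 - Hosts: 91.121.97.18 www.thepiratebay.org
// O1 - Hosts: 91.121.97.18 thepiratebay.org
// O1 - Hosts: 74.125.45.100 4-open-davinci.com
// O1 - Hosts: 74.125.45.100 securitysoftwarepayments.com
// O1 - Hosts: 74.125.45.100 privatesecuredpayments.com
// O1 - Hosts: 74.125.45.100 secure.privatesecuredpayments.com
// O1 - Hosts: 74.125.45.100 getantivirusplusnow.com
// O1 - Hosts: 74.125.45.100 secure-plus-payments.com
// O1 - Hosts: 74.125.45.100 http://www.getantivirusplusnow.com
// O1 - Hosts: 74.125.45.100 http://www.secure-plus-payments.com
// O1 - Hosts: 74.125.45.100 http://www.getavplusnow.com
// O1 - Hosts: 74.125.45.100 http://www.securesoftwarebill.com
// O1 - Hosts: 74.125.45.100 secure.paysecuresystem.com

// Trojan.Agent(1):
// AutoRun:"winntR1","c:\winnt_\winntR1.exe","flagifnofile=1"
// AutoRun:"winntR2","c:\winnt_\winntR2.exe","flagifnofile=1"
// AutoRun:"winnt2","c:\winnt_\winnt2.exe","flagifnofile=1"
// AutoRun:"winnt4","c:\winnt_\winnt4.exe","flagifnofile=1"
// AutoRun:"winnt5","c:\winnt_\winnt5.exe","flagifnofile=1"
// AutoRun:"winnt7","c:\winnt_\winnt7.exe","flagifnofile=1"
// "winnt?" covers the one-character suffixes (winnt2, winnt4, ...), "winnt??" the
// two-character ones (winntR1, winntR2). The folder is "winnt_" with a trailing
// underscore -- distinct from the legitimate WINNT system folder of older Windows
// versions; keep the underscore so the Directory rule below never matches that.
AutoRun:"winnt?","<$SYSDRIVE>\winnt_\winnt?.exe","flagifnofile=1"
AutoRun:"winnt??","<$SYSDRIVE>\winnt_\winnt??.exe","flagifnofile=1"
// RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","winntR1"
// RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","winntR2"
// RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","winnt2"
// RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","winnt4"
// RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","winnt5"
// RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","winnt7"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","winnt?"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","winnt??"
// File:"<$FILE_EXE>","c:\winnt_\winntR1.exe"
// File:"<$FILE_EXE>","c:\winnt_\winntR2.exe"
// File:"<$FILE_EXE>","c:\winnt_\winnt2.exe"
// File:"<$FILE_EXE>","c:\winnt_\winnt4.exe"
// File:"<$FILE_EXE>","c:\winnt_\winnt5.exe"
// File:"<$FILE_EXE>","c:\winnt_\winnt7.exe"
File:"<$FILE_EXE>","<$SYSDRIVE>\winnt_\winnt?.exe"
File:"<$FILE_EXE>","<$SYSDRIVE>\winnt_\winnt??.exe"
Directory:"<$DIR_PROG>","<$SYSDRIVE>\winnt_"

// Trojan.Agent(2):
// Two persistence entries: "Service.exe" in a fake "Windows error log" folder under
// the system directory, and a "services.exe" dropped in the user's Temp folder.
AutoRun:"Errlog","<$SYSDIR>\Windows error log\Service.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","Errlog"
File:"<$FILE_EXE>","<$SYSDIR>\Windows error log\Service.exe"
//AutoRun:"SYSTEM","C:\Users\Elliot\AppData\Local\Temp\services.exe","flagifnofile=1"
// Only the copy in <$LOCALAPPDATA>\Temp is targeted; the genuine services.exe lives
// in the system directory and must not be matched by this rule.
AutoRun:"SYSTEM","<$LOCALAPPDATA>\Temp\services.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","SYSTEM"
//File:"<$FILE_EXE>","C:\Users\Elliot\AppData\Local\Temp\services.exe"
File:"<$FILE_EXE>","<$LOCALAPPDATA>\Temp\services.exe"

// Trojan.Agent(3):
// AutoRun:"Win32 Firewall","C:\Users\Kimmy\AppData\Local\Temp\067.exe","flagifnofile=1"
// The Run value name "Win32 Firewall" is the discriminator; the path itself is
// wildcarded because the sample name (067.exe) looks random.
// NOTE(review): the AutoRun accepts any *.exe in Temp, but the File rule below only
// matches "0??.exe" -- a three-character name starting with 0, derived from one
// sample. Either the File pattern is too narrow or the AutoRun is too broad; decide
// which generalization is intended and make the two consistent.
AutoRun:"Win32 Firewall","<$LOCALAPPDATA>\Temp\*.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","Win32 Firewall"
// File:"<$FILE_EXE>","C:\Users\Kimmy\AppData\Local\Temp\067.exe"
File:"<$FILE_EXE>","<$LOCALAPPDATA>\Temp\0??.exe"
// AutoRun:"MicrosoftUpdate","C:\Users\Kimmy\AppData\Roaming\taskeng.exe","flagifnofile=1"
// Targets only the taskeng.exe copy in the roaming profile, not the system one.
AutoRun:"MicrosoftUpdate","<$APPDATA>\taskeng.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","MicrosoftUpdate"
// File:"<$FILE_EXE>","C:\Users\Kimmy\AppData\Roaming\taskeng.exe"
File:"<$FILE_EXE>","<$APPDATA>\taskeng.exe"

// Trojan.Monopod:
// As in Agent(3): the AutoRun is wildcarded on the path and keyed on the value name
// "Monopod", while the File rule names the one sample (b.exe) seen so far.
AutoRun:"Monopod","<$WINDIR>\TEMP\*.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","Monopod"
File:"<$FILE_EXE>","<$WINDIR>\TEMP\b.exe"

// Trojan.TDSS.Rootkit:
// c:\windows\system32\vsfocecxnrviqj.dat"
// c:\windows\system32\vsfocenkllmswx.dll"
// c:\windows\system32\vsfocewwqcsxrq.dat"
// c:\windows\system32\vsfoceympmqfwb.dll"
// The four samples share the prefix "vsfoce"; the rest of the name varies.
// NOTE(review): the prefix is taken from a single infection -- if it is generated
// per machine, other infections will not be matched by these two lines.
NTFile:"<$FILE_LIBRARY>","<$SYSDIR>\vsfoce*.dat"
NTFile:"<$FILE_LIBRARY>","<$SYSDIR>\vsfoce*.dll"

// Trojan.Virtumonde:
// Five BHO registrations (BHO key + CLSID key + DLL each). BrowserHelperEx:"*"
// matches the BHO by DLL file name regardless of its display name.
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{9b0adbca-9817-447c-a34e-9f8d705cca8d}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{9b0adbca-9817-447c-a34e-9f8d705cca8d}"
BrowserHelperEx:"*","filename=kbdrol.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\kbdrol.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{88B310C0-A348-4C36-A0E1-9CF402CC4FCC}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{88B310C0-A348-4C36-A0E1-9CF402CC4FCC}"
BrowserHelperEx:"*","filename=ddcyx.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\ddcyx.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{487C9905-26A8-42C8-8033-C58AD3D2AEC3}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{487C9905-26A8-42C8-8033-C58AD3D2AEC3}"
BrowserHelperEx:"*","filename=ssqnomLC.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\ssqnomLC.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}"
BrowserHelperEx:"*","filename=tuvUlJDw.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\tuvUlJDw.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{D595BC57-FBEB-4D18-8EAA-CBB8C110E174}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{D595BC57-FBEB-4D18-8EAA-CBB8C110E174}"
BrowserHelperEx:"*","filename=pmnoNFvW.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\pmnoNFvW.dll"
// AutoRun:"MSServer","rundll32.exe C:\Windows\system32\tuvUlJDw.dll,#1","flagifnofile=1"
// The Run value launches the BHO DLL through rundll32; the trailing * absorbs the
// ",#1" export argument. tuvUlJDw.dll, ddcyx.dll and ssqnomLC.dll each appear in a
// second File: line further down (duplicates) -- harmless if duplicate entries are
// tolerated, otherwise consolidate.
AutoRun:"MSServer","<$SYSDIR>\tuvUlJDw.dll*","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","MSServer"
// File:"<$FILE_EXE>","rundll32.exe C:\Windows\system32\tuvUlJDw.dll,#1"
File:"<$FILE_LIBRARY>","<$SYSDIR>\tuvUlJDw.dll"
// AppInit_DLLs is a comma-separated list; the leading comma in the fragment below
// removes the entry together with its separator.
// NOTE(review): the pmkheba.dll fragment two lines down has no leading comma, so the
// two AppInit_DLLs removals are inconsistent; depending on where the entry sits in
// the list one of them may leave a dangling comma behind. Verify which form the
// tool expects and use it for both.
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs",",<$SYSDIR>\filemgmt32.dll"
// Fixed: the path previously started with a stray "," (copied from the registry
// fragment above), so this File: entry could never match the DLL on disk.
File:"<$FILE_LIBRARY>","<$SYSDIR>\filemgmt32.dll"
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\pmkheba.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\pmkheba.dll"
// Winlogon\Notify entries: each key is identified by the DllName it points to.
RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\","fxsomm","DllName=<$SYSDIR>\fxsomm.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\fxsomm.dll"
// RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\","3c623b87660","DllName=<$SYSDIR>\filemgmt32.dll"
// The key name in the sample ("3c623b87660") looks random, so the active rule
// wildcards it and relies on the DllName match alone.
RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\","*","DllName=<$SYSDIR>\filemgmt32.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\filemgmt32.dll"
RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\","psodbc","DllName=<$WINDIR>\Fonts\psodbc.dll"
File:"<$FILE_LIBRARY>","<$WINDIR>\Fonts\psodbc.dll"
RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\","ddcyx","DllName=<$SYSDIR>\ddcyx.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\ddcyx.dll"
RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\","ssqnomLC","DllName=<$SYSDIR>\ssqnomLC.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\ssqnomLC.dll"
// From a ComboFix log file:
// Ten "__C00xxxxx.dat" files (hex-looking, mixed case) plus random 8-letter .ini and
// .dll names; all are exact sample names. NOTE(review): if matching is
// case-insensitive the .dat group could be collapsed into one wildcard line, but
// that is not done here to avoid over-matching without more samples.
File:"<$FILE_DATA>","<$SYSDIR>\__C00C6FC2.dat"
File:"<$FILE_DATA>","<$SYSDIR>\__C00D8B0A.dat"
File:"<$FILE_DATA>","<$SYSDIR>\__C00802A4.dat"
File:"<$FILE_DATA>","<$SYSDIR>\__C0040349.dat"
File:"<$FILE_DATA>","<$SYSDIR>\__c001BC83.dat"
File:"<$FILE_DATA>","<$SYSDIR>\__c0078572.dat"
File:"<$FILE_DATA>","<$SYSDIR>\__c00CB4EA.dat"
File:"<$FILE_DATA>","<$SYSDIR>\__c00CC521.dat"
File:"<$FILE_DATA>","<$SYSDIR>\__c00E3669.dat"
File:"<$FILE_DATA>","<$SYSDIR>\__c00F8900.dat"
File:"<$FILE_CONFIGURATION>","<$SYSDIR>\jocqmrvq.ini"
File:"<$FILE_CONFIGURATION>","<$SYSDIR>\lbkkaijd.ini"
File:"<$FILE_CONFIGURATION>","<$SYSDIR>\nynupamp.ini"
File:"<$FILE_CONFIGURATION>","<$SYSDIR>\piaxwsph.ini"
File:"<$FILE_CONFIGURATION>","<$SYSDIR>\qnoqmhqt.ini"
File:"<$FILE_CONFIGURATION>","<$SYSDIR>\qxvruwmw.ini"
File:"<$FILE_CONFIGURATION>","<$SYSDIR>\scumggjn.ini"
File:"<$FILE_CONFIGURATION>","<$SYSDIR>\yrkikunn.ini"
File:"<$FILE_LIBRARY>","<$SYSDIR>\oghkokav.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\verdaqsf.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\msvcsv60.dll"

// Trojan.Zbot:
// RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","load","load=C:\WINDOWS\system32\tydytyb.exe "
// "load" and "UserInit" are shared system values; RegyRemove with the malware path
// (trailing * for the trailing space / comma seen in the logs) is used so that only
// the tydytyb.exe fragment is stripped and userinit.exe stays intact.
RegyRemove:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","load","<$SYSDIR>\tydytyb.exe*"
// RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\","UserInit","UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\tydytyb.exe,"
RegyRemove:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\","UserInit","<$SYSDIR>\tydytyb.exe*"
// The matching RegyValue for "WindowsDefender" is intentionally left commented out:
// that name mimics a legitimate product, so the AutoRun line (which also checks the
// tydytyb.exe path) is the safer match -- presumed intent, confirm with the author.
AutoRun:"WindowsDefender","<$SYSDIR>\tydytyb.exe","flagifnofile=1"
// RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","WindowsDefender"
AutoRun:"Com32","<$SYSDIR>\tydytyb.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","Com32"
NTFile:"<$FILE_EXE>","<$SYSDIR>\tydytyb.exe"
// AutoRun:"userinit","C:\Users\Mr. Matty\AppData\Roaming\sdra64.exe","flagifnofile=1"
AutoRun:"userinit","<$APPDATA>\sdra64.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","userinit"
// File:"<$FILE_EXE>","C:\Users\Mr. Matty\AppData\Roaming\sdra64.exe"
NTFile:"<$FILE_EXE>","<$APPDATA>\sdra64.exe"
// The following files were also deleted by ComboFix:
// O4 - HKCU\..\RunServicesOnce: [LogServ] C:\WINDOWS\system32\tydytyb.exe
// O4 - HKLM\..\Policies\Explorer\Run: [MF01] C:\Windows\system32\wow0524.exe
// NOTE(review): neither of the two O4 entries above (RunServicesOnce "LogServ",
// Policies\Explorer\Run "MF01" -> wow0524.exe) has an active rule in this set.
// NOTE(review): explorer.exe is matched only at the drive root, which is not where
// the genuine shell lives -- keep it that way and never broaden this to <$WINDIR>.
// The file is an .exe but tagged <$FILE_LIBRARY>; probably should be <$FILE_EXE>
// like the other executables -- verify the tag semantics.
NTFile:"<$FILE_LIBRARY>","<$SYSDRIVE>\explorer.exe"
NTFile:"<$FILE_TEXT>","<$SYSDIR>\AutoRun.inf"
NTFile:"<$FILE_SERVICE>","<$SYSDIR>\drivers\fad.sys"

// Trojan.Zlob:
// CLSID is random (see the logged value below), so the active rule keeps the value
// name "WebWin" fixed and wildcards the CLSID.
// RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","WebWin","WebWin={203CBB11-B270-5708-F2FA-05C7388D3774}"
RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","WebWin","WebWin=*"
File:"<$FILE_LIBRARY>","<$PROGRAMFILES>\umtjtgf\WebWin.dll"
Directory:"<$DIR_PROG>","<$PROGRAMFILES>\umtjtgf"
// DNS hijack (O17 lines): every Tcpip interface and control set in the log had its
// NameServer pointed at the same two addresses.
// NOTE(review): these are comments only -- this rule set does NOT restore the DNS
// settings; after cleanup the NameServer values still need to be checked manually
// or by a separate rule.
// O17 - HKLM\System\CCS\Services\Tcpip\..\{17F8C938-66EF-46B2-866D-3FC172504A57}: NameServer = 85.255.112.113,85.255.112.175
// O17 - HKLM\System\CCS\Services\Tcpip\..\{58F14D69-8095-4B10-93B5-E3EF8948C92A}: NameServer = 85.255.112.113,85.255.112.175
// O17 - HKLM\System\CCS\Services\Tcpip\..\{F0FE9330-3B9E-4964-9CBC-377551AAF9A9}: NameServer = 85.255.112.113,85.255.112.175
// O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.113,85.255.112.175
// O17 - HKLM\System\CS7\Services\Tcpip\Parameters: NameServer = 85.255.112.113,85.255.112.175
// O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.113,85.255.112.175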