I've collected detection rules for the following Malware:
  • Adware.AdRotator
  • Adware.Alexa
  • Malware.Fraud.OmegaAntiVir
  • Malware.Fraud.ProofDefender2009
  • Malware.Fraud.SafetyKeeper
  • Malware.Fraud.Unknown
  • Malware.Fraud.WinProtector
  • Malware.Infostealer.Gamepass
  • Malware.Smitfraud
  • Malware.Sysguard
  • Malware.Unknown(4)
  • Suspicious
  • Trojan.AdClick
  • Trojan.Agent(3)
  • Trojan.Autorun
  • Trojan.Haxdoor
  • Trojan.TDSS.Rootkit
  • Trojan.Unknown(7)
  • Trojan.Virtumonde
  • Worm.Koobface
Category: Trojan
Code:
:: New Malware v29
// Revision 1
// {Cat:Trojan}{Cnt:1}
// {Det:Matt,2009-09-18}

// Adware.AdRotator:
// NOTE(review): the ns??.dll / ns???.dll wildcards below (BrowserHelperEx and File rules) are
// generalised from the single sample name nsc2D.dll kept as a comment; two- and three-character
// patterns under <$SYSDIR> are broad, so check them against a clean system before shipping.
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{ba2784c3-c515-050f-9c5d-c027727cf29c}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{ba2784c3-c515-050f-9c5d-c027727cf29c}"
BrowserHelperEx:"bignetdaddy","filename=ns??.dll"
BrowserHelperEx:"bignetdaddy","filename=ns???.dll"
BrowserHelperEx:"bignetdaddy search enhancer","filename=*.dll"
// File:"<$FILE_LIBRARY>","<$SYSDIR>\nsc2D.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\ns???.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\ns??.dll"

// Adware.Alexa:
// NOTE(review): "%26" in the two "Show %26Related Links" entries reads like a URL-encoded "&"
// carried over from the log; if the registry stores the literal "&" (menu accelerator), the
// IEExtension and MenuText rules will not match — confirm against a live key.
IEExtension:"Related"
RegyKey:"<$REG_IEEXTENSION>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Internet Explorer\Extensions\","{c95fe080-8f5d-11d2-a20b-00aa003c157a}","ButtonText=Related"
IEExtension:"Show %26Related Links"
RegyKey:"<$REG_IEEXTENSION>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Internet Explorer\Extensions\","{c95fe080-8f5d-11d2-a20b-00aa003c157a}","MenuText=Show %26Related Links"
File:"<$FILE_WEBPAGE>","<$WINDIR>\web\related.htm"

// Malware.Fraud.OmegaAntiVir:
// AutoRun:"Omega AntiVir",""C:\Documents and Settings\All Users\Application Data\61a60\OM83b.exe" /s","flagifnofile=1"
AutoRun:"Omega AntiVir","<$COMMONAPPDATA>\*\OM*.exe*","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","Omega AntiVir"
// File:"<$FILE_EXE>",""C:\Documents and Settings\All Users\Application Data\61a60\OM83b.exe" /s"
File:"<$FILE_EXE>","<$COMMONAPPDATA>\*\OM*.exe"
File:"<$FILE_DATA>","<$COMMONAPPDATA>\OAV\oav.cfg"
File:"<$FILE_LINK>","<$QUICKLAUNCH>\Omega AntiVir.lnk"
File:"<$FILE_DESKTOPLINK>","<$DESKTOP>\Omega AntiVir.lnk"
// NOTE(review): mozcrt??.dll and sqlite3.dll are generic runtime library names; matching them in
// any <$COMMONAPPDATA> subdirectory may hit unrelated software — consider restricting them to the
// directory identified by OMEGA-AV.ico (see the Directory rule below).
File:"<$FILE_LIBRARY>","<$COMMONAPPDATA>\*\mozcrt??.dll"
File:"<$FILE_PICTURE>","<$COMMONAPPDATA>\*\OMEGA-AV.ico"
File:"<$FILE_LIBRARY>","<$COMMONAPPDATA>\*\sqlite3.dll"
File:"<$FILE_LINK>","<$STARTMENU>\Omega AntiVir.lnk"
File:"<$FILE_LINK>","<$PROGRAMS>\Omega AntiVir.lnk"
// NOTE(review): the first Directory rule names a file (cookies.sqlite) rather than a directory;
// every other file in this section uses File: — confirm the intended rule type.
Directory:"<$DIR_APPDATA>","<$APPDATA>\Omega AntiVir\cookies.sqlite"
Directory:"<$DIR_APPDATA>","<$APPDATA>\Omega AntiVir"
// Directory:"<$DIR_COMMON_APPDATA>","<$COMMONAPPDATA>\61a60"
Directory:"<$DIR_COMMON_APPDATA>","<$COMMONAPPDATA>\*","filename=OMEGA-AV.ico"
Directory:"<$DIR_COMMON_APPDATA>","<$COMMONAPPDATA>\OAV"
// HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Omega AntiVir
RegyKey:"<$REG_SETTINGS>",HKEY_CURRENT_USER,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\","Omega AntiVir"
// HKEY_CLASSES_ROOT\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}
RegyKey:"<$REG_CLASSID>",HKEY_CLASSES_ROOT,"\CLSID\","{3F2BBC05-40DF-11D2-9455-00104BC936FF}"
// HKEY_CLASSES_ROOT\SetupPack.DocHostUIHandler
RegyKey:"<$REG_SETTINGS>",HKEY_CLASSES_ROOT,"\","SetupPack.DocHostUIHandler"
// HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform "8789107703"
// NOTE(review): the value name 8789107703 is the only unquoted one in this file; confirm the
// parser accepts a bare token, otherwise quote it like the other RegyValue rules.
RegyValue:"<$REG_SETTINGS>",HKEY_CURRENT_USER,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform\",8789107703

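// Malware.Fraud.ProofDefender2009:
// AutoRun:"Proof Defender 2009",""C:\Program Files\Proof Defender 2009\pdfndr.exe","flagifnofile=1"
AutoRun:"Proof Defender 2009","<$PROGRAMFILES>\Proof Defender 2009\*.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","Proof Defender 2009"
// File:"<$FILE_EXE>",""C:\Program Files\Proof Defender 2009\pdfndr.exe"
File:"<$FILE_EXE>","<$PROGRAMFILES>\Proof Defender 2009\pdfndr.exe"
File:"<$FILE_DATA>","<$PROGRAMFILES>\Proof Defender 2009\dbbase.div"
File:"<$FILE_LIBRARY>","<$PROGRAMFILES>\Proof Defender 2009\pd.dll"
File:"<$FILE_EXE>","<$PROGRAMFILES>\Proof Defender 2009\UnInstall.exe"
File:"<$FILE_LINK>","<$COMMONPROGRAMS>\Proof Defender 2009\Proof Defender 2009.lnk"
File:"<$FILE_LINK>","<$COMMONPROGRAMS>\Proof Defender 2009\Uninstall Proof Defender 2009.lnk"
Directory:"<$DIR_PROG>","<$COMMONPROGRAMS>\Proof Defender 2009"
// Review: the program directory was given as the literal "c:\Program Files\Proof Defender 2009"
// while every other rule in this section uses <$PROGRAMFILES>; the placeholder form is not tied to
// drive C: or the English folder name. A second, identical pdfndr.exe File rule was dropped.
Directory:"<$DIR_PROG>","<$PROGRAMFILES>\Proof Defender 2009"
// HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PDefender
RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\","PDefender"
// HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PDefender
RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\","PDefender"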

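// Malware.Fraud.SafetyKeeper:
// First autostart entry has a random name
// AutoRun:"gbn976rl.exe","C:\WINDOWS\system32\gbn976rl.exe","flagifnofile=1"
// RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","gbn976rl.exe"
// File:"<$FILE_EXE>","C:\WINDOWS\system32\gbn976rl.exe"
// c:\Documents and Settings\Bleeping\Local Settings\Temp\gbn976rl.exe
// HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "gbn976rl.exe"
// AutoRun:"SafetyKeeper","C:\Program Files\SafetyKeeper Software\SafetyKeeper\SafetyKeeper.exe -min   ","flagifnofile=1"
AutoRun:"SafetyKeeper","<$PROGRAMFILES>\SafetyKeeper Software\SafetyKeeper\SafetyKeeper.exe*","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","SafetyKeeper"
File:"<$FILE_EXE>","<$PROGRAMFILES>\SafetyKeeper Software\SafetyKeeper\SafetyKeeper.exe"
// NOTE(review): the two SharedTaskScheduler rules below carry service-style ImagePath / DisplayName
// conditions, and the Services key for SafetyKeeperSvc is already targeted at the end of this
// section; confirm which location the source log actually showed.
RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","SafetyKeeperSvc","ImagePath=<$PROGRAMFILES>\SafetyKeeper Software\SafetyKeeper\SafetyKeeperSvc.exe"
RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","SafetyKeeperSvc","DisplayName=SafetyKeeper Security Service"
File:"<$FILE_EXE>","<$PROGRAMFILES>\SafetyKeeper Software\SafetyKeeper\SafetyKeeperSvc.exe"
File:"<$FILE_DESKTOPLINK>","<$COMMONDESKTOP>\SafetyKeeper.lnk"
File:"<$FILE_LINK>","<$COMMONPROGRAMS>\SafetyKeeper\1 SafetyKeeper.lnk"
File:"<$FILE_LINK>","<$COMMONPROGRAMS>\SafetyKeeper\2 Homepage.lnk"
File:"<$FILE_LINK>","<$COMMONPROGRAMS>\SafetyKeeper\3 Uninstall.lnk"
File:"<$FILE_EXE>","<$PROGRAMFILES>\SafetyKeeper Software\SafetyKeeper\uninstall.exe"
// In my view the file names are not entirely random; a "stable core" can almost always be recognised
// NOTE(review): the *ztr*, *backdoor*, *virus*, *ief*, *not-a-*, *spy* and *-a-virus* wildcards each
// generalise from one sample; check them against a clean <$WINDIR> / <$SYSDIR> before shipping.
// The .ocx/.bin entries are also tagged inconsistently (<$FILE_DATA> for the <$WINDIR> ones,
// <$FILE_EXE> for the <$SYSDIR> ones).
// c:\WINDOWS\1059ztr9j470.bin"
File:"<$FILE_DATA>","<$WINDIR>\*ztr*.bin"
// c:\WINDOWS\1155backdoor929z.ocx"
File:"<$FILE_DATA>","<$WINDIR>\*backdoor*.ocx"
// c:\WINDOWS\118019ot-a-virus5ez.exe"
File:"<$FILE_EXE>","<$WINDIR>\*virus*.exe"
// c:\WINDOWS\system32\90a3t5ief225z.ocx"
File:"<$FILE_EXE>","<$SYSDIR>\*ief*.ocx"
// c:\WINDOWS\system32\9207znot-a-v5rus2f7.bin"
File:"<$FILE_EXE>","<$SYSDIR>\*not-a-*.bin"
// c:\WINDOWS\system32\923bspyw5rez493.exe"
File:"<$FILE_EXE>","<$SYSDIR>\*spy*.exe"
// c:\WINDOWS\system32\925855ot-a-virus31z.exe"
File:"<$FILE_EXE>","<$SYSDIR>\*-a-virus*.exe"
Directory:"<$DIR_PROG>","<$COMMONPROGRAMS>\SafetyKeeper"
Directory:"<$DIR_PROG>","<$PROGRAMFILES>\SafetyKeeper Software\SafetyKeeper"
Directory:"<$DIR_PROG>","<$PROGRAMFILES>\SafetyKeeper Software"
// Review: the five registry rules below used the short hive names CURRENT_USER / LOCAL_MACHINE;
// every other rule in this file spells them HKEY_CURRENT_USER / HKEY_LOCAL_MACHINE, so they are
// normalised here. The Uninstall\SafetyKeeper rule also pointed at the user hive although its
// source line above is under HKEY_LOCAL_MACHINE, and the Enum\Root path lacked the trailing
// backslash that every other key path in this file carries.
// HKEY_CURRENT_USER\Software\SafetyKeeper
RegyKey:"<$REG_SETTINGS>",HKEY_CURRENT_USER,"\Software\","SafetyKeeper"
// HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SafetyKeeper
RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Uninstall\","SafetyKeeper"
// HKEY_LOCAL_MACHINE\SOFTWARE\SafetyKeeper
RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\Software\","SafetyKeeper"
// HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SAFETYKEEPERSVC
RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SYSTEM\CurrentControlSet\Enum\Root\","LEGACY_SAFETYKEEPERSVC"
// HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SafetyKeeperSvc
RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SYSTEM\CurrentControlSet\Services\","SafetyKeeperSvc"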

// Malware.Fraud.Unknown:
// NOTE(review): these are generic one- and two-letter GIF names and the closing Directory rule
// removes <$SYSDIR>\images as a whole; there is no registry or autorun anchor in this section, so
// verify on a clean install that nothing else uses that directory before shipping.
// c:\windows\system32\images\i1.gif
// c:\windows\system32\images\i2.gif
// c:\windows\system32\images\i3.gif
File:"<$FILE_PICTURE>","<$SYSDIR>\images\i?.gif"
// c:\windows\system32\images\j1.gif
// c:\windows\system32\images\j2.gif
// c:\windows\system32\images\j3.gif
File:"<$FILE_PICTURE>","<$SYSDIR>\images\j?.gif"
// c:\windows\system32\images\jj1.gif
// c:\windows\system32\images\jj2.gif
// c:\windows\system32\images\jj3.gif
File:"<$FILE_PICTURE>","<$SYSDIR>\images\jj?.gif"
// c:\windows\system32\images\l1.gif
// c:\windows\system32\images\l2.gif
// c:\windows\system32\images\l3.gif
File:"<$FILE_PICTURE>","<$SYSDIR>\images\l?.gif"
// c:\windows\system32\images\pix.gif
File:"<$FILE_PICTURE>","<$SYSDIR>\images\pix.gif"
// c:\windows\system32\images\t1.gif
// c:\windows\system32\images\t2.gif
File:"<$FILE_PICTURE>","<$SYSDIR>\images\t?.gif"
// c:\windows\system32\images\up1.gif
// c:\windows\system32\images\up2.gif
File:"<$FILE_PICTURE>","<$SYSDIR>\images\up?.gif"
// c:\windows\system32\images\w1.gif
// c:\windows\system32\images\w2.gif
// c:\windows\system32\images\w3.gif
// c:\windows\system32\images\w3.jpg
File:"<$FILE_PICTURE>","<$SYSDIR>\images\w?.gif"
File:"<$FILE_PICTURE>","<$SYSDIR>\images\w?.jpg"
// c:\windows\system32\images\w11.gif
// c:\windows\system32\images\wt1.gif
// c:\windows\system32\images\wt2.gif
// c:\windows\system32\images\wt3.gif
File:"<$FILE_PICTURE>","<$SYSDIR>\images\w??.gif"
Directory:"<$DIR_PROG>","<$SYSDIR>\images"

// Malware.Fraud.WinProtector:
// AutoRun:"WINPS",""C:\Documents and Settings\All Users\Application Data\d413612\WinProtector.exe" /s","flagifnofile=1"
// The trailing * on the AutoRun path presumably absorbs the " /s" argument seen in the log line
// (same pattern as the OmegaAntiVir and SafetyKeeper entries); the random directory (d413612)
// is covered by the \*\ wildcard and by the Directory rule's filename condition.
AutoRun:"WINPS","<$COMMONAPPDATA>\*\WinProtector.exe*","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","WINPS"
// File:"<$FILE_EXE>",""C:\Documents and Settings\All Users\Application Data\d413612\WinProtector.exe" /s"
File:"<$FILE_EXE>","<$COMMONAPPDATA>\*\WinProtector.exe"
Directory:"<$DIR_COMMON_APPDATA>","<$COMMONAPPDATA>\*","filename=WinProtector.exe"

// Malware.Infostealer.Gamepass:
// NOTE(review): AppInit_DLLs is a shared, multi-entry value. RegyRemove naming only msosmhfp01.dll
// is the right shape (same approach as the Virtumonde entries further down); do not replace it with
// a rule that deletes the whole value, which would also strip legitimate entries.
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","msosmhfp01.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\msosmhfp01.dll"

// Malware.Smitfraud:
// Two-part detection: the SharedTaskScheduler value "djuka" with its CLSID, plus wbchha.dll in <$SYSDIR>.
RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","djuka","djuka={ee9f7cf5-cd49-4cd8-8ba6-1514e7a5c22c}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\wbchha.dll"

// Malware.Sysguard:
// AutoRun:"system tool","C:\Program Files\jnsfyv\ebojsysguard.exe","flagifnofile=1"
// NOTE(review): both the directory (jnsfyv) and the file prefix (eboj) look random in the log,
// hence <$PROGRAMFILES>\*\*sysguard.exe. The Directory rule removes any Program Files subfolder
// holding a *sysguard.exe — acceptable only if the engine scopes the delete to folders where the
// filename condition holds; confirm before shipping.
AutoRun:"system tool","<$PROGRAMFILES>\*\*sysguard.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","system tool"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","system tool"
File:"<$FILE_EXE>","<$PROGRAMFILES>\*\*sysguard.exe"
Directory:"<$DIR_PROG>","<$PROGRAMFILES>\*","filename=*sysguard.exe"

// Malware.Unknown(1):
// BHO registered under the CLSID below; the DLL name is generalised to cy?????.dll from the single
// sample cy37722.dll (same approach as Adware.AdRotator above).
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{2508CBA6-AD92-3624-9005-4383115B413F}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{2508CBA6-AD92-3624-9005-4383115B413F}"
// BrowserHelperEx:"D","filename=cy37722.dll"
BrowserHelperEx:"D","filename=cy?????.dll"
// File:"<$FILE_LIBRARY>","<$SYSDIR>\cy37722.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\cy?????.dll"

// Malware.Unknown(2):
// AutoRun:"Faohjygg",""C:\Program Files\Common Files\??stem32\w?nspool.exe"","flagifnofile=1"
// NOTE(review): the AutoRun rule appears to accept any entry name (*) and uses flagifnofile=0,
// while the RegyValue rule is pinned to the one observed name "Faohjygg"; if the name is random,
// as the * suggests, the RegyValue rule will only catch this sample.
AutoRun:"*","<$COMMONPROGRAMFILES>\*stem32\w?nspool.exe","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","Faohjygg"
// File:"<$FILE_EXE>",""C:\Program Files\Common Files\??stem32\w?nspool.exe""
File:"<$FILE_EXE>","<$COMMONPROGRAMFILES>\*stem32\w?nspool.exe"

// Malware.Unknown(3):
// c:\windows\ppp3.dat
// c:\windows\ppp4.dat
// c:\windows\system32\bennuar.old
// c:\windows\system32\bincd32.dat
// c:\windows\system32\desote.exe
// NOTE(review): ppp?.dat is tagged <$FILE_EXE> while the other .dat/.old entries use <$FILE_DATA>;
// confirm whether that tag was deliberate.
File:"<$FILE_EXE>","<$WINDIR>\ppp?.dat"
File:"<$FILE_DATA>","<$SYSDIR>\bennuar.old"
File:"<$FILE_DATA>","<$SYSDIR>\bincd??.dat"
File:"<$FILE_EXE>","<$SYSDIR>\desote.exe"

// Malware.Unknown(4):
// c:\windows\system32\Bin9.exe
// c:\windows\system32\Cmk7ubTz.exe
// c:\windows\system32\Jle7.exe
// c:\windows\SYSTEM32\ntSVc.ocx
// c:\windows\system32\QizZ.exe
// c:\windows\system32\TafqX3m.exe
// c:\windows\system32\Voqv.exe
// c:\windows\system32\Xwe1X.exe
// c:\windows\system32\ZnyC.exe
// c:\windows\system32\Zwl4tD3.exe
// NOTE(review): Xwe*.exe, Zny*.exe and especially Zw*.exe keep only two or three characters of a
// single sample each and could match unrelated files in <$SYSDIR>; Qizz.exe differs in case from
// the logged QizZ.exe, which only matters if the matcher is case-sensitive — confirm both.
File:"<$FILE_EXE>","<$SYSDIR>\Bin?.exe"
File:"<$FILE_EXE>","<$SYSDIR>\Cmk7ubTz.exe"
File:"<$FILE_EXE>","<$SYSDIR>\Jle?.exe"
File:"<$FILE_DATA>","<$SYSDIR>\ntSVc.ocx"
File:"<$FILE_EXE>","<$SYSDIR>\Qizz.exe"
File:"<$FILE_EXE>","<$SYSDIR>\TafqX3m.exe"
File:"<$FILE_EXE>","<$SYSDIR>\Voqv.exe"
File:"<$FILE_EXE>","<$SYSDIR>\Xwe*.exe"
File:"<$FILE_EXE>","<$SYSDIR>\Zny*.exe"
File:"<$FILE_EXE>","<$SYSDIR>\Zw*.exe"

// Suspicious:
// NOTE(review): no rule follows these hosts-file lines. They map payment / fake-AV domains and
// several microsoft.com host names (intsecure.microsoft.com, virusermoverpro.microsoft.com,
// browser-security.microsoft.com) to third-party addresses; if the rule format offers a hosts-file
// entry type this section is incomplete, and the repeated lines could be collapsed.
// O1 - Hosts: 91.121.97.18 www.thepiratebay.org
// O1 - Hosts: 91.121.97.18 thepiratebay.org
// O1 - Hosts: 91.121.97.18 www.thepiratebay.org
// O1 - Hosts: 91.121.97.18 thepiratebay.org
// O1 - Hosts: 74.125.45.100 4-open-davinci.com
// O1 - Hosts: 74.125.45.100 securitysoftwarepayments.com
// O1 - Hosts: 74.125.45.100 privatesecuredpayments.com
// O1 - Hosts: 74.125.45.100 secure.privatesecuredpayments.com
// O1 - Hosts: 74.125.45.100 getantivirusplusnow.com
// O1 - Hosts: 74.125.45.100 secure-plus-payments.com
// O1 - Hosts: 74.125.45.100 www.getantivirusplusnow.com
// O1 - Hosts: 74.125.45.100 www.secure-plus-payments.com
// O1 - Hosts: 74.125.45.100 www.getavplusnow.com
// O1 - Hosts: 74.125.45.100 www.securesoftwarebill.com
// O1 - Hosts: 74.125.45.100 secure.paysecuresystem.com
// O1 - Hosts: 74.125.45.100 4-open-davinci.com
// O1 - Hosts: 74.125.45.100 securitysoftwarepayments.com
// O1 - Hosts: 74.125.45.100 privatesecuredpayments.com
// O1 - Hosts: 74.125.45.100 secure.privatesecuredpayments.com
// O1 - Hosts: 74.125.45.100 getantivirusplusnow.com
// O1 - Hosts: 74.125.45.100 secure-plus-payments.com
// O1 - Hosts: 74.125.45.100 www.getantivirusplusnow.com
// O1 - Hosts: 74.125.45.100 www.secure-plus-payments.com
// O1 - Hosts: 74.125.45.100 www.getavplusnow.com
// O1 - Hosts: 74.125.45.100 www.securesoftwarebill.com
// O1 - Hosts: 74.125.45.100 secure.paysecuresystem.com
// O1 - Hosts: 91.212.127.220 intsecure.microsoft.com
// O1 - Hosts: 91.212.127.220 intsecure-2009.com
// O1 - Hosts: 91.212.127.220 www.intsecure-2009.com
// O1 - Hosts: 91.212.127.221 virusermoverpro.microsoft.com
// O1 - Hosts: 91.212.127.221 virusermoverpro.com
// O1 - Hosts: 91.212.127.221 www.virusermoverpro.com
// O1 - Hosts: 195.245.119.131 browser-security.microsoft.com
// O1 - Hosts: 74.125.45.100 4-open-davinci.com
// O1 - Hosts: 74.125.45.100 securitysoftwarepayments.com
// O1 - Hosts: 74.125.45.100 privatesecuredpayments.com
// O1 - Hosts: 74.125.45.100 secure.privatesecuredpayments.com
// O1 - Hosts: 74.125.45.100 getantivirusplusnow.com
// O1 - Hosts: 74.125.45.100 secure-plus-payments.com
// O1 - Hosts: 74.125.45.100 www.getantivirusplusnow.com
// O1 - Hosts: 74.125.45.100 www.secure-plus-payments.com
// O1 - Hosts: 74.125.45.100 www.getavplusnow.com
// O1 - Hosts: 74.125.45.100 www.securesoftwarebill.com
// O1 - Hosts: 74.125.45.100 secure.paysecuresystem.com

// Trojan.AdClick:
// ShellServiceObjectDelayLoad entry "SystemCheck2" (a persistence location loaded by explorer.exe) plus vbsys2.dll in <$SYSDIR>.
RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","SystemCheck2","SystemCheck2={54645654-2225-4455-44A1-9F4543D34545}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\vbsys2.dll"

// Trojan.Agent:
// The autostart name is random; the file name appears to be fixed (found several times on the internet)
// AutoRun:"anhtaas","C:\WINDOWS\system32\cvsdfw.exe","flagifnofile=1"
AutoRun:"*","<$SYSDIR>\cvsdfw.exe","flagifnofile=1"
// NOTE(review): consistent with the remark above, the AutoRun rule accepts any entry name, but the
// RegyValue rule is still pinned to the one observed name "anhtaas" and will only catch this sample.
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","anhtaas"
File:"<$FILE_EXE>","<$SYSDIR>\cvsdfw.exe"

// Trojan.Agent(2) or Trojan.Zbot:
// Was already included in my file #25 as "Trojan.Trojan(3)" and adopted by you as Trojan.Agent.blablabla; here is a further path;
// Now suspect Zbot, hence NTFile
// AutoRun:"sys32_nov","C:\Documents and Settings\lcarden\sys32_nov.exe","flagifnofile=1"
// The log places the executable directly in the profile root, hence <$PROFILE>\ with no subfolder.
AutoRun:"sys32_nov","<$PROFILE>\sys32_nov.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","sys32_nov"
// File:"<$FILE_EXE>","C:\Documents and Settings\lcarden\sys32_nov.exe"
NTFile:"<$FILE_EXE>","<$PROFILE>\sys32_nov.exe"

// Trojan.Agent(3):
// AutoRun:"Windows Loader","C:\Dokumente und Einstellungen\Sebastian\Anwendungsdaten\ptssvc.exe -lds","flagifnofile=1"
// NOTE(review): <$APPDATA>\*.exe* matches any executable in the roaming profile, so the entry name
// "Windows Loader" is the only thing anchoring the AutoRun rule; the File rule, by contrast, is
// pinned to ptssvc.exe. Keep the name exact.
AutoRun:"Windows Loader","<$APPDATA>\*.exe*","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","Windows Loader"
// File:"<$FILE_EXE>","C:\Dokumente und Einstellungen\Sebastian\Anwendungsdaten\ptssvc.exe -lds"
File:"<$FILE_EXE>","<$APPDATA>\ptssvc.exe"

// Trojan.Autorun:
// AutoRun:"regdiit","C:\WINDOWS\system32\win.exe","flagifnofile=1"
AutoRun:"regdiit","<$SYSDIR>\win.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","regdiit"
// File:"<$FILE_EXE>","C:\WINDOWS\system32\win.exe"
File:"<$FILE_EXE>","<$SYSDIR>\win.exe"
// AutoRun:"CTFMON","C:\WINDOWS\system32\wscript.exe /E:vbs C:\WINDOWS\system32\winjpg.jpg","flagifnofile=1"
// NOTE(review): the logged Run entry launches wscript.exe with /E:vbs, i.e. winjpg.jpg is script
// content behind a picture extension, and the entry name "CTFMON" mimics the legitimate ctfmon entry.
// The AutoRun rule keys on the .jpg path rather than the wscript.exe command — confirm the engine
// matches a path that appears only as an argument.
AutoRun:"CTFMON","<$SYSDIR>\winjpg.jpg","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","CTFMON"
File:"<$FILE_PICTURE>","<$SYSDIR>\winjpg.jpg"

// Trojan.Haxdoor:
// Winlogon Notify package "rgadtm": the RegyKey rule carries the DllName=<$SYSDIR>\rgadtm.dll condition and the File rule removes that DLL.
RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\","rgadtm","DllName=<$SYSDIR>\rgadtm.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\rgadtm.dll"

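// Trojan.TDSS.Rootkit:
// C:\Windows\System32\rotscxbbnmpfpx.dat
// C:\Windows\System32\rotscxkitxmibx.dll
// C:\Windows\System32\rotscxmtvqwoos.dat
// C:\Windows\System32\rotscxnpxccqte.dat
// C:\Windows\System32\rotscxptqqqpdr.dat
// C:\Windows\System32\rotscxpydxpcwm.dll
// C:\Windows\System32\rotscxrirhdear.dll
// C:\Windows\System32\rotscxspvcqetp.dll
// C:\Windows\System32\rotscxvinelxkt.dll
// C:\Windows\System32\drivers\rotscxbvlpmltv.sys
// C:\Windows\System32\drivers\rotscxqqwxfqnm.sys
// Review: the two <$SYSDIR> rules lacked the path separator after the placeholder (compare the
// drivers rule below and every other <$SYSDIR>\ rule in this file), which would presumably have
// glued "rotscx" onto the directory name; the backslash is restored here.
File:"<$FILE_DATA>","<$SYSDIR>\rotscx*.dat"
File:"<$FILE_LIBRARY>","<$SYSDIR>\rotscx*.dll"
File:"<$FILE_SERVICE>","<$SYSDIR>\drivers\rotscx*.sys"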

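// Trojan.Unknown(1):
// Was already included in my file #25 as "Trojan.Unknown(1)" and adopted by you as Trojan.Agent.blablabla, as far as I know
// R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Hacked by NAME-YECX24RTR5
// R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = .-~= Hacked by TbH w0rm =~-.
// Review: the value is named "Window Title" in both log lines above; the rule had "Windows Title",
// a name that does not appear in the log and would leave the hijacked title in place.
RegyChange:"<$REG_SETTINGS>",HKEY_CURRENT_USER,"\Software\Microsoft\Internet Explorer\Main\","Window Title=Standard"
// AutoRun:"NAME-YECX24RTR5","C:\WINDOWS\SYSTEM32\NAME-YECX24RTR5.vbs","flagifnofile=1"
AutoRun:"NAME-*","<$SYSDIR>\NAME-*.vbs","flagifnofile=1"
// NOTE(review): the AutoRun and File rules use NAME-*, but this RegyValue rule is pinned to the one
// observed suffix and will only catch this sample.
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","NAME-YECX24RTR5"
// File:"<$FILE_EXE>","C:\WINDOWS\SYSTEM32\NAME-YECX24RTR5.vbs"
File:"<$FILE_DATA>","<$SYSDIR>\NAME-*.vbs"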

// Trojan.Unknown(2):
// O4 - HKLM\..\RunServices: [Nod42 Service] nod143.exe
// O4 - HKLM\..\RunServices: [Windows Service] kachba1.exe
// NOTE(review): both log lines come from the RunServices key, yet the RegyValue rules below target
// ...\CurrentVersion\Run\. Unless the engine folds RunServices into <$REG_AUTORUN>, add matching
// rules for "\Software\Microsoft\Windows\CurrentVersion\RunServices\". The log also gives bare file
// names, so <$SYSDIR> is an assumption about where they live — confirm.
// AutoRun:"Nod42 Service","nod143.exe","flagifnofile=1"
AutoRun:"Nod?? Service","<$SYSDIR>\nod???.exe","flagifnofile=1"
// AutoRun:"Windows Service","kachba1.exe","flagifnofile=1"
AutoRun:"Windows Service","<$SYSDIR>\kachba?.exe","flagifnofile=1"
// RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","Nod42 Service"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","Nod?? Service"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","Windows Service"
// File:"<$FILE_EXE>","<$SYSDIR>\nod143.exe"
File:"<$FILE_EXE>","<$SYSDIR>\nod???.exe"
// File:"<$FILE_EXE>","kachba1.exe"
File:"<$FILE_EXE>","<$SYSDIR>\kachba?.exe"

// Trojan.Unknown(3):
// AutoRun:"svchost.exe","C:\WINDOWS\system32\bootfile.exe","flagifnofile=1"
// NOTE(review): the Run entry name "svchost.exe" borrows a system process name; the AutoRun rule
// uses "*" with flagifnofile=0, so the bootfile.exe path is what anchors it.
AutoRun:"*","<$SYSDIR>\bootfile.exe","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","svchost.exe"
File:"<$FILE_EXE>","<$SYSDIR>\bootfile.exe"

// Trojan.Unknown(4):
// AutoRun:"RegistryMonitor1","C:\WINDOWS\system32\qtplugin.exe","flagifnofile=1"
// RegistryMonitor? generalises the trailing digit of the observed name RegistryMonitor1; the file name is kept exact.
AutoRun:"RegistryMonitor?","<$SYSDIR>\qtplugin.exe","flagifnofile=1"
// RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","RegistryMonitor1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","RegistryMonitor?"
File:"<$FILE_EXE>","<$SYSDIR>\qtplugin.exe"

// Trojan.Unknown(5):
// Asterisk (*), since there is no Windows service with this name
// AutoRun:"Windows Services","services.exe","flagifnofile=1"
AutoRun:"Windows Services","<$WINDIR>\*.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","Windows Services"
// NOTE(review): the log gives a bare "services.exe"; these File rules assume the copy lives directly
// in <$WINDIR>. Keep them there — widening to <$SYSDIR> would match the legitimate services.exe.
File:"<$FILE_EXE>","<$WINDIR>\services.exe"
File:"<$FILE_EXE>","<$WINDIR>\system.exe"

// Trojan.Unknown(6):
// Not sure how to account for this second "\"
// AutoRun:"Keygen.exe","C:\Users\\AppData\Local\Microsoft\Windows\Explorer\Keygen.exe","flagifnofile=1"
// NOTE(review): the empty component in "C:\Users\\AppData" is most likely the user-name segment
// blanked in the log. If ? is a single-character wildcard as used elsewhere in this file, "\?AppData"
// only matches a one-character profile folder named like "xAppData". If the intent is any profile,
// "<$PROFILES>\*\AppData\Local\Microsoft\Windows\Explorer\Keygen.exe" follows the \*\ form used
// elsewhere here — confirm against the source log.
AutoRun:"Keygen.exe","<$PROFILES>\?AppData\Local\Microsoft\Windows\Explorer\Keygen.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","Keygen.exe"
// File:"<$FILE_EXE>","C:\Users\\AppData\Local\Microsoft\Windows\Explorer\Keygen.exe"
File:"<$FILE_EXE>","<$PROFILES>\?AppData\Local\Microsoft\Windows\Explorer\Keygen.exe"

// Trojan.Unknown(7):
// AutoRun:"winlog.exe","C:\Documents and Settings\Mataza\Application Data\Microsoft\winlog.exe","flagifnofile=1"
// Per-user Run entry; the logged path maps to the Microsoft subfolder of the roaming profile, hence <$APPDATA>\Microsoft\.
AutoRun:"winlog.exe","<$APPDATA>\Microsoft\winlog.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","winlog.exe"
// File:"<$FILE_EXE>","C:\Documents and Settings\Mataza\Application Data\Microsoft\winlog.exe"
File:"<$FILE_EXE>","<$APPDATA>\Microsoft\winlog.exe"

// Trojan.Virtumonde:
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{0CA2FA2F-4BAF-4CFF-9EB3-C5856AF87F2A}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{0CA2FA2F-4BAF-4CFF-9EB3-C5856AF87F2A}"
BrowserHelperEx:"*","filename=xxyaabbb.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\xxyaabbb.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{BF56A325-23F2-42AD-F4E4-00AAC39CAA53}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{BF56A325-23F2-42AD-F4E4-00AAC39CAA53}"
BrowserHelperEx:"*","filename=tajf83ikdmf.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\tajf83ikdmf.dll"
// AutoRun:"Cgupoxuxu","rundll32.exe "C:\WINDOWS\Azotepin.dll",e","flagifnofile=1"
AutoRun:"*","<$WINDIR>\Azotepin.dll*","flagifnofile=0"
// AutoRun:"Bpinixa","rundll32.exe "C:\WINDOWS\awiyebiyiniyeta.dll",e","flagifnofile=1"
AutoRun:"*","<$WINDIR>\awiyebiyiniyeta.dll*","flagifnofile=0"
// AutoRun:"ter8m","RUNDLL32.EXE D:\WINDOWS\system32\msxm192z.dll,w ","flagifnofile=1"
AutoRun:"*","<$SYSDIR>\msxm192z.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","Cgupoxuxu"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","Bpinixa"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","ter8m"
File:"<$FILE_LIBRARY>","<$WINDIR>\Azotepin.dll"
File:"<$FILE_LIBRARY>","<$WINDIR>\awiyebiyiniyeta.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\msxm192z.dll"
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\dpcdll32.dll"
File:"<$FILE_WEBPAGE>","<$SYSDIR>\dpcdll32.dll"
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\kebilaku.dll"
File:"<$FILE_WEBPAGE>","<$SYSDIR>\kebilaku.dll"
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\watekaho.dll"
File:"<$FILE_WEBPAGE>","<$SYSDIR>\watekaho.dll"
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\zoyareja.dll "
File:"<$FILE_WEBPAGE>","<$SYSDIR>\zoyareja.dll "
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","jgmhyy.dll"
File:"<$FILE_WEBPAGE>","<$SYSDIR>\jgmhyy.dll"
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$WINDIR>\TEMP\2455sys.dll"
File:"<$FILE_WEBPAGE>","<$WINDIR>\TEMP\2455sys.dll"
RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\","*","DllName=<$SYSDIR>\dpcdll32.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\dpcdll32.dll"
RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","ghya673gidh87we9inkff","ghya673gidh87we9inkff={BF56A325-23F2-42AD-F4E4-00AAC39CAA53}"
// Aus einem Logfile von ComboFix:
File:"<$FILE_LIBRARY>","<$SYSDIR>\aaxxqrah.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\adqespiy.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\afahlacl.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\ajiojunm.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\alfmssvk.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\amxusvia.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\anadfbfc.dll"
File:"<$FILE_CONFIGURATION>","<$SYSDIR>\aopmwhic.ini"
File:"<$FILE_CONFIGURATION>","<$SYSDIR>\aymkiiyp.ini"
File:"<$FILE_LIBRARY>","<$SYSDIR>\bdtgubfh.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\bhfvhmtg.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\brmsdsrn.dll"
File:"<$FILE_CONFIGURATION>","<$SYSDIR>\brnrccck.ini"
File:"<$FILE_CONFIGURATION>","<$SYSDIR>\bweeoqyx.ini"
File:"<$FILE_LIBRARY>","<$SYSDIR>\byneuoms.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\cbhfrnvp.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\ccaglpsf.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\ccalxtgt.dll"
File:"<$FILE_CONFIGURATION>","<$SYSDIR>\cfbfdana.ini"
File:"<$FILE_LIBRARY>","<$SYSDIR>\cgxtqglr.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\cmiwmnnv.dll"
File:"<$FILE_CONFIGURATION>","<$SYSDIR>\cnbofviy.ini"
File:"<$FILE_LIBRARY>","<$SYSDIR>\cnudrbve.exe"
File:"<$FILE_LIBRARY>","<$SYSDIR>\cohywbok.exe"
File:"<$FILE_LIBRARY>","<$SYSDIR>\csjregsr.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\ctporjdt.dll"
File:"<$FILE_CONFIGURATION>","<$SYSDIR>\djaekdud.ini"
File:"<$FILE_LIBRARY>","<$SYSDIR>\djrkiqak.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\dkpuvbtx.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\dlbyqkud.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\dmyxwktv.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\dqlpxbsh.dll"
File:"<$FILE_SERVICE>","<$SYSDIR>\drivers\Qtw71.sys"
File:"<$FILE_LIBRARY>","<$SYSDIR>\dwwrclnk.dll"
File:"<$FILE_CONFIGURATION>","<$SYSDIR>\edpaogpv.ini"
File:"<$FILE_LIBRARY>","<$SYSDIR>\efxrytjr.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\enafkckn.dll"
File:"<$FILE_CONFIGURATION>","<$SYSDIR>\eswaqejk.ini"
File:"<$FILE_CONFIGURATION>","<$SYSDIR>\eueifwyv.ini"
File:"<$FILE_LIBRARY>","<$SYSDIR>\evnbtjng.dll"
File:"<$FILE_EXE>","<$SYSDIR>\fasd474.exe"
File:"<$FILE_EXE>","<$SYSDIR>\fbdcjwqs.exe"
File:"<$FILE_EXE>","<$SYSDIR>\felbijqh.exe"
File:"<$FILE_EXE>","<$SYSDIR>\fgcflqnr.exe"
File:"<$FILE_CONFIGURATION>","<$SYSDIR>\figujfeq.ini"
File:"<$FILE_CONFIGURATION>","<$SYSDIR>\fjglclvl.ini"
File:"<$FILE_CONFIGURATION>","<$SYSDIR>\fjokofjq.ini"
File:"<$FILE_LIBRARY>","<$SYSDIR>\fkpbjoqv.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\florexgy.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\fupwewjp.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\gbfrnqlm.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\gdoihrwi.dll"
File:"<$FILE_CONFIGURATION>","<$SYSDIR>\ggwaknbe.ini"
File:"<$FILE_CONFIGURATION>","<$SYSDIR>\gtmhvfhb.ini"
File:"<$FILE_LIBRARY>","<$SYSDIR>\guaqaehh.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\gudckhcd.dll"
File:"<$FILE_CONFIGURATION>","<$SYSDIR>\gvadptmh.ini"
File:"<$FILE_LIBRARY>","<$SYSDIR>\gwedoaul.dll"
File:"<$FILE_EXE>","<$SYSDIR>\gytlscnw.exe"
File:"<$FILE_LIBRARY>","<$SYSDIR>\hcuowoid.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\hhlvtftq.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\hkmmcclg.dll"
File:"<$FILE_CONFIGURATION>","<$SYSDIR>\hmjmkpga.ini"
File:"<$FILE_LIBRARY>","<$SYSDIR>\hmjqdsdc.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\hmtpdavg.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\hnhyusmt.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\hppxsjfr.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\hqtkbmdo.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\hretnapk.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\hrkhgbsu.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\hshxqxwg.dll"
File:"<$FILE_EXE>","<$SYSDIR>\hxcaspym.exe"
File:"<$FILE_EXE>","<$SYSDIR>\icfwrdyg.exe"
File:"<$FILE_CONFIGURATION>","<$SYSDIR>\iffoqjav.ini"
File:"<$FILE_EXE>","<$SYSDIR>\ighccppb.exe"
File:"<$FILE_LIBRARY>","<$SYSDIR>\ivjrgaqk.dll"
File:"<$FILE_CONFIGURATION>","<$SYSDIR>\iyygsmmb.ini"
File:"<$FILE_LIBRARY>","<$SYSDIR>\jbjanurw.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\jdjcejqe.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\jhccroyx.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\jhkmfrfc.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\jhleoxhn.dll"
File:"<$FILE_CONFIGURATION>","<$SYSDIR>\jktgmtwy.ini"
File:"<$FILE_EXE>","<$SYSDIR>\jlpgwjql.exe"
File:"<$FILE_LIBRARY>","<$SYSDIR>\jquaprcl.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\jsrndygm.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\jypsykao.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\kcccrnrb.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\keoclfot.dll"
File:"<$FILE_CONFIGURATION>","<$SYSDIR>\khgqcqsy.ini"
File:"<$FILE_LIBRARY>","<$SYSDIR>\kjeqawse.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\kmmllndw.exe"
File:"<$FILE_LIBRARY>","<$SYSDIR>\kmwnopau.exe"
File:"<$FILE_CONFIGURATION>","<$SYSDIR>\kncstjxm.ini"
File:"<$FILE_EXE>","<$SYSDIR>\kssjmlhp.exe"
File:"<$FILE_LIBRARY>","<$SYSDIR>\ksvevmqr.dll"
File:"<$FILE_CONFIGURATION>","<$SYSDIR>\kxxekfeu.ini"
File:"<$FILE_LIBRARY>","<$SYSDIR>\laehbiwi.dll"
File:"<$FILE_CONFIGURATION>","<$SYSDIR>\lbveqexr.ini"
File:"<$FILE_LIBRARY>","<$SYSDIR>\lgreyqao.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\lnzfhn.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\ltlvbkmn.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\lvlclgjf.dll"
File:"<$FILE_TEMP>","<$SYSDIR>\mcrh.tmp"
File:"<$FILE_CONFIGURATION>","<$SYSDIR>\mdceytbi.ini"
File:"<$FILE_CONFIGURATION>","<$SYSDIR>\mnqss.ini"
File:"<$FILE_CONFIGURATION>","<$SYSDIR>\mnqss.ini2"
File:"<$FILE_CONFIGURATION>","<$SYSDIR>\mnujoija.ini"
File:"<$FILE_LIBRARY>","<$SYSDIR>\mxjtscnk.dll"
File:"<$FILE_CONFIGURATION>","<$SYSDIR>\ndbmvosu.ini"
File:"<$FILE_LIBRARY>","<$SYSDIR>\ntghgsxg.dll"
File:"<$FILE_CONFIGURATION>","<$SYSDIR>\ocvhepnp.ini"
File:"<$FILE_LIBRARY>","<$SYSDIR>\oenocgit.dll"
File:"<$FILE_CONFIGURATION>","<$SYSDIR>\oislmvmg.ini"
File:"<$FILE_CONFIGURATION>","<$SYSDIR>\oqdjxcrp.ini"
File:"<$FILE_CONFIGURATION>","<$SYSDIR>\oxikthdj.ini"
File:"<$FILE_CONFIGURATION>","<$SYSDIR>\pcctirhh.ini"
File:"<$FILE_LIBRARY>","<$SYSDIR>\pjhynmjg.dll"
File:"<$FILE_EXE>","<$SYSDIR>\pmcgkthk.exe"
File:"<$FILE_LIBRARY>","<$SYSDIR>\pnpehvco.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\prcxjdqo.dll"
File:"<$FILE_CONFIGURATION>","<$SYSDIR>\pwguynon.ini"
File:"<$FILE_LIBRARY>","<$SYSDIR>\pyiikmya.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\qcwjxjbh.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\qdqeccdk.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\qefjugif.dll"
File:"<$FILE_EXE>","<$SYSDIR>\qgnxiekc.exe"
File:"<$FILE_LIBRARY>","<$SYSDIR>\qjfokojf.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\qqzdjd.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\qscfmqlx.dll"
File:"<$FILE_CONFIGURATION>","<$SYSDIR>\qssxaigi.ini"
File:"<$FILE_CONFIGURATION>","<$SYSDIR>\qtftvlhh.ini"
File:"<$FILE_LIBRARY>","<$SYSDIR>\qyydgcqt.dll"
File:"<$FILE_CONFIGURATION>","<$SYSDIR>\rfjsxpph.ini"
File:"<$FILE_LIBRARY>","<$SYSDIR>\rhlxulti.dll"
File:"<$FILE_CONFIGURATION>","<$SYSDIR>\rjtyrxfe.ini"
File:"<$FILE_CONFIGURATION>","<$SYSDIR>\rnrwrefw.ini"
File:"<$FILE_LIBRARY>","<$SYSDIR>\rxeqevbl.dll"
File:"<$FILE_CONFIGURATION>","<$SYSDIR>\saxuydvf.ini"
File:"<$FILE_LIBRARY>","<$SYSDIR>\scawcdjw.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\seaplfgn.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\sgsbniyh.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\sjxjnbiq.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\smligldx.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\sobfiovk.exe"
File:"<$FILE_LIBRARY>","<$SYSDIR>\soymxmad.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\sqfyryex.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\ssqnm.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\stlqvmaw.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\stskujhv.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\sycjudtf.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\syjghjjr.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\tchvfedq.dll"
File:"<$FILE_CONFIGURATION>","<$SYSDIR>\tcrouovw.ini"
File:"<$FILE_LIBRARY>","<$SYSDIR>\tdavoxtg.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\tdbchfxx.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\tjfnlw.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\tjyxwlck.dll"
File:"<$FILE_EXE>","<$SYSDIR>\tmywgjuc.exe"
File:"<$FILE_CONFIGURATION>","<$SYSDIR>\tnjmtmto.ini"
File:"<$FILE_EXE>","<$SYSDIR>\tvehcgde.exe"
File:"<$FILE_LIBRARY>","<$SYSDIR>\tvpfwnis.dll"
File:"<$FILE_EXE>","<$SYSDIR>\tvxqosww.exe"
File:"<$FILE_LIBRARY>","<$SYSDIR>\txevptbj.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\uaqexipw.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\ubsuigiw.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\uesynebw.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\uomabuet.dll"
File:"<$FILE_CONFIGURATION>","<$SYSDIR>\urxjxgxa.ini"
File:"<$FILE_LIBRARY>","<$SYSDIR>\uwifilgt.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\vecadsad.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\vehinggd.dll"
File:"<$FILE_CONFIGURATION>","<$SYSDIR>\vhjuksts.ini"
File:"<$FILE_LIBRARY>","<$SYSDIR>\vidkkaro.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\vkjdwssw.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\vpgoapde.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\vywfieue.dll"
File:"<$FILE_CONFIGURATION>","<$SYSDIR>\wagtemjq.ini"
File:"<$FILE_LIBRARY>","<$SYSDIR>\wcfsteuf.exe"
File:"<$FILE_LIBRARY>","<$SYSDIR>\whexcqfa.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\wifayssa.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\wisnobgk.dll"
File:"<$FILE_CONFIGURATION>","<$SYSDIR>\wjdcwacs.ini"
File:"<$FILE_CONFIGURATION>","<$SYSDIR>\wjmlmkbx.ini"
File:"<$FILE_LIBRARY>","<$SYSDIR>\wobackua.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\wsfulang.dll"
File:"<$FILE_CONFIGURATION>","<$SYSDIR>\wsswdjkv.ini"
File:"<$FILE_LIBRARY>","<$SYSDIR>\wvlsasaf.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\wvouorct.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\wvvohntl.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\xbkmlmjw.dll"
File:"<$FILE_CONFIGURATION>","<$SYSDIR>\xdifhapu.ini"
File:"<$FILE_CONFIGURATION>","<$SYSDIR>\xfsryjnh.ini"
File:"<$FILE_LIBRARY>","<$SYSDIR>\xhhbpvyt.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\xibrfrrq.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\xjbhginj.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\xktasraq.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\xrvxkbmr.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\xussfwpi.dll"
File:"<$FILE_EXE>","<$SYSDIR>\yaknsuwe.exe"
File:"<$FILE_LIBRARY>","<$SYSDIR>\yhivtccw.dll"
File:"<$FILE_CONFIGURATION>","<$SYSDIR>\yhrifymq.ini"
File:"<$FILE_LIBRARY>","<$SYSDIR>\yiakdnfh.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\yivfobnc.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\ykabjsqt.dll"
File:"<$FILE_CONFIGURATION>","<$SYSDIR>\ykcneibg.ini"
File:"<$FILE_LIBRARY>","<$SYSDIR>\yoqtxujf.dll"
File:"<$FILE_EXE>","<$SYSDIR>\ypysdilg.exe"
File:"<$FILE_LIBRARY>","<$SYSDIR>\ysqcqghk.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\ywtmgtkj.dll"

// Worm.Koobface:
// Taken from an MBAM log file (the paths quoted below are the observed samples):
// C:\WINDOWS\srpira1251855585.eXE
// NOTE(review): the logged name is "srpira" followed by a run of digits, but the
// pattern below reads "srpiral" (letter l before the wildcard). Either the log line
// or the rule has an l/1 mix-up; confirm against the sample, because as written the
// rule may not match the very file it was derived from.
File:"<$FILE_EXE>","<$WINDIR>\srpiral*.exe"
// C:\WINDOWS\vkl_1252597232.exe
// C:\WINDOWS\vkl_1252609899.exe
// C:\WINDOWS\vkl_1252616629.exe
// C:\WINDOWS\vkl_1252617592.exe
// C:\WINDOWS\vkl_1252620006.exe
// C:\WINDOWS\vkl_1252629969.exe
// C:\WINDOWS\vkl_1252726096.exe
// C:\WINDOWS\vkl_1252734417.exe
// C:\WINDOWS\vkl_1252797224.exe
// NOTE(review): all nine logged names start with "vkl_" (letter l) whereas the rule
// uses "vk1_" (digit 1) — same l/1 question as above; verify before relying on it.
// The "1252" stem looks like the leading digits of a Unix-epoch timestamp (these
// values fall in September 2009), so the wildcard only covers files dropped in that
// window; later drops with a "1253..." or higher stem would not be matched.
File:"<$FILE_EXE>","<$WINDIR>\vk1_1252*.exe"
// C:\WINDOWS\0101120101464950.xe
// C:\WINDOWS\0101120101465050.xe
// C:\WINDOWS\0101120101465054.xe
// C:\WINDOWS\0101120101465154.xe
// The pattern anchors on the 12-digit prefix shared by the four observed names;
// files whose prefix differs will not be matched. ".xe" is not an executable
// extension, hence the <$FILE_DATA> type rather than <$FILE_EXE>.
File:"<$FILE_DATA>","<$WINDIR>\010112010146*.xe"