Thread: New Malware v74

    #1 Matt (Senior Member, Bavaria)

    New Malware v74

    I've collected detection rules for the following malware:
    • Adware.Toolbar888
    • Adware.ZQuest
    • Rootkit.Zbot
    • Security.Microsoft.Windows.RedirectedHosts(2)
    • Spyware.AdRotator
    • Spyware.Spynet
    • Trojan.Agent(2)
    • Trojan.FakeAlert.ttam(2)
    • Trojan.FraudPack
    • Trojan.Rbot
    • Trojan.Swisyn
    • Trojan.Virtumonde(2)
    Category: Trojan
    Code:
    :: New Malware v74
    // Revision 1
    // {Cat:Trojan}{Cnt:1}
    // {Det:Matt,2010-02-25}
    
    
    // Adware.Toolbar888:
    BrowserHelperEx:"Bar888","filename=*.dll"
    RegyValue:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Internet Explorer\Toolbar\","{C1B4DEC2-2623-438e-9CA2-C9043AB28508}"
    RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{C1B4DEC2-2623-438e-9CA2-C9043AB28508}"
    File:"<$FILE_DATA>","<$PROGRAMFILES>\Toolbar888\basis.xml"
    File:"<$FILE_DATA>","<$PROGRAMFILES>\Toolbar888\basis.xmlold"
    File:"<$FILE_PICTURE>","<$PROGRAMFILES>\Toolbar888\icons.bmp"
    File:"<$FILE_WEBPAGE>","<$PROGRAMFILES>\Toolbar888\installed.html"
    File:"<$FILE_PICTURE>","<$PROGRAMFILES>\Toolbar888\logo.bmp"
    File:"<$FILE_DATA>","<$PROGRAMFILES>\Toolbar888\ToolBar888.crc"
    File:"<$FILE_LIBRARY>","<$PROGRAMFILES>\Toolbar888\ToolBar888.dll"
    File:"<$FILE_TEXT>","<$PROGRAMFILES>\Toolbar888\version.txt"
    File:"<$FILE_EXE>","<$COMMONPROGRAMFILES>\InetGet\freeprodtb.exe"
    Directory:"<$DIR_PROG>","<$COMMONPROGRAMFILES>\InetGet"
    Directory:"<$DIR_PROG>","<$PROGRAMFILES>\Toolbar888\Cache"
    Directory:"<$DIR_PROG>","<$PROGRAMFILES>\Toolbar888"
    
    
    // Adware.ZQuest:
    // Name per McAfee
    BrowserHelperEx:"*","filename=DH.dll"
    RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{C5AF2622-8C75-4dfb-9693-23AB7686A456}"
    RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{C5AF2622-8C75-4dfb-9693-23AB7686A456}"
    RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\","DH"
    RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\","{22131A58-5F9A-3EAA-28A7-C3059A3D0632}"
    File:"<$FILE_LIBRARY>","<$WINDIR>\DH.dll"
    File:"<$FILE_LIBRARY>","<$WINDIR>\dh.ini"
    File:"<$FILE_LIBRARY>","<$WINDIR>\DHU.exe"
    File:"<$FILE_LIBRARY>","<$WINDIR>\z00096.exe"
    
    
    // Rootkit.Zbot:
    // RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","load","load=C:\WINDOWS\system32\ddcyx.exe"
    RegyRemove:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","load","<$SYSDIR>\ddcyx.exe"
    NTFile:"<$FILE_EXE>","<$SYSDIR>\ddcyx.exe"
    
    
    // Security.Microsoft.Windows.RedirectedHosts(1):
    // O1 - Hosts: 93.186.119.130 www.google.com
    // O1 - Hosts: 93.186.119.130 google.com
    // O1 - Hosts: 93.186.119.130 google.com.au
    // O1 - Hosts: 93.186.119.130 www.google.com.au
    // O1 - Hosts: 93.186.119.130 google.be
    // O1 - Hosts: 93.186.119.130 www.google.be
    // O1 - Hosts: 93.186.119.130 google.com.br
    // O1 - Hosts: 93.186.119.130 www.google.com.br
    // O1 - Hosts: 93.186.119.130 google.ca
    // O1 - Hosts: 93.186.119.130 www.google.ca
    // O1 - Hosts: 93.186.119.130 google.ch
    // O1 - Hosts: 93.186.119.130 www.google.ch
    // O1 - Hosts: 93.186.119.130 google.de
    // O1 - Hosts: 93.186.119.130 www.google.de
    // O1 - Hosts: 93.186.119.130 google.dk
    // O1 - Hosts: 93.186.119.130 www.google.dk
    // O1 - Hosts: 93.186.119.130 google.fr
    // O1 - Hosts: 93.186.119.130 www.google.fr
    // O1 - Hosts: 93.186.119.130 google.ie
    // O1 - Hosts: 93.186.119.130 www.google.ie
    // O1 - Hosts: 93.186.119.130 google.it
    // O1 - Hosts: 93.186.119.130 www.google.it
    // O1 - Hosts: 93.186.119.130 google.co.jp
    // O1 - Hosts: 93.186.119.130 www.google.co.jp
    // O1 - Hosts: 93.186.119.130 google.nl
    // O1 - Hosts: 93.186.119.130 www.google.nl
    // O1 - Hosts: 93.186.119.130 google.no
    // O1 - Hosts: 93.186.119.130 www.google.no
    // O1 - Hosts: 93.186.119.130 google.co.nz
    // O1 - Hosts: 93.186.119.130 www.google.co.nz
    // O1 - Hosts: 93.186.119.130 google.pl
    // O1 - Hosts: 93.186.119.130 www.google.pl
    // O1 - Hosts: 93.186.119.130 google.se
    // O1 - Hosts: 93.186.119.130 www.google.se
    // O1 - Hosts: 93.186.119.130 google.co.uk
    // O1 - Hosts: 93.186.119.130 www.google.co.uk
    // O1 - Hosts: 93.186.119.130 google.co.za
    // O1 - Hosts: 93.186.119.130 www.google.co.za
    // O1 - Hosts: 93.186.119.130 www.google-analytics.com
    HostRedirect:"google.*","93.186.119.130"
    HostRedirect:"*.google.*","93.186.119.130"
    HostRedirect:"*.google.*.*","93.186.119.130"
    HostRedirect:"*.google-analytics.*","93.186.119.130"
    // O1 - Hosts: 93.186.119.130 www.bing.com
    HostRedirect:"*.bing.*","93.186.119.130"
    // O1 - Hosts: 93.186.119.130 search.yahoo.com
    HostRedirect:"search.yahoo.*","93.186.119.130"
    // O1 - Hosts: 93.186.119.130 www.search.yahoo.com
    // O1 - Hosts: 93.186.119.130 uk.search.yahoo.com
    // O1 - Hosts: 93.186.119.130 ca.search.yahoo.com
    // O1 - Hosts: 93.186.119.130 de.search.yahoo.com
    // O1 - Hosts: 93.186.119.130 fr.search.yahoo.com
    // O1 - Hosts: 93.186.119.130 au.search.yahoo.com
    HostRedirect:"*.search.yahoo.*","93.186.119.130"
    
    
    // Security.Microsoft.Windows.RedirectedHosts(2):
    // O17 - HKLM\System\CCS\Services\Tcpip\..\{22C5CBE9-856E-4470-9D38-2C4C16AC215F}: NameServer = 93.188.162.103,93.188.166.85
    // O17 - HKLM\System\CCS\Services\Tcpip\..\{8C4D0866-5AF1-4E84-8283-525A9F2F3746}: NameServer = 202.96.128.68,61.144.56.101
    // O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 93.188.162.103,93.188.166.85
    // O17 - HKLM\System\CS2\Services\Tcpip\..\{22C5CBE9-856E-4470-9D38-2C4C16AC215F}: NameServer = 93.188.162.103,93.188.166.85
    // O17 - HKLM\System\CS5\Services\Tcpip\Parameters: NameServer = 93.188.162.103,93.188.166.85
    // O17 - HKLM\System\CS5\Services\Tcpip\..\{22C5CBE9-856E-4470-9D38-2C4C16AC215F}: NameServer = 93.188.162.103,93.188.166.85
    // O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.162.103,93.188.166.85
    // O17 - HKLM\System\CCS\Services\Tcpip\..\{AC85187F-77D1-4187-B0EE-AFDA818055FA}: NameServer = 93.188.162.13,93.188.166.82
    // O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 93.188.162.13,93.188.166.82
    // O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 93.188.162.13,93.188.166.82
    // O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.162.13,93.188.166.82
    // O17 - HKLM\System\CCS\Services\Tcpip\..\{814F9DC6-B136-4C46-80D7-EF9191EE6032}: NameServer = 93.188.164.222,93.188.166.43
    // O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 93.188.164.222,93.188.166.43
    // O17 - HKLM\System\CS1\Services\Tcpip\..\{814F9DC6-B136-4C46-80D7-EF9191EE6032}: NameServer = 93.188.164.222,93.188.166.43
    // O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 93.188.164.222,93.188.166.43
    // O17 - HKLM\System\CS2\Services\Tcpip\..\{814F9DC6-B136-4C46-80D7-EF9191EE6032}: NameServer = 93.188.164.222,93.188.166.43
    // O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.164.222,93.188.166.43
    // O17 - HKLM\System\CCS\Services\Tcpip\..\{2DEFEE5A-8A0F-424D-A752-7F0172937C79}: NameServer = 93.188.165.100,93.188.161.97
    // O17 - HKLM\System\CCS\Services\Tcpip\..\{C9D01E95-5D1F-4B9F-AFA3-C252E28C2021}: NameServer = 93.188.165.100,93.188.161.97
    // O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 93.188.165.100,93.188.161.97
    // O17 - HKLM\System\CS1\Services\Tcpip\..\{2DEFEE5A-8A0F-424D-A752-7F0172937C79}: NameServer = 93.188.165.100,93.188.161.97
    // O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 93.188.165.100,93.188.161.97
    // O17 - HKLM\System\CS2\Services\Tcpip\..\{2DEFEE5A-8A0F-424D-A752-7F0172937C79}: NameServer = 93.188.165.100,93.188.161.97
    // O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.165.100,93.188.161.97
    // O17 - HKLM\System\CCS\Services\Tcpip\..\{0A26BEE9-89F9-4317-B3DC-563D1C3B268E}: NameServer = 93.188.164.208,93.188.161.30
    // O17 - HKLM\System\CCS\Services\Tcpip\..\{C2121600-6AEC-4118-9309-068E3C4ACEF5}: NameServer = 93.188.164.208,93.188.161.30
    // O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 93.188.164.208,93.188.161.30
    // O17 - HKLM\System\CS2\Services\Tcpip\..\{0A26BEE9-89F9-4317-B3DC-563D1C3B268E}: NameServer = 93.188.164.208,93.188.161.30
    // O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 93.188.164.208,93.188.161.30
    // O17 - HKLM\System\CS3\Services\Tcpip\..\{0A26BEE9-89F9-4317-B3DC-563D1C3B268E}: NameServer = 93.188.164.208,93.188.161.30
    // O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.164.208,93.188.161.30
    // O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 93.188.164.62,93.188.161.17
    // O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.164.62,93.188.161.17
    
    
    // Spyware.AdRotator:
    BrowserHelperEx:"bignetdaddy search enhancer","filename=*.dll"
    BrowserHelperEx:"flvdirect","filename=*.dll"
    RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{C6767189-DC76-4059-9273-C2FE472CC0DE}"
    RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{C6767189-DC76-4059-9273-C2FE472CC0DE}"
    RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{9cc8ffb0-ebce-7fe5-d5b1-6e39d71e6b92}"
    RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{9cc8ffb0-ebce-7fe5-d5b1-6e39d71e6b92}"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\stikytptsroze.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\x-3bA54_vjwI.dll"
    
    
    // Spyware.Spynet:
    // O4 - HKLM\..\Policies\Explorer\Run: [Policies] C:\WINDOWS\system32\install\svchosts.exe
    // O4 - HKCU\..\Policies\Explorer\Run: [Policies] C:\WINDOWS\system32\install\svchosts.exe
    AutoRun:"Policies","<$SYSDIR>\install\svchosts.exe","flagifnofile=1"
    // O4 - HKCU\..\Run: [HKCU] C:\WINDOWS\system32\install\svchosts.exe
    AutoRun:"HKCU","<$SYSDIR>\install\svchosts.exe","flagifnofile=1"
    // AutoRun:"HKLM","C:\WINDOWS\system32\install\svchosts.exe","flagifnofile=1"
    AutoRun:"HKLM","<$SYSDIR>\install\svchosts.exe","flagifnofile=1"
    RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","HKLM"
    File:"<$FILE_EXE>","<$SYSDIR>\install\svchosts.exe"
    Directory:"<$DIR_PROG>","<$SYSDIR>\install","filename=svchosts.exe"
    
    
    // Trojan.Agent(1):
    // AutoRun:"asg984jgkfmgasi8ug98jgkfgfb","C:\DOCUME~1\Chrish16\LOCALS~1\Temp\cmd.exe","flagifnofile=1"
    AutoRun:"*","<$LOCALSETTINGS>\Temp\cmd.exe","flagifnofile=1"
    // AutoRun:"asg984jgkfmgasi8ug98jgkfgfb","C:\WINDOWS\TEMP\winlogon.exe","flagifnofile=1"
    AutoRun:"*","<$WINDIR>\TEMP\winlogon.exe","flagifnofile=1"
    RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","asg984jgkfmgasi8ug98jgkfgfb"
    File:"<$FILE_EXE>","<$LOCALSETTINGS>\Temp\cmd.exe"
    File:"<$FILE_EXE>","<$WINDIR>\TEMP\winlogon.exe"
    
    
    // Trojan.Agent(2):
    // AutoRun:"system32","WScript.exe c:\Windows\InetSS\InetSS.vbs","flagifnofile=1"
    AutoRun:"system32","<$WINDIR>\InetSS\InetSS.vbs","flagifnofile=1"
    RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","system32"
    // File:"<$FILE_EXE>","WScript.exe c:\Windows\InetSS\InetSS.vbs"
    File:"<$FILE_DATA>","<$WINDIR>\InetSS\InetSS.vbs"
    Directory:"<$DIR_PROG>","<$WINDIR>\InetSS","filename=InetSS.vbs"
    
    // AutoRun:"system32","%Windir%\system32.exe","flagifnofile=1"
    AutoRun:"system32","<$WINDIR>\system32.exe","flagifnofile=1"
    RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","system32"
    // File:"<$FILE_EXE>","%Windir%\system32.exe"
    File:"<$FILE_EXE>","<$WINDIR>\system32.exe"
    
    // AutoRun:"syst32","C:\DOKUME~1\ROBIN`~1\LOKALE~1\Temp\syst32.exe","flagifnofile=1"
    AutoRun:"syst32","<$LOCALSETTINGS>\Temp\syst32.exe","flagifnofile=1"
    RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","syst32"
    // File:"<$FILE_EXE>","C:\DOKUME~1\ROBIN`~1\LOKALE~1\Temp\syst32.exe"
    File:"<$FILE_EXE>","<$LOCALSETTINGS>\Temp\syst32.exe"
    
    
    // Trojan.FakeAlert.ttam(1):
    // Could also be Trojan.Ertfor, but I'm not sure because of the O4 entries
    // The CLSID is the same in the O2 and O22 entries
    BrowserHelperEx:"*","filename=g8waera.dll"
    BrowserHelperEx:"*","filename=v7hfvni.dll"
    RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{A3BA40A2-74F0-42BD-F434-00B15A2C8953}"
    RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{A3BA40A2-74F0-42BD-F434-00B15A2C8953}"
    RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","7whfiudhf8s7f3oifhif7syfdhsof","7whfiudhf8s7f3oifhif7syfdhsof={A3BA40A2-74F0-42BD-F434-00B15A2C8953}"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\g8waera.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\v7hfvni.dll"
    // AutoRun:"Remote System Protection","rundll32.exe C:\WINDOWS\system32\g8waera.dll, HUI_proc","flagifnofile=1"
    // AutoRun:"Remote System Protection","rundll32.exe C:\WINDOWS\system32\v7hfvni.dll, HUI_proc","flagifnofile=1"
    AutoRun:"Remote System Protection","<$SYSDIR>\v7hfvni.dll*","flagifnofile=1"
    RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","Remote System Protection"
    // File:"<$FILE_EXE>","rundll32.exe C:\WINDOWS\system32\g8waera.dll, HUI_proc"
    // File:"<$FILE_EXE>","rundll32.exe C:\WINDOWS\system32\v7hfvni.dll, HUI_proc"
    
    
    // Trojan.FakeAlert.ttam(2):
    // AutoRun:"net",""C:\DOCUME~1\Jazmin\LOCALS~1\Temp\xsownceram.tmp","flagifnofile=1"
    AutoRun:"net","<$LOCALSETTINGS>\Temp\*.tmp","flagifnofile=1"
    RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","net"
    // File:"<$FILE_EXE>",""C:\DOCUME~1\Jazmin\LOCALS~1\Temp\xsownceram.tmp"
    
    
    // Trojan.FraudPack:
    // AutoRun:"TOY5KNQ8OC","C:\DOCUME~1\KILLER~1\LOCALS~1\Temp\Idd.exe","flagifnofile=1"
    // AutoRun:"TOY5KNQ8OC","C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\Qzl.exe","flagifnofile=1"
    AutoRun:"TOY5KNQ8OC","<$LOCALSETTINGS>\Temp\???.exe","flagifnofile=1"
    RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","TOY5KNQ8OC"
    // File:"<$FILE_EXE>","C:\DOCUME~1\KILLER~1\LOCALS~1\Temp\Idd.exe"
    // File:"<$FILE_EXE>","C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\Qzl.exe"
    // AutoRun:"ROUA3O12PW","C:\WINDOWS\msa.exe","flagifnofile=1"
    AutoRun:"ROUA3O12PW","<$WINDIR>\???.exe","flagifnofile=1"
    RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","ROUA3O12PW"
    File:"<$FILE_EXE>","<$WINDIR>\msa.exe"
    
    
    // Trojan.Rbot:
    // AutoRun:"Microsoft Windows Hosting Service Login","C:\DOCUME~1\Dylan\LOCALS~1\Temp\explorer.exe","flagifnofile=1"
    AutoRun:"Microsoft Windows Hosting Service Login","<$LOCALSETTINGS>\Temp\explorer.exe","flagifnofile=1"
    RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","Microsoft Windows Hosting Service Login"
    // File:"<$FILE_EXE>","C:\DOCUME~1\Dylan\LOCALS~1\Temp\explorer.exe"
    File:"<$FILE_EXE>","<$LOCALSETTINGS>\Temp\explorer.exe"
    
    
    // Trojan.Swisyn:
    // Name per Kaspersky
    // More on this here: http://www.threatexpert.com/report.aspx?md5=d9c17c7e5570eaff87f02509e9884101
    // The autostart entry name together with the folder and file name are fixed
    // You could really add this one by now ;-) it's getting tiresome seeing it in log files for weeks :-)
    // O4 - HKLM\..\Policies\Explorer\Run: [RTHDBPL] C:\Dokumente und Einstellungen\Anne\Anwendungsdaten\SystemProc\lsass.exe
    AutoRun:"RTHDBPL","<$APPDATA>\SystemProc\lsass.exe","flagifnofile=0"
    Directory:"<$DIR_PROG>","<$APPDATA>\SystemProc","filename=lsass.exe"
    
    
    // Trojan.Virtumonde(1):
    BrowserHelperEx:"*","filename=iifcbaa.dll"
    RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}"
    RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\iifcbaa.dll"
    
    BrowserHelperEx:"*","filename=ddcyx.dll"
    RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{BC6087DC-87EB-4124-8877-5561F3BA6B0C}"
    RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{BC6087DC-87EB-4124-8877-5561F3BA6B0C}"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\ddcyx.dll"
    
    BrowserHelperEx:"*","filename=tuvibibu.dll"
    RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{c7318da1-a834-432d-9d76-15fbe580856e}"
    RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{c7318da1-a834-432d-9d76-15fbe580856e}"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\tuvibibu.dll"
    
    BrowserHelperEx:"*","filename=iaspolcy32.dll"
    RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{03637445-5EA6-453D-8028-4F6BF761A8A1}"
    RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{03637445-5EA6-453D-8028-4F6BF761A8A1}"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\iaspolcy32.dll"
    
    BrowserHelperEx:"*","filename=dot3ui32.dll"
    RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{01B9EB18-D180-49C4-B3C1-BBFFCDF2118f}"
    RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{01B9EB18-D180-49C4-B3C1-BBFFCDF2118f}"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\dot3ui32.dll"
    
    // AutoRun:"nalasunaj","Rundll32.exe "c:\windows\system32\tisehuza.dll",a","flagifnofile=1"
    AutoRun:"*","<$SYSDIR>\tisehuza.dll*","flagifnofile=0"
    RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","nalasunaj"
    // File:"<$FILE_EXE>","Rundll32.exe "c:\windows\system32\tisehuza.dll",a"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\tisehuza.dll"
    
    // AutoRun:"fahedulev","Rundll32.exe "c:\windows\system32\burolage.dll",a","flagifnofile=1"
    AutoRun:"*","<$SYSDIR>\burolage.dll*","flagifnofile=0"
    RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","fahedulev"
    // File:"<$FILE_EXE>","Rundll32.exe "c:\windows\system32\burolage.dll",a"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\burolage.dll"
    
    // AutoRun:"gshebhg","rundll32.exe "C:\Users\Nicolas\AppData\Roaming\szzxq.dll",ozytuvhc","flagifnofile=1"
    AutoRun:"*","<$APPDATA>\szzxq.dll*","flagifnofile=1"
    RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","gshebhg"
    // File:"<$FILE_EXE>","rundll32.exe "C:\Users\Nicolas\AppData\Roaming\szzxq.dll",ozytuvhc"
    File:"<$FILE_LIBRARY>","<$APPDATA>\szzxq.dll"
    
    RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\jepeyija.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\jepeyija.dll"
    
    RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","wogozote.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\wogozote.dll"
    
    RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\pihovosi.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\pihovosi.dll"
    
    RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\tisehuza.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\tisehuza.dll"
    
    RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\tudoraku.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\tudoraku.dll"
    
    RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","lepujeji.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\lepujeji.dll"
    
    RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\gurabimi.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\gurabimi.dll"
    
    RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\burolage.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\burolage.dll"
    
    RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","jepazeje.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\jepazeje.dll"
    
    RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\saguzuwi.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\saguzuwi.dll"
    
    RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","yekotosu.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\yekotosu.dll"
    
    RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\mcicda32.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\mcicda32.dll"
    
    RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\audiosrv32.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\audiosrv32.dll"
    
    RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\","587dd91b810","DllName=<$SYSDIR>\audiosrv32.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\audiosrv32.dll"
    
    RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\","262916f0729","DllName=<$SYSDIR>\mcicda32.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\mcicda32.dll"
    
    RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\","ljJYPfdE","DllName=<$SYSDIR>\ljJYPfdE.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\ljJYPfdE.dll"
    
    RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\","iifcbaa","DllName=iifcbaa.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\iifcbaa.dll"
    
    RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\","efcyWpQG","DllName=efcyWpQG.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\efcyWpQG.dll"
    
    RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","nipisafes","nipisafes={a7cc1f2f-7476-4063-989c-4c74d7ca2ed1}"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\vikehobe.dll"
    
    RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","yemipeyup","yemipeyup={e25baae4-8e6b-47b7-8e69-4b5fd9aac1d1}"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\nejagemu.dll"
    
    RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","wadebodej","wadebodej={15f0c806-2e6b-42ca-aa4d-01cea885ac87}"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\kahevezu.dll"
    
    RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","linefutir","linefutir={c4d58c17-ae3d-4e94-b8bc-b4068293e938}"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\nikadeho.dll"
    
    RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","gijejiraf","gijejiraf={1197a962-0689-47d7-a734-f78ce5f88d4b}"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\tunayiri.dll"
    
    RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","yorewifig","yorewifig={d85beb43-d8ed-4ef0-b605-2ac411e7f762}"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\dapotado.dll"
    
    RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","bodenezol","bodenezol={8125378e-ac19-45e6-9dd3-5ca9023de314}"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\tunayiri.dll"
    
    RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","vujafapes","vujafapes={c2ce0175-d75e-4265-8667-164c4d8f65bf}"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\tunayiri.dll"
    
    RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","mesemawih","mesemawih={c9569449-23c9-480d-ab96-cb376ecb279f}"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\dapotado.dll"
    
    RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","fayawidup","fayawidup={ecd2e98b-ab02-4642-8e0e-6fd5754ff733}"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\dapotado.dll"
    
    RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","rafahupuh","rafahupuh={68f186ce-6d31-4c43-a940-d5e6998dc29a}"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\madipoha.dll"
    
    RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","mepizasah","mepizasah={2dab26b1-41a3-4e8c-af55-89e5ec5a8ff8}"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\tunayiri.dll"
    
    RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","dizopefeg","dizopefeg={829b4073-4fd2-4b96-b19f-7d318bae71df}"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\jojubasa.dll"
    
    RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","zodakifif","zodakifif={7de79d61-606f-4a9e-bd78-3cbfe56fb113}"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\dapotado.dll"
    
    RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","sezodares","sezodares={1ec12f0e-908f-461d-b442-1eaab6c2e400}"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\tisehuza.dll"
    
    RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","venimoler","venimoler={4602db38-b7a2-4bf8-b482-4570be2dec38}"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\tisehuza.dll"
    
    RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","kejilebuw","kejilebuw={54e95371-0d1a-4537-82d8-97036b0833ad}"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\tisehuza.dll"
    
    RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","puruyofor","puruyofor={de44b957-175a-455d-ae35-cd8bda70b68e}"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\tisehuza.dll"
    
    RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","sepunesuk","sepunesuk={d324d673-6e8d-4b7f-af13-e6c6812e7f83}"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\tudoraku.dll"
    
    RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","kanupupil","kanupupil={9d978417-b70c-41b2-aead-667454e58017}"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\burolage.dll"
    
    RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","mujuzedij","mujuzedij={d324d673-6e8d-4b7f-af13-e6c6812e7f83}"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\tudoraku.dll"
    
    RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","tokatiluy","tokatiluy={9d978417-b70c-41b2-aead-667454e58017}"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\burolage.dll"
    
    RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","gahurihor","gahurihor={a7cc1f2f-7476-4063-989c-4c74d7ca2ed1}"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\vikehobe.dll"
    
    RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","mujuzedij","mujuzedij={e25baae4-8e6b-47b7-8e69-4b5fd9aac1d1}"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\nejagemu.dll"
    
    RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","tokatiluy","tokatiluy={15f0c806-2e6b-42ca-aa4d-01cea885ac87}"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\kahevezu.dll"
    
    RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","gahurihor","gahurihor={c4d58c17-ae3d-4e94-b8bc-b4068293e938}"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\nikadeho.dll"
    
    RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","gahurihor","gahurihor={1197a962-0689-47d7-a734-f78ce5f88d4b}"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\tunayiri.dll"
    
    RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","jugezatag","jugezatag={d85beb43-d8ed-4ef0-b605-2ac411e7f762}"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\dapotado.dll"
    
    RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","jugezatag","jugezatag={8125378e-ac19-45e6-9dd3-5ca9023de314}"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\tunayiri.dll"
    
    RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","kupuhivus","kupuhivus={c2ce0175-d75e-4265-8667-164c4d8f65bf}"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\tunayiri.dll"
    
    RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","mujuzedij","mujuzedij={c9569449-23c9-480d-ab96-cb376ecb279f}"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\dapotado.dll"
    
    RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","tokatiluy","tokatiluy={ecd2e98b-ab02-4642-8e0e-6fd5754ff733}"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\dapotado.dll"
    
    RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","tokatiluy","tokatiluy={68f186ce-6d31-4c43-a940-d5e6998dc29a}"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\madipoha.dll"
    
    RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","mujuzedij","mujuzedij={2dab26b1-41a3-4e8c-af55-89e5ec5a8ff8}"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\tunayiri.dll"
    
    RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","gahurihor","gahurihor={829b4073-4fd2-4b96-b19f-7d318bae71df}"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\jojubasa.dll"
    
    RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","jugezatag","jugezatag={7de79d61-606f-4a9e-bd78-3cbfe56fb113}"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\dapotado.dll"
    
    RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","mujuzedij","mujuzedij={1ec12f0e-908f-461d-b442-1eaab6c2e400}"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\tisehuza.dll"
    
    RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","mujuzedij","mujuzedij={4602db38-b7a2-4bf8-b482-4570be2dec38}"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\tisehuza.dll"
    
    RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","mujuzedij","mujuzedij={54e95371-0d1a-4537-82d8-97036b0833ad}"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\tisehuza.dll"
    
    RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","kupuhivus","kupuhivus={de44b957-175a-455d-ae35-cd8bda70b68e}"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\tisehuza.dll"
    
    
    // Trojan.Virtumonde(2):
    File:"<$FILE_LIBRARY>","<$SYSDIR>\fenefezu.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\favariki.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\jofalasa.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\gifekuwe.dll"
    File:"<$FILE_LIBRARY>","<$COMMONAPPDATA>\tedaboze\tedaboze.dll"
    Directory:"<$DIR_COMMON_APPDATA>","<$COMMONAPPDATA>\tedaboze"
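A minimal evaluator for rule lines in the syntax used above, added here as an illustration and not Spybot's or Matt's own code: it expands the <$…> placeholders, parses File, Directory and RegyValue rules, checks them against a constructed host inventory, and shows how repeated file indicators (the same DLL listed under several CLSIDs) collapse to one path. The placeholder values, reading the last RegyValue field as name=data, and exact-match semantics are my assumptions.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed placeholder expansions for a 32-bit Windows host (assumption).
PLACEHOLDERS = {"<$SYSDIR>": r"C:\Windows\System32",
                "<$COMMONAPPDATA>": r"C:\ProgramData"}

# Constructed sample in the rule syntax shown above (a few lines, not the full set).
SAMPLE_RULES = [
    r'// Trojan.Virtumonde:',
    r'RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","mujuzedij","mujuzedij={2dab26b1-41a3-4e8c-af55-89e5ec5a8ff8}"',
    r'File:"<$FILE_LIBRARY>","<$SYSDIR>\tunayiri.dll"',
    r'File:"<$FILE_LIBRARY>","<$SYSDIR>\jojubasa.dll"',
    r'File:"<$FILE_LIBRARY>","<$SYSDIR>\tunayiri.dll"',
    r'Directory:"<$DIR_COMMON_APPDATA>","<$COMMONAPPDATA>\tedaboze"',
]

# Constructed host inventory: lowercased paths and {hive+key: {value name: data}}.
HOST_FILES: Set[str] = {r"c:\windows\system32\tunayiri.dll"}
HOST_REGISTRY: Dict[str, Dict[str, str]] = {
    "hkey_local_machine\\software\\microsoft\\windows\\currentversion\\explorer\\sharedtaskscheduler\\":
        {"mujuzedij": "{2dab26b1-41a3-4e8c-af55-89e5ec5a8ff8}"},
}

def expand(s: str) -> str:
    """Substitute placeholders, then lowercase (Windows paths are case-insensitive)."""
    for ph, val in PLACEHOLDERS.items():
        s = s.replace(ph, val)
    return s.lower()

def parse_rule(line: str) -> Optional[Tuple[str, List[str]]]:
    """'Kind:"a",BARE,"b"' -> ('Kind', ['a', 'BARE', 'b']); None for comments/blanks."""
    line = line.strip()
    if not line or line.startswith(("//", "::")):
        return None
    kind, _, rest = line.partition(":")
    args = [q or b for q, b in re.findall(r'"([^"]*)"|([^",]+)', rest)]
    return kind, args

def evaluate(rules: List[str], files: Set[str], registry: Dict[str, Dict[str, str]]) -> List[str]:
    """Return every rule line whose indicator is present in the inventory."""
    hits = []
    for line in rules:
        parsed = parse_rule(line)
        if parsed is None:
            continue
        kind, a = parsed
        if kind in ("File", "Directory"):                 # a[1] is the path
            matched = expand(a[1]) in files
        elif kind == "RegyValue":                         # hive, key, value name, name=data
            key, name = expand(a[1] + a[2]), a[3].lower()
            data = a[4].partition("=")[2].lower()
            matched = registry.get(key, {}).get(name) == data
        else:
            matched = False
        if matched:
            hits.append(line.strip())
    return hits

def unique_paths(rules: List[str]) -> List[str]:
    """Distinct expanded File/Directory paths, so duplicated DLL rules count once."""
    paths = {expand(a[1]) for r in rules
             if (p := parse_rule(r)) and p[0] in ("File", "Directory") for _, a in [p]}
    return sorted(paths)
```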

  2. #2
    Junior Member
    Join Date
    Dec 2007
    Posts
    2


    Any idea when these files will be open for download. I've opened many of the posts but they all say the same thing.

  3. #3
    Senior Member Matt's Avatar
    Join Date
    Aug 2006
    Location
    Bavaria
    Posts
    1,169


    Hi fourte3n,

    Quote Originally Posted by fourte3n:
    Any idea when these files will be open for download. I've opened many of the posts but they all say the same thing.
    The process looks almost like this:
    • I upload some detection rules to Team Spybot.
    • Some members of Team Spybot analyse my detection rules.
    • If they find detection rules that aren't already in their database, they take them as far as is possible under the given circumstances.
    • My detection rules will be released together with the weekly updates.

    One Example:
    I've uploaded #73 and #74 during this week. I hope that Team Spybot will integrate these rules and release them with the next update, scheduled for the 3rd of March.

    All previous files from me are already in Spybot's database.
    Best regards - Beste Grüße,

    Matt
