I've collected detection rules for the following Malware:
  • Adware.Rond
  • Malware.Fraud.Dr.Guard
  • Malware.Fraud.MySecurityWall
  • Malware.Fraud.SpytechSpyAgent
  • Malware.Fraud.Sysguard
  • Malware.Fraud.WindowsSecurityCenter
  • PUPS.FastBrowserSearch.Protection
  • Spyware.AdRotator
  • Spyware.Marcetscore.RelevantKnowledge
  • Spyware.Spynet
  • Trojan.Agent
  • Trojan.Autorun
  • Trojan.Banload
  • Trojan.FakeAlert.ttam
  • Trojan.Virtumonde(2)
  • Trojan.Zlob
Category: Trojan
Code:
:: New Malware v76
// Revision 1
// {Cat:Trojan}{Cnt:1}
// {Det:Matt,2010-03-02}
// Submission header: the tagged lines above carry the category, a count and a
// detector/date stamp in the submission template's format; left exactly as given.
// Each section below pairs the original log observation (kept as a "//" line) with
// the generalised rule that uses <$...> placeholders instead of per-machine paths.


// Adware.Rond:
// Three observed install folders (anagrams of the same letters), each with an
// executable of the same name; the File rules remove the binary, the Directory
// rules the now-empty folder.
File:"<$FILE_EXE>","<$PROGRAMFILES>\Svconr\Svconr.exe"
File:"<$FILE_EXE>","<$PROGRAMFILES>\Csvnro\Csvnro.exe"
File:"<$FILE_EXE>","<$PROGRAMFILES>\Vcsron\Vcsron.exe"
Directory:"<$DIR_PROG>","<$PROGRAMFILES>\Svconr"
Directory:"<$DIR_PROG>","<$PROGRAMFILES>\Csvnro"
Directory:"<$DIR_PROG>","<$PROGRAMFILES>\Vcsron"


// Malware.Fraud.Dr.Guard:
// See #75
// Rogue "security" product: settings keys, two Run entries (a temp-folder loader
// and the main program with a "-noscan" argument), shortcuts and the install folder.
// HKEY_LOCAL_MACHINE\SOFTWARE\Dr. Guard
RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\","Dr. Guard"
// HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Dr. Guard
RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\","Dr. Guard"
// AutoRun:"asr64_ldm.exe","C:\DOCUME~1\Brad\LOCALS~1\Temp\asr64_ldm.exe","flagifnofile=1"
AutoRun:"asr64_ldm.exe","<$LOCALSETTINGS>\Temp\asr64_ldm.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","asr64_ldm.exe"
// File:"<$FILE_EXE>","C:\DOCUME~1\Brad\LOCALS~1\Temp\asr64_ldm.exe"
File:"<$FILE_EXE>","<$LOCALSETTINGS>\Temp\asr64_ldm.exe"
// AutoRun:"Dr. Guard",""C:\Program Files\Dr. Guard\drguard.exe" -noscan","flagifnofile=1"
// Trailing "*" on the path so the " -noscan" argument seen in the log still matches.
AutoRun:"Dr. Guard","<$PROGRAMFILES>\Dr. Guard\drguard.exe*","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","Dr. Guard"
// File:"<$FILE_EXE>",""C:\Program Files\Dr. Guard\drguard.exe" -noscan"
File:"<$FILE_EXE>","<$PROGRAMFILES>\Dr. Guard\drguard.exe"
File:"<$FILE_DESKTOPLINK>","<$DESKTOP>\Dr. Guard Support.lnk"
File:"<$FILE_DESKTOPLINK>","<$DESKTOP>\Dr. Guard.lnk"
File:"<$FILE_LINK>","<$QUICKLAUNCH>\Dr. Guard.lnk"
File:"<$FILE_LINK>","<$PROGRAMS>\Dr. Guard\About.lnk"
File:"<$FILE_LINK>","<$PROGRAMS>\Dr. Guard\Activate.lnk"
File:"<$FILE_LINK>","<$PROGRAMS>\Dr. Guard\Buy.lnk"
File:"<$FILE_LINK>","<$PROGRAMS>\Dr. Guard\Dr. Guard Support.lnk"
File:"<$FILE_LINK>","<$PROGRAMS>\Dr. Guard\Dr. Guard.lnk"
File:"<$FILE_LINK>","<$PROGRAMS>\Dr. Guard\Scan.lnk"
File:"<$FILE_LINK>","<$PROGRAMS>\Dr. Guard\Settings.lnk"
File:"<$FILE_LINK>","<$PROGRAMS>\Dr. Guard\Update.lnk"
// Install folder contents; drguard.exe is listed again here (duplicate of the
// rule above, harmless).
File:"<$FILE_PICTURE>","<$PROGRAMFILES>\Dr. Guard\about.ico"
File:"<$FILE_PICTURE>","<$PROGRAMFILES>\Dr. Guard\activate.ico"
File:"<$FILE_PICTURE>","<$PROGRAMFILES>\Dr. Guard\buy.ico"
File:"<$FILE_DATA>","<$PROGRAMFILES>\Dr. Guard\drg.db"
File:"<$FILE_LIBRARY>","<$PROGRAMFILES>\Dr. Guard\drgext.dll"
File:"<$FILE_LIBRARY>","<$PROGRAMFILES>\Dr. Guard\drghook.dll"
File:"<$FILE_EXE>","<$PROGRAMFILES>\Dr. Guard\drguard.exe"
File:"<$FILE_PICTURE>","<$PROGRAMFILES>\Dr. Guard\help.ico"
File:"<$FILE_PICTURE>","<$PROGRAMFILES>\Dr. Guard\scan.ico"
File:"<$FILE_PICTURE>","<$PROGRAMFILES>\Dr. Guard\settings.ico"
File:"<$FILE_SOUND>","<$PROGRAMFILES>\Dr. Guard\splash.mp3"
File:"<$FILE_EXE>","<$PROGRAMFILES>\Dr. Guard\uninstall.exe"
File:"<$FILE_PICTURE>","<$PROGRAMFILES>\Dr. Guard\update.ico"
File:"<$FILE_SOUND>","<$PROGRAMFILES>\Dr. Guard\virus.mp3"
Directory:"<$DIR_PROG>","<$PROGRAMS>\Dr. Guard"
Directory:"<$DIR_PROG>","<$PROGRAMFILES>\Dr. Guard"


// Malware.Fraud.MySecurityWall:
// At least the autostart entry could be adopted ;-)
// The folder and file name are per-infection random ("137b3bd", "MS137b.exe"), so
// the AutoRun rule wildcards both and anchors on the fixed Run value name instead;
// no File rule is given for the same reason (see the commented observation below).
// AutoRun:"My Security Wall",""C:\ProgramData\137b3bd\MS137b.exe" /s /d","flagifnofile=1"
AutoRun:"My Security Wall","<$COMMONAPPDATA>\*\MS*.exe*","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","My Security Wall"
// File:"<$FILE_EXE>",""C:\ProgramData\137b3bd\MS137b.exe" /s /d"


// Malware.Fraud.SpytechSpyAgent:
// Seen with two Run value names ("System32" and an empty name), hence the "*"
// name in the AutoRun rule. NOTE(review): the RegyValue rule only removes the
// "System32" variant; the empty-name variant relies on the AutoRun rule alone.
// AutoRun:"System32","C:\Program Files\Spytech Software\Spytech SpyAgent\sysdiag.exe","flagifnofile=1"
// AutoRun:"","C:\Program Files\Spytech Software\Spytech SpyAgent\sysdiag.exe","flagifnofile=1"
AutoRun:"*","<$PROGRAMFILES>\Spytech Software\Spytech SpyAgent\sysdiag.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","System32"
// File:"<$FILE_EXE>","C:\Program Files\Spytech Software\Spytech SpyAgent\sysdiag.exe"
File:"<$FILE_EXE>","<$PROGRAMFILES>\Spytech Software\Spytech SpyAgent\sysdiag.exe"
Directory:"<$DIR_PROG>","<$PROGRAMFILES>\Spytech Software\Spytech SpyAgent"
Directory:"<$DIR_PROG>","<$PROGRAMFILES>\Spytech Software"


// Malware.Fraud.Sysguard:
// Observation only, no active rule: the Run value name ("uqkcvoer"), the folder
// ("igjyof") and the executable name ("axsysftav.exe") are all random per
// infection, so a placeholder rule would have to wildcard every component and
// would be far too broad. Kept as reference for the maintainers.
// AutoRun:"uqkcvoer","C:\Documents and Settings\Catherine Carruth\Local Settings\Application Data\igjyof\axsysftav.exe","flagifnofile=1"
// RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","uqkcvoer"
// RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","uqkcvoer"
// File:"<$FILE_EXE>","C:\Documents and Settings\Catherine Carruth\Local Settings\Application Data\igjyof\axsysftav.exe"


// Malware.Fraud.WindowsSecurityCenter:
// Masquerades as svchost.exe but lives in the user's roaming AppData folder; the
// path placeholder keeps the rule from touching the real svchost.exe in the system dir.
// AutoRun:"Windows Security Center","C:\Documents and Settings\kevin.AMCHM9ZVK1\Application Data\svchost.exe","flagifnofile=1"
AutoRun:"Windows Security Center","<$APPDATA>\svchost.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","Windows Security Center"
// File:"<$FILE_EXE>","C:\Documents and Settings\kevin.AMCHM9ZVK1\Application Data\svchost.exe"
File:"<$FILE_EXE>","<$APPDATA>\svchost.exe"


// PUPS.FastBrowserSearch.Protection:
// Not sure whether you already have this variant !? :-)
// Run entry, binary and install folder of the "protection" component.
AutoRun:"FBSearch","<$PROGRAMFILES>\Fast Browser SearchP\FastBrowserSearchProtection.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","FBSearch"
File:"<$FILE_EXE>","<$PROGRAMFILES>\Fast Browser SearchP\FastBrowserSearchProtection.exe"
Directory:"<$DIR_PROG>","<$PROGRAMFILES>\Fast Browser SearchP"


// Spyware.AdRotator:
// Three BHO variants with a random word appended to the display name ("*" in the
// BrowserHelperEx rule) and a random DLL name in the system dir. For each variant
// the BHO registration and its CLSID key are removed as a pair, then the DLL.
// BrowserHelperEx:"SmartAds browser enhancer kskyqoun","flagfile=1"
BrowserHelperEx:"SmartAds browser enhancer *","filename=*.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{6DC5351F-A116-4710-9321-EC0A9BB42EF2}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{6DC5351F-A116-4710-9321-EC0A9BB42EF2}"
// C:\WINDOWS\system32\kskyqoun.dll
File:"<$FILE_LIBRARY>","<$SYSDIR>\kskyqoun.dll"

// BrowserHelperEx:"gooochi browser enhancer","flagfile=1"
BrowserHelperEx:"gooochi browser enhancer","filename=*.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{C0D82CE0-8F8D-E7DE-D7D5-ED740DAF963E}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{C0D82CE0-8F8D-E7DE-D7D5-ED740DAF963E}"
// C:\WINDOWS\system32\qyqaiodrrh.dll
File:"<$FILE_LIBRARY>","<$SYSDIR>\qyqaiodrrh.dll"
// This variant also re-registers the DLL from a Run entry via regsvr32; the Run
// value name is random, so the AutoRun rule matches on "*" and the DLL path.
// NOTE(review): unlike the rundll32 rules in the Virtumonde section, the path here
// has no trailing "*" even though the logged command carries arguments - confirm
// the AutoRun matcher compares on the extracted file path, or append "*".
// AutoRun:"mxewotslwpisivzhr","C:\WINDOWS\System32\regsvr32.exe /s "C:\WINDOWS\system32\qyqaiodrrh.dll"","flagifnofile=1"
AutoRun:"*","<$SYSDIR>\qyqaiodrrh.dll","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","mxewotslwpisivzhr"
// File:"<$FILE_EXE>","C:\WINDOWS\System32\regsvr32.exe /s "C:\WINDOWS\system32\qyqaiodrrh.dll""

// BrowserHelperEx:"ezLife browser enhancer vqufkkbj","flagfile=1"
BrowserHelperEx:"ezLife browser enhancer *","filename=*.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{CD3FB1DC-C2D3-426C-A2DA-F5BCAAFA5F6E}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{CD3FB1DC-C2D3-426C-A2DA-F5BCAAFA5F6E}"
// C:\WINDOWS\system32\vqufkkbj.dll
File:"<$FILE_LIBRARY>","<$SYSDIR>\vqufkkbj.dll"


// Spyware.Marcetscore.RelevantKnowledge:
// Could it be that you don't have this one yet? Spybot does not detect it (according to a user's current scan report), but it shows up in the HJT logfile!
// O20 AppInit_DLLs entry; RegyRemove strips only this DLL from the value so any
// other AppInit entries are preserved.
// NOTE(review): the comma in "program,files" is copied from the HJT log line; it may be
// a log-rendering artifact of "Program Files" rather than the real on-disk path.
// Verify against an infected machine before shipping - if it is an artifact, the
// File/Directory rules below would never match and the last Directory rule would
// target a top-level folder named "program,files" that does not exist.
// RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","c:\program,files\relevantknowledge\rlai.dll"
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDRIVE>\program,files\relevantknowledge\rlai.dll"
// File:"<$FILE_WEBPAGE>","c:\program,files\relevantknowledge\rlai.dll"
File:"<$FILE_LIBRARY>","<$SYSDRIVE>\program,files\relevantknowledge\rlai.dll"
Directory:"<$DIR_PROG>","<$SYSDRIVE>\program,files\relevantknowledge"
Directory:"<$DIR_PROG>","<$SYSDRIVE>\program,files"


// Spyware.Spynet:
// New name of the autostart entry!
// Same server.exe registered twice: once under HKLM Run ("HKLMWINLOGON") and once
// under HKCU Run ("HKCUWINUPDRUN"); both value names are removed, the binary once.
// AutoRun:"HKLMWINLOGON","C:\WINDOWS\System32\install\server.exe","flagifnofile=1"
AutoRun:"HKLMWINLOGON","<$SYSDIR>\install\server.exe","flagifnofile=1"
// AutoRun:"HKCUWINUPDRUN","C:\WINDOWS\System32\install\server.exe","flagifnofile=1"
AutoRun:"HKCUWINUPDRUN","<$SYSDIR>\install\server.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","HKLMWINLOGON"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","HKCUWINUPDRUN"
File:"<$FILE_EXE>","<$SYSDIR>\install\server.exe"


// Trojan.Agent:
// Winlogon UserInit hijack: the trojan appends its own path after the legitimate
// userinit.exe (see the logged value below). RegyRemove is used rather than
// RegyValue so that presumably only the appended "wininit.exe" entry is stripped and
// the legitimate part of the value survives - deleting the whole UserInit value
// would break interactive logon.
// RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\","UserInit","UserInit=C:\Windows\system32\userinit.exe,C:\Program Files\wininit.exe"
RegyRemove:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\","UserInit","<$PROGRAMFILES>\wininit.exe"
File:"<$FILE_EXE>","<$PROGRAMFILES>\wininit.exe"


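// Trojan.Autorun:
// Two Run entries with system-sounding names pointing at executables dropped into
// the system dir.
// AutoRun:"Windows Driver Manager","C:\WINDOWS\system32\wfmngr.exe","flagifnofile=1"
AutoRun:"Windows Driver Manager","<$SYSDIR>\wfmngr.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","Windows Driver Manager"
// File:"<$FILE_EXE>","C:\WINDOWS\system32\wfmngr.exe"
File:"<$FILE_EXE>","<$SYSDIR>\wfmngr.exe"
// O4 - HKCU\..\Policies\Explorer\Run: [Java micro kernel] C:\WINDOWS\system32\wupmgr.exe
// AutoRun:"Java micro kernel","C:\WINDOWS\system32\wupmgr.exe","flagifnofile=1"
AutoRun:"Java micro kernel","<$SYSDIR>\wupmgr.exe","flagifnofile=1"
// The HJT O4 line above places this value under HKCU\...\Policies\Explorer\Run,
// the policy-driven run key, which is a different key from the plain Run key;
// a RegyValue rule on the plain key alone would leave the logged entry in place,
// so both locations are covered.
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","Java micro kernel"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\","Java micro kernel"
// File:"<$FILE_EXE>","C:\WINDOWS\system32\wupmgr.exe"
File:"<$FILE_EXE>","<$SYSDIR>\wupmgr.exe"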


// Trojan.Banload:
// Run entry and binary in a "winupd" subfolder of the system dir; the Directory
// rule is qualified with filename=winupdate.exe so the folder is only removed when
// it actually holds the dropped binary.
// AutoRun:"WINLOAD","C:\WINDOWS\system32\winupd\winupdate.exe","flagifnofile=1"
AutoRun:"WINLOAD","<$SYSDIR>\winupd\winupdate.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","WINLOAD"
// File:"<$FILE_EXE>","C:\WINDOWS\system32\winupd\winupdate.exe"
File:"<$FILE_EXE>","<$SYSDIR>\winupd\winupdate.exe"
Directory:"<$DIR_PROG>","<$SYSDIR>\winupd","filename=winupdate.exe"


// Trojan.FakeAlert.ttam:
// Launched through rundll32 with a DLL in the user's local temp folder; the
// numeric prefix of the DLL name is random, so only the "Wsy.dll" suffix is
// matched. The trailing "*" on the AutoRun path covers the ",Sets" export argument.
// AutoRun:"sysinfo","c:\windows\system32\rundll32.exe c:\users\john\appdata\local\temp\6670805261Wsy.dll,Sets","flagifnofile=1"
AutoRun:"sysinfo","<$LOCALAPPDATA>\temp\*Wsy.dll*","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","sysinfo"
// File:"<$FILE_EXE>","c:\windows\system32\rundll32.exe c:\users\john\appdata\local\temp\6670805261Wsy.dll,Sets"
File:"<$FILE_LIBRARY>","<$LOCALAPPDATA>\temp\*Wsy.dll"


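// Trojan.Virtumonde(1):
// New path commonappdata, also as O20, O21 and O22 entries!!!
// NOTE(review): the commonappdata variant mentioned above has no rule in this
// section; everything below uses <$SYSDIR> / <$WINDIR> paths only.
// O2 (BHO): registration and its CLSID key removed as a pair, then the DLL.
BrowserHelperEx:"*","filename=fdWNet32.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{01EF7766-4A75-4D8B-82A9-CDA4B00AA362}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{01EF7766-4A75-4D8B-82A9-CDA4B00AA362}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\fdWNet32.dll"

// O4 entries launched through rundll32: the Run value name is random, so each
// AutoRun rule matches on "*" plus the DLL path with a trailing "*" for the
// ",<export>" argument. The RegyValue rules remove the specific value names seen.
// AutoRun:"Bzexerofib","rundll32.exe "C:\WINDOWS\apazayuj.dll",Startup","flagifnofile=1"
AutoRun:"*","<$WINDIR>\apazayuj.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","Bzexerofib"
// File:"<$FILE_EXE>","rundll32.exe "C:\WINDOWS\apazayuj.dll",Startup"
File:"<$FILE_LIBRARY>","<$WINDIR>\apazayuj.dll"

// AutoRun:"wodafinub","Rundll32.exe "c:\windows\system32\dasofupu.dll",a","flagifnofile=1"
AutoRun:"*","<$SYSDIR>\dasofupu.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","wodafinub"
// File:"<$FILE_EXE>","Rundll32.exe "c:\windows\system32\dasofupu.dll",a"
File:"<$FILE_LIBRARY>","<$SYSDIR>\dasofupu.dll"

// AutoRun:"ljiggfsys","rundll32.exe "xxvtrr.dll",DllRegisterServer","flagifnofile=1"
// AutoRun:"hgfedcsys","rundll32.exe "xxvtrr.dll",DllRegisterServer","flagifnofile=1"
AutoRun:"*","<$SYSDIR>\xxvtrr.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","ljiggfsys"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","hgfedcsys"
// File:"<$FILE_EXE>","rundll32.exe "xxvtrr.dll",DllRegisterServer"
File:"<$FILE_LIBRARY>","<$SYSDIR>\xxvtrr.dll"

// AutoRun:"ddayyxdrv","rundll32.exe "qomnnm.dll",s","flagifnofile=1"
// AutoRun:"pmkhihdrv","rundll32.exe "qomnnm.dll",s","flagifnofile=1"
AutoRun:"*","<$SYSDIR>\qomnnm.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","ddayyxdrv"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","pmkhihdrv"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","mlifcydrv"
// File:"<$FILE_EXE>","rundll32.exe "qomnnm.dll",s"
File:"<$FILE_LIBRARY>","<$SYSDIR>\qomnnm.dll"

// O20 (AppInit_DLLs): RegyRemove strips only the named DLL from the value, leaving
// any other AppInit entries intact. NOTE(review): fuhaleke.dll and bagahone.dll are
// given as bare file names while the others carry <$SYSDIR> - presumably that is how
// each was written into the value; confirm both spellings match the engine's comparison.
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\ganafihe.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\ganafihe.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\dasofupu.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\dasofupu.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","fuhaleke.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\fuhaleke.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\dmcompos32.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\dmcompos32.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\vafuzewe.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\vafuzewe.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","bagahone.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\bagahone.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\wevetora.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\wevetora.dll"

// O21 (ShellServiceObjectDelayLoad): value name is the random word, data is the
// CLSID of the DLL. The File rules repeated after each registry rule duplicate the
// ones in the AppInit group above (harmless).
RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","hufizakug","hufizakug={6e322b6b-5d4b-41c0-86e8-e15f898a8426}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\ganafihe.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","nemaporun","nemaporun={8e663e01-6bf8-4f1e-917f-9776b1d71a48}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\dasofupu.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","bopigabat","bopigabat={5f5121a2-57bf-49d2-bcf8-67491d8020c7}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\vafuzewe.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","yumadawir","yumadawir={c84ebf32-3b8c-4d18-a081-736a4086f85d}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\wevetora.dll"

// O22 (SharedTaskScheduler). NOTE(review): in this key Windows stores the CLSID as
// the value NAME and the description text as its data - the reverse of SSODL. The
// rules below use the description as the value name, as the HJT O22 line prints it;
// confirm against a live hive that they match, otherwise swap name and data.
// "kupuhivus" is listed twice with different CLSIDs, as given in the submission.
RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","jugezatag","jugezatag={5f5121a2-57bf-49d2-bcf8-67491d8020c7}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\vafuzewe.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","kupuhivus","kupuhivus={c84ebf32-3b8c-4d18-a081-736a4086f85d}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\wevetora.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","kupuhivus","kupuhivus={6e322b6b-5d4b-41c0-86e8-e15f898a8426}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\ganafihe.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","mujuzedij","mujuzedij={8e663e01-6bf8-4f1e-917f-9776b1d71a48}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\dasofupu.dll"

// The four CLSIDs referenced by the O21/O22 entries above are COM registrations of
// the same DLLs under Classes\CLSID. Removing only the load-point values would leave
// those registrations behind, pointing at deleted files; remove them as well, the
// same way the BHO section pairs each registration with its CLSID key.
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{6e322b6b-5d4b-41c0-86e8-e15f898a8426}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{8e663e01-6bf8-4f1e-917f-9776b1d71a48}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{5f5121a2-57bf-49d2-bcf8-67491d8020c7}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{c84ebf32-3b8c-4d18-a081-736a4086f85d}"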


// Trojan.Virtumonde(2):
// From a ComboFix logfile
// File-only indicators: random eight-letter DLL names in the system dir, plus the
// ".dll.tmp" staging copies of the same pattern. No load points were available
// from this log, so there are no registry rules for this set.
File:"<$FILE_LIBRARY>","<$SYSDIR>\ketowero.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\hemudapa.dll"
File:"<$FILE_TEMP>","<$SYSDIR>\howivuti.dll.tmp"
File:"<$FILE_TEMP>","<$SYSDIR>\sujegaru.dll.tmp"
File:"<$FILE_LIBRARY>","<$SYSDIR>\metitalu.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\bibegipe.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\dezuzara.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\kefazuwa.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\yojapuye.dll"
File:"<$FILE_TEMP>","<$SYSDIR>\nazofafo.dll.tmp"
File:"<$FILE_LIBRARY>","<$SYSDIR>\gutenadu.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\kupageli.dll"


// Trojan.Zlob:
// Observation only, no active rule: an HJT O17 line showing the DNS servers of a
// Tcpip interface replaced with external addresses (DNS hijack). The interface
// GUID in the key path is per-machine, so a rule would have to wildcard it; left
// for the maintainers to decide on the matching approach.
// O17 - HKLM\System\CCS\Services\Tcpip\..\{CC8C887D-B6E4-4792-B032-D79E476190B1}: NameServer = 93.188.163.219,93.188.161.25