I've collected detection rules for the following malware (note: the Malware.Fraud.Sysguard entries are included as commented-out evidence only — no active rule is defined for them yet):
  • Malware.Fraud.Sysguard
  • Trojan.Agent
  • Trojan.Fraudpack
  • Trojan.Matcash
  • Trojan.Virtumonde(3)
  • Trojan.Zlob
Category: Trojan
Code:
:: New Malware v77
// Revision 1
// {Cat:Test}{Cnt:1}
// {Det:Matthias,2010-03-02}


// Malware.Fraud.Sysguard:
// Disabled on purpose: every observed entry carries a profile-specific absolute path
// (Compaq_Owner, Mrs. Boehm) plus a randomised directory and file name, so the literal
// rules below would only ever match the two machines they were taken from. Kept as
// evidence. TODO(review): a usable rule needs <$LOCALAPPDATA> and a wildcard for the
// random directory; both samples end in "sftav.exe", but confirm that suffix against
// more samples before anchoring a rule on it.
// AutoRun:"osdsewdv","C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\jbmavr\sfxssftav.exe","flagifnofile=1"
// RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","osdsewdv"
// File:"<$FILE_EXE>","C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\jbmavr\sfxssftav.exe"
// AutoRun:"osdsewdv","C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\jbmavr\sfxssftav.exe","flagifnofile=1"
// RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","osdsewdv"
// File:"<$FILE_EXE>","C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\jbmavr\sfxssftav.exe"
// AutoRun:"lmrlbhvu","C:\Documents and Settings\Mrs. Boehm\Local Settings\Application Data\qkxgts\jseusftav.exe","flagifnofile=1"
// RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","lmrlbhvu"
// File:"<$FILE_EXE>","C:\Documents and Settings\Mrs. Boehm\Local Settings\Application Data\qkxgts\jseusftav.exe"


// Trojan.Agent:
// See Trojan.Agent(1) from #73
// The Run value name is random (see the observed entry below), so the active AutoRun rule
// wildcards the name ("*") and anchors on the Temp path instead. flagifnofile=0 is the
// safeguard that belongs with a "*" name: only flag when the binary is really present.
// NOTE(review): nvsvc32.exe is also the file name of a legitimate NVIDIA driver helper
// that lives in the system directory. Keep this rule scoped to <$LOCALSETTINGS>\Temp and
// never widen it to <$SYSDIR> or to a bare "*\nvsvc32.exe".
// NOTE(review): only the XP profile layout (<$LOCALSETTINGS>) is covered; the Fraudpack
// section below covers <$LOCALAPPDATA> as well. TODO confirm whether this one has been
// seen under the Vista/7 layout before adding a second path.
// AutoRun:"asg984jgkfmgasi8ug98jgkfgfb","C:\DOCUME~1\OWNER~1.EDD\LOCALS~1\Temp\nvsvc32.exe","flagifnofile=1"
AutoRun:"*","<$LOCALSETTINGS>\Temp\nvsvc32.exe","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","asg984jgkfmgasi8ug98jgkfgfb"
// File:"<$FILE_EXE>","C:\DOCUME~1\OWNER~1.EDD\LOCALS~1\Temp\nvsvc32.exe"
File:"<$FILE_EXE>","<$LOCALSETTINGS>\Temp\nvsvc32.exe"


// Trojan.Fraudpack:
// Found under both <$LOCALAPPDATA> and <$LOCALSETTINGS> (the two user-profile layouts),
// hence two AutoRun rules for the same value name.
// The dropped file name is random ("Vd1.exe" in the sample), so the path uses "???.exe".
// The match stays narrow because it is tied to the fixed value name TOY5KNQ8OC, not to
// the file pattern alone.
// NOTE(review): there is no active File rule - the commented-out one below is
// sample-specific - so presumably only the autostart entry is removed and the executable
// itself is left in Temp. Acceptable only because Temp contents are disposable; revisit
// if the name pattern stabilises.
// AutoRun:"TOY5KNQ8OC","c:\users\cloud\appdata\local\temp\Vd1.exe","flagifnofile=1"
AutoRun:"TOY5KNQ8OC","<$LOCALAPPDATA>\temp\???.exe","flagifnofile=1"
AutoRun:"TOY5KNQ8OC","<$LOCALSETTINGS>\temp\???.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","TOY5KNQ8OC"
// File:"<$FILE_EXE>","c:\users\cloud\appdata\local\temp\Vd1.exe"


// Trojan.Matcash:
// The observed Run value is the quoted exe path followed by a long hex argument (see the
// sample below); the trailing "*" on the active AutoRun path is what lets the rule match
// that argument without hard-coding the token. The File and Directory lines clean the
// dropped binary and its <$APPDATA>\gadcom folder.
// AutoRun:"gadcom",""C:\Documents and Settings\Compaq_Owner\Application Data\gadcom\gadcom.exe" 61A847B5BBF72815308B2B27128065E9C084320161C4661227A755E9C2933154389A","flagifnofile=1"
AutoRun:"gadcom","<$APPDATA>\gadcom\gadcom.exe*","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","gadcom"
// File:"<$FILE_EXE>",""C:\Documents and Settings\Compaq_Owner\Application Data\gadcom\gadcom.exe" 61A847B5BBF72815308B2B27128065E9C084320161C4661227A755E9C2933154389A"
File:"<$FILE_EXE>","<$APPDATA>\gadcom\gadcom.exe"
Directory:"<$DIR_APPDATA>","<$APPDATA>\gadcom"


// Trojan.Virtumonde(1):
// BHO variants: each group of three lines removes the BHO registration, the matching
// CLSID key and the DLL itself, so the three lines per DLL belong together. The CLSIDs
// are the ones observed in the samples; all four DLLs were found in <$SYSDIR>.
BrowserHelperEx:"*","filename=wemipipo.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{4c36d8ac-2817-465b-ba90-4c967f99f22d}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{4c36d8ac-2817-465b-ba90-4c967f99f22d}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\wemipipo.dll"

BrowserHelperEx:"*","filename=byxYpOiI.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{5DF4F51F-4FD8-4A98-BEFD-BD78E1419B47}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{5DF4F51F-4FD8-4A98-BEFD-BD78E1419B47}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\byxYpOiI.dll"

BrowserHelperEx:"*","filename=nelesoye.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{55b5c9e4-1dfb-451f-864b-75352d1a264c}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{55b5c9e4-1dfb-451f-864b-75352d1a264c}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\nelesoye.dll"

BrowserHelperEx:"*","filename=jasamohu.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{e04f2050-d675-453f-8855-014cb062ba9f}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{e04f2050-d675-453f-8855-014cb062ba9f}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\jasamohu.dll"

// rundll32-based Run entries. The value name is random per infection, so the active
// AutoRun rules wildcard the name ("*") and anchor on the DLL path; the trailing "*" on
// the path presumably absorbs the ",a" / ",s" / ",Startup" export argument seen in the
// samples. flagifnofile=0 is the safeguard that belongs with a "*" name: only flag when
// the DLL is really present. The RegyValue line still pins the specific value name
// observed, and the File line removes the DLL as a library rather than an exe.
// AutoRun:"tiyosolun","Rundll32.exe "c:\windows\system32\jiwusomo.dll",a","flagifnofile=1"
AutoRun:"*","<$SYSDIR>\jiwusomo.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","tiyosolun"
// File:"<$FILE_EXE>","Rundll32.exe "c:\windows\system32\jiwusomo.dll",a"
File:"<$FILE_LIBRARY>","<$SYSDIR>\jiwusomo.dll"

// The sample below has no directory at all ("dugabise.dll"), so rundll32 would resolve
// it through the normal DLL search order. The rule assumes <$SYSDIR> -
// TODO(review): confirm that is where the sample was actually found.
// AutoRun:"gopetipamu","Rundll32.exe "dugabise.dll",s","flagifnofile=1"
AutoRun:"*","<$SYSDIR>\dugabise.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","gopetipamu"
// File:"<$FILE_EXE>","Rundll32.exe "dugabise.dll",s"
File:"<$FILE_LIBRARY>","<$SYSDIR>\dugabise.dll"

// AutoRun:"hosepubif","Rundll32.exe "c:\windows\system32\zomumuzo.dll",a","flagifnofile=1"
AutoRun:"*","<$SYSDIR>\zomumuzo.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","hosepubif"
// File:"<$FILE_EXE>","Rundll32.exe "c:\windows\system32\zomumuzo.dll",a"
File:"<$FILE_LIBRARY>","<$SYSDIR>\zomumuzo.dll"

// This one drops into <$WINDIR> rather than <$SYSDIR> - keep the two apart.
// AutoRun:"Uzojajelehe","rundll32.exe "c:\windows\ejawoluwar.dll",Startup","flagifnofile=1"
AutoRun:"*","<$WINDIR>\ejawoluwar.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","Uzojajelehe"
// File:"<$FILE_EXE>","rundll32.exe "c:\windows\ejawoluwar.dll",Startup"
File:"<$FILE_LIBRARY>","<$WINDIR>\ejawoluwar.dll"

// c:\progra~3 is the 8.3 short name of ProgramData, hence <$COMMONAPPDATA>. This value
// was seen in both the HKLM and the HKCU Run key, so both hives are listed, and the
// Directory line removes the dropped folder as well.
// AutoRun:"vovubabad","Rundll32.exe "c:\progra~3\pijihaje\pijihaje.dll",a","flagifnofile=1"
AutoRun:"*","<$COMMONAPPDATA>\pijihaje\pijihaje.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","vovubabad"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","vovubabad"
// File:"<$FILE_EXE>","Rundll32.exe "c:\progra~3\pijihaje\pijihaje.dll",a"
File:"<$FILE_LIBRARY>","<$COMMONAPPDATA>\pijihaje\pijihaje.dll"
Directory:"<$DIR_COMMON_APPDATA>","<$COMMONAPPDATA>\pijihaje"


// Trojan.Virtumonde(2):
// This autostart entry has already come up twice, please include it!
// The DLL name is random per infection ("o6339e9hl.dll" in the sample), so the AutoRun
// path is wildcarded to any DLL in <$SYSDIR>; the fixed value name "Remote System
// Protection" is the only thing keeping the match narrow.
// NOTE(review): the File rule below is NOT wildcarded, so for any other random DLL name
// only the Run value is removed and the payload stays on disk. Do not "fix" this by
// widening the File rule to <$SYSDIR>\*.dll - that would delete every system DLL. A
// per-variant File line, added as each sample is confirmed, is the only safe option in
// this format.
// AutoRun:"Remote System Protection","rundll32.exe C:\WINDOWS\system32\o6339e9hl.dll, HUI_proc","flagifnofile=1"
AutoRun:"Remote System Protection","<$SYSDIR>\*.dll*","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","Remote System Protection"
// File:"<$FILE_EXE>","rundll32.exe C:\WINDOWS\system32\o6339e9hl.dll, HUI_proc"
File:"<$FILE_LIBRARY>","<$SYSDIR>\o6339e9hl.dll"

// AppInit_DLLs persistence. Each RegyRemove strips one DLL reference out of the shared
// AppInit_DLLs value (a DLL listed there is loaded into every process that links
// user32.dll, which is why it is a common persistence location) and the paired File line
// removes the DLL. Two spellings occur in the samples and both are kept as observed: a
// full <$SYSDIR>\name.dll path and a bare name.dll (resolved via the DLL search path).
// NOTE(review): the removal presumably matches the literal string, so a variant that
// registers the other spelling of the same DLL would be missed - TODO confirm whether
// RegyRemove matches on substring or on exact token before adding the second spelling
// for each DLL. Several of these DLLs also appear in the Run/SSODL/SharedTaskScheduler
// rules; the duplicate File lines are harmless.
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\mawuwaha.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\mawuwaha.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","gerizoha.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\gerizoha.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\jiwusomo.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\jiwusomo.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","pcmodo.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\pcmodo.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","gadibure.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\gadibure.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\loseteni.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\loseteni.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\gademoma.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\gademoma.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\jinuwayi.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\jinuwayi.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\denekilo.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\denekilo.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\ralasife.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\ralasife.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","pozofohu.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\pozofohu.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\rezizafo.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\rezizafo.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\mohafilu.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\mohafilu.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\lojafuyu.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\lojafuyu.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\hewubure.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\hewubure.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\kukeyuwi.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\kukeyuwi.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\fiduzuku.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\fiduzuku.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\simunayi.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\simunayi.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\zomumuzo.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\zomumuzo.dll"

// The remaining entries point into ProgramData (<$COMMONAPPDATA>\<name>\<name>.dll)
// rather than the system directory.
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$COMMONAPPDATA>\peheduke\peheduke.dll"
File:"<$FILE_LIBRARY>","<$COMMONAPPDATA>\peheduke\peheduke.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$COMMONAPPDATA>\pijihaje\pijihaje.dll"
File:"<$FILE_LIBRARY>","<$COMMONAPPDATA>\pijihaje\pijihaje.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$COMMONAPPDATA>\fapavifa\fapavifa.dll"
File:"<$FILE_LIBRARY>","<$COMMONAPPDATA>\fapavifa\fapavifa.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$COMMONAPPDATA>\pirovowi\pirovowi.dll"
File:"<$FILE_LIBRARY>","<$COMMONAPPDATA>\pirovowi\pirovowi.dll"

// Winlogon notification package. The Notify subkey has a random name ("1f4fab7c517")
// but a fixed DllName, so the rule matches on the DllName data. A DLL registered here is
// loaded by winlogon at logon, independently of the Run keys above, so it needs its own
// rule and its own File line.
RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\","1f4fab7c517","DllName=<$SYSDIR>\cabinet32.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\cabinet32.dll"

// ShellServiceObjectDelayLoad (SSODL). Each value maps a random name to a CLSID that the
// shell instantiates at startup; the rule matches on the "name={CLSID}" data, and the
// paired File line removes the DLL that CLSID resolved to in the sample. Several of
// these DLLs are also listed under AppInit_DLLs and in the Run rules above; the duplicate
// File lines are harmless.
// NOTE(review): unlike the BHO block in Trojan.Virtumonde(1), the CLSID registration
// under HKLM\SOFTWARE\Classes\CLSID\{...} is not removed here, so an orphaned
// InprocServer32 entry pointing at the deleted DLL is left behind. TODO: add a matching
// RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{...}" line per
// CLSID once each one is confirmed against a sample.
RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","fetelebod","fetelebod={cbb90d19-a72b-45db-b1e0-5659917bd997}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\mawuwaha.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","togusukit","togusukit={00b3ac07-420e-4336-ab3b-742cad81dd90}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\jiwusomo.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","hividoziz","hividoziz={a9eb10a1-4b14-45e1-9539-68e2b73c08de}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\yewuwazi.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","mubejufur","mubejufur={e1a9aef7-8fe0-4d76-9c34-fd08da478c6e}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\loseteni.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","lazotipes","lazotipes={a535cd91-2a25-4554-a5dc-a88536f392d1}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\denekilo.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","nimovasel","nimovasel={69179f56-4f5f-4f8c-a971-74c7ca6d0314}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\ralasife.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","befupavuf","befupavuf={935f3a8e-ec75-417c-85a0-730591779f48}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\rezizafo.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","jowehofur","jowehofur={8321895e-c80b-4234-b1f6-93e0143afc47}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\mohafilu.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","woparufah","woparufah={abaf0e64-4def-4567-9522-85ebf395ec2a}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\lojafuyu.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","tayelizek","tayelizek={2233709a-96a6-4694-b775-4237126be01f}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\hewubure.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","vawukalid","vawukalid={5c0b92f5-b50c-4639-93ae-aab0b80338a3}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\kukeyuwi.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","jeguremen","jeguremen={3c702ad5-aaea-4af3-ad1c-18fa16d461f1}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\fiduzuku.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","kalurumed","kalurumed={bf4d8f92-1eef-408d-a610-9ff7bc01fb16}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\simunayi.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","yidehopod","yidehopod={1b02be5a-297a-45a4-b431-48780454aeae}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\zomumuzo.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","tanenobem","tanenobem={62806fb3-652d-47fd-b16b-e393218dab03}"
File:"<$FILE_LIBRARY>","<$COMMONAPPDATA>\fapavifa\fapavifa.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","nodigutub","nodigutub={e49f8c47-68d1-4960-99e4-61b0eb5243b1}"
File:"<$FILE_LIBRARY>","<$COMMONAPPDATA>\pijihaje\pijihaje.dll"

// SharedTaskScheduler. Same mechanism as SSODL (random value name -> CLSID instantiated
// by the shell) and the same CLSIDs/DLLs as the SSODL rules, so a DLL registered in both
// places is handled twice. The value names repeat here (tokatiluy, gahurihor, jugezatag,
// mujuzedij each appear several times with different CLSIDs), so the "name={CLSID}" data,
// not the value name, is the part of each rule that actually discriminates.
// NOTE(review): the CLSID keys under HKLM\SOFTWARE\Classes\CLSID\{...} are not removed,
// unlike the BHO block in Trojan.Virtumonde(1); TODO add a RegyKey:"<$REG_CLASSID>" line
// per CLSID once each one is confirmed against a sample.
RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","tokatiluy","tokatiluy={62806fb3-652d-47fd-b16b-e393218dab03}"
File:"<$FILE_LIBRARY>","<$COMMONAPPDATA>\fapavifa\fapavifa.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","jugezatag","jugezatag={e49f8c47-68d1-4960-99e4-61b0eb5243b1}"
File:"<$FILE_LIBRARY>","<$COMMONAPPDATA>\pijihaje\pijihaje.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","gahurihor","gahurihor={a9eb10a1-4b14-45e1-9539-68e2b73c08de}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\yewuwazi.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","kupuhivus","kupuhivus={e1a9aef7-8fe0-4d76-9c34-fd08da478c6e}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\loseteni.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","tokatiluy","tokatiluy={a535cd91-2a25-4554-a5dc-a88536f392d1}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\denekilo.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","gahurihor","gahurihor={69179f56-4f5f-4f8c-a971-74c7ca6d0314}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\ralasife.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","mujuzedij","mujuzedij={935f3a8e-ec75-417c-85a0-730591779f48}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\rezizafo.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","jugezatag","jugezatag={8321895e-c80b-4234-b1f6-93e0143afc47}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\mohafilu.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","jugezatag","jugezatag={abaf0e64-4def-4567-9522-85ebf395ec2a}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\lojafuyu.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","tokatiluy","tokatiluy={2233709a-96a6-4694-b775-4237126be01f}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\hewubure.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","tokatiluy","tokatiluy={5c0b92f5-b50c-4639-93ae-aab0b80338a3}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\kukeyuwi.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","mujuzedij","mujuzedij={3c702ad5-aaea-4af3-ad1c-18fa16d461f1}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\fiduzuku.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","tokatiluy","tokatiluy={bf4d8f92-1eef-408d-a610-9ff7bc01fb16}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\simunayi.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","gahurihor","gahurihor={1b02be5a-297a-45a4-b431-48780454aeae}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\zomumuzo.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","mujuzedij","mujuzedij={cbb90d19-a72b-45db-b1e0-5659917bd997}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\mawuwaha.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","jugezatag","jugezatag={00b3ac07-420e-4336-ab3b-742cad81dd90}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\jiwusomo.dll"


// Trojan.Virtumonde(3):
// Taken from a DDS log file.
// NOTE(review): file-only rule with no registry anchor. It finds and removes the DLL if
// present, but nothing here says how it is loaded (Run / AppInit_DLLs / SSODL / BHO), so
// whatever entry loads it is left in place. TODO: pull the loading entry out of the same
// DDS log and add the matching registry rule.
File:"<$FILE_LIBRARY>","<$SYSDIR>\fiwupaga.dll"


// Trojan.Zlob:
// DNS-changer component, evidence only (HijackThis O17 lines from several logs). The
// resolver is pointed at rogue name-server pairs in 93.188.16x.x, and the same pair is
// written on each interface GUID and in every control set (CCS, CS1, CS2, CS3), not just
// the current one, so a "Last Known Good" boot would not undo it.
// No active rule yet, deliberately: the Tcpip\..\Interfaces\{GUID} key names are
// per-machine, and simply deleting NameServer would leave a static-IP host with no
// resolver at all. A fix has to reset the global Parameters value and every listed
// interface to the user's legitimate resolver (or back to DHCP) in all control sets.
// TODO(review): confirm what <$REG_SETTINGS> can express for per-interface values and
// for ControlSet00x paths before writing this.
// O17 - HKLM\System\CCS\Services\Tcpip\..\{2F93A067-1B6A-43FE-91A3-E5FCB419328C}: NameServer = 93.188.163.34,93.188.161.95
// O17 - HKLM\System\CCS\Services\Tcpip\..\{B4437D65-CD9A-4BDD-92ED-7ED3C363ECCF}: NameServer = 93.188.163.34,93.188.161.95
// O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 93.188.163.34,93.188.161.95
// O17 - HKLM\System\CS1\Services\Tcpip\..\{2F93A067-1B6A-43FE-91A3-E5FCB419328C}: NameServer = 93.188.163.34,93.188.161.95
// O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 93.188.163.34,93.188.161.95
// O17 - HKLM\System\CS3\Services\Tcpip\..\{2F93A067-1B6A-43FE-91A3-E5FCB419328C}: NameServer = 93.188.163.34,93.188.161.95
// O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.163.34,93.188.161.95
// O17 - HKLM\System\CCS\Services\Tcpip\..\{F28DBBCE-5016-40AF-B3A7-E2B0DBF7575B}: NameServer = 93.188.162.172,93.188.166.21
// O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 93.188.162.172,93.188.166.21
// O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.162.172,93.188.166.21
// O17 - HKLM\System\CCS\Services\Tcpip\..\{15717262-C44B-43C1-B0F5-6CC10C5728FA}: NameServer = 93.188.163.32,93.188.166.77
// O17 - HKLM\System\CS1\Services\Tcpip\..\{15717262-C44B-43C1-B0F5-6CC10C5728FA}: NameServer = 93.188.163.32,93.188.166.77
// O17 - HKLM\System\CS2\Services\Tcpip\..\{15717262-C44B-43C1-B0F5-6CC10C5728FA}: NameServer = 93.188.163.32,93.188.166.77