I've collected detection rules for the following Malware:
  • Malware.Ascentive.SpywareStriker
  • Malware.Fraud.FastAntivirus2009
  • Malware.Fraud.FakeAntivir
  • Malware.Fraud.ControlManager
  • Malware.Fraud.PersonalSecurity
  • Malware.Fraud.PrivacyControl
  • Malware.Fraud.XPAntivirus
  • Malware.Virut
  • Rootkit.TDSS
  • Rootkit.Zbot
  • Security.Microsoft.Windows.RedirectedHosts
  • Trojan.Adload
  • Trojan.Agent(3)
  • Trojan.Calper
  • Trojan.FakeAlert.ttam
  • Trojan.Fraudpack.F5JMWNZTHI
  • Trojan.SpyEye
  • Trojan.Virtumonde(2)
  • Trojan.Zlob
Category: Trojan
Code:
:: New Malware v78
// Revision 1
// {Cat:Test}{Cnt:1}
// {Det:Matthias,2010-03-04}


// Malware.Ascentive.SpywareStriker:
// Spyware Striker Pro (Ascentive): two HKCU Run values, each launching its executable with a
// "-m" argument. The trailing "*" in the AutoRun path absorbs that argument. flagifnofile=1:
// by the flag's name, the Run value is flagged even when the target file is already gone
// (orphaned autostart) — confirm against the engine docs.
// Observed (absolute path, with argument):
// AutoRun:"Spyware Striker Pro","C:\Program Files\Ascentive\Spyware Striker\SpywareStriker.exe -m","flagifnofile=1"
AutoRun:"Spyware Striker Pro","<$PROGRAMFILES>\Ascentive\Spyware Striker\SpywareStriker.exe*","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","Spyware Striker Pro"
// File:"<$FILE_EXE>","C:\Program Files\Ascentive\Spyware Striker\SpywareStriker.exe -m"
File:"<$FILE_EXE>","<$PROGRAMFILES>\Ascentive\Spyware Striker\SpywareStriker.exe"
// Second autostart: the definitions updater, same launch pattern.
// AutoRun:"Spyware Striker Pro - Definitions Updater","C:\Program Files\Ascentive\Spyware Striker\SPSDefsUpdater.exe -m","flagifnofile=1"
AutoRun:"Spyware Striker Pro - Definitions Updater","<$PROGRAMFILES>\Ascentive\Spyware Striker\SPSDefsUpdater.exe*","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","Spyware Striker Pro - Definitions Updater"
// File:"<$FILE_EXE>","C:\Program Files\Ascentive\Spyware Striker\SPSDefsUpdater.exe -m"
File:"<$FILE_EXE>","<$PROGRAMFILES>\Ascentive\Spyware Striker\SPSDefsUpdater.exe"
Directory:"<$DIR_PROG>","<$PROGRAMFILES>\Ascentive\Spyware Striker"
// NOTE(review): the next line removes the vendor folder, not only the product folder —
// anything else installed under <$PROGRAMFILES>\Ascentive goes with it. Confirm intended.
Directory:"<$DIR_PROG>","<$PROGRAMFILES>\Ascentive"


// Malware.Fraud.FastAntivirus2009:
// The dropped executable sits in a folder under CommonAppData whose name, like the file's,
// looks random per sample (observed: C:\ProgramData\9d7f3e9\EX9d7f.exe, run with "/s /d").
// Only the Run value is therefore matched, by its fixed name; the path pattern accepts any
// .exe one folder level below <$COMMONAPPDATA>, with the "*" after ".exe" absorbing the
// arguments. flagifnofile=1 keeps the Run value flagged even if the file is already gone.
// Original note: "at least the AutoRun can be adopted ;-)"
AutoRun:"Fast Antivirus 2009","<$COMMONAPPDATA>\*\*.exe*","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","Fast Antivirus 2009"
// No File rule: folder and file name vary (example as observed, kept for reference).
// File:"<$FILE_EXE>",""C:\ProgramData\9d7f3e9\EX9d7f.exe" /s /d"


// Malware.Fraud.FakeAntivir:
// Installs as <$PROGRAMFILES>\AV\Antivir.exe with an HKCU Run value "AV". Folder, value and
// file names are deliberately generic and resemble a legitimate AV product; the exact path is
// what distinguishes this — keep the rules exact, do not widen them.
// AutoRun:"AV","C:\Program Files\AV\Antivir.exe","flagifnofile=1"
AutoRun:"AV","<$PROGRAMFILES>\AV\Antivir.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","AV"
// File:"<$FILE_EXE>","C:\Program Files\AV\Antivir.exe"
File:"<$FILE_EXE>","<$PROGRAMFILES>\AV\Antivir.exe"
// Executable first, then its folder.
Directory:"<$DIR_PROG>","<$PROGRAMFILES>\AV"


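// Malware.Fraud.ControlManager:
// Installs under %AppData%\Control Manager with an Uninstall entry and an HKCU Run value.
// Fix: the File rules for ccagent.exe and ccmain.exe were listed twice; the duplicates are dropped.
// HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Control Manager
RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\","Control Manager"
// HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
// %AppData%\Control Manager\ccagent.exe
// The Run value name was not recorded, so the entry is matched by its target path only ("*").
// flagifnofile=0: the Run value is only flagged while ccagent.exe is actually present.
AutoRun:"*","<$APPDATA>\Control Manager\ccagent.exe","flagifnofile=0"
File:"<$FILE_EXE>","<$APPDATA>\Control Manager\ccagent.exe"
File:"<$FILE_EXE>","<$APPDATA>\Control Manager\ccmain.exe"
File:"<$FILE_WEBPAGE>","<$APPDATA>\Control Manager\faq\guide.html"
// "[digits ??-??]" is presumably the engine's wildcard for a two-digit numbered image set.
File:"<$FILE_PICTURE>","<$APPDATA>\Control Manager\faq\images\[digits ??-??].png"
File:"<$FILE_CONFIGURATION>","<$APPDATA>\Control Manager\settings.ini"
File:"<$FILE_EXE>","<$APPDATA>\Control Manager\uninstall.exe"
File:"<$FILE_DESKTOPLINK>","<$DESKTOP>\Control Manager.lnk"
// Subfolder first, then the parent.
Directory:"<$DIR_PROG>","<$APPDATA>\Control Manager\faq"
Directory:"<$DIR_PROG>","<$APPDATA>\Control Manager"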


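// Malware.Fraud.PersonalSecurity:
// Two footholds: an IE Browser Helper Object (win32extension.dll, COM class below) and an
// HKCU Run value for psecurity.exe. "%26" in the BHO display name is presumably the escaped "&".
BrowserHelperEx:"%26Security Update","filename=win32extension.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{C73FD00D-A099-405C-92B4-8997710D187D}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{C73FD00D-A099-405C-92B4-8997710D187D}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\win32extension.dll"
// Original note: "new path because of 'PersSecurity'?" — the observed install folder name
// differs from the product name.
// AutoRun:"PersSecurity","C:\Program Files\PersSecurity\psecurity.exe","flagifnofile=1"
AutoRun:"PersSecurity","<$PROGRAMFILES>\PersSecurity\psecurity.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","PersSecurity"
// File:"<$FILE_EXE>","C:\Program Files\PersSecurity\psecurity.exe"
File:"<$FILE_EXE>","<$PROGRAMFILES>\PersSecurity\psecurity.exe"
// Fix: the install folder was left behind; remove it after its executable, as the other
// sections do for their product folders.
Directory:"<$DIR_PROG>","<$PROGRAMFILES>\PersSecurity"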


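// Malware.Fraud.PrivacyControl:
// Settings keys in both hives, an Uninstall entry, an HKCU Run value, shortcuts, per-user
// settings files and the program folder.
// HKEY_LOCAL_MACHINE\SOFTWARE\PrivacyControl
RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\","PrivacyControl"
// HKEY_CURRENT_USER\SOFTWARE\PrivacyControl
RegyKey:"<$REG_SETTINGS>",HKEY_CURRENT_USER,"\SOFTWARE\","PrivacyControl"
// HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\privacycontrol
// Fix: this Run value was noted but never turned into a rule, so the autostart survived
// cleanup. Its data was not recorded, so it is removed by name only (no AutoRun path rule).
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","privacycontrol"
// HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PrivacyControl
RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\","PrivacyControl"
File:"<$FILE_DESKTOPLINK>","<$COMMONDESKTOP>\PrivacyControl.lnk"
File:"<$FILE_LINK>","<$COMMONPROGRAMS>\PrivacyControl\PrivacyControl.lnk"
File:"<$FILE_LINK>","<$COMMONPROGRAMS>\PrivacyControl\PrivacyControl on the Web.lnk"
File:"<$FILE_DATA>","<$APPDATA>\PrivacyControl\Settings\Settings.stg"
File:"<$FILE_DATA>","<$APPDATA>\PrivacyControl\Settings\SelectedFolders.stg"
File:"<$FILE_DATA>","<$APPDATA>\PrivacyControl\Settings\ScanInfo.stg"
File:"<$FILE_DATA>","<$APPDATA>\PrivacyControl\Settings\IgnoreList.stg"
File:"<$FILE_DATA>","<$APPDATA>\PrivacyControl\Settings\CustomScan.stg"
File:"<$FILE_LIBRARY>","<$PROGRAMFILES>\PrivacyControl\PrivacyShell.dll"
File:"<$FILE_WEBPAGE>","<$PROGRAMFILES>\PrivacyControl\PrivacyControl.url"
File:"<$FILE_EXE>","<$PROGRAMFILES>\PrivacyControl\PrivacyControl.exe"
File:"<$FILE_EXE>","<$PROGRAMFILES>\PrivacyControl\Launcher.exe"
File:"<$FILE_DATA>","<$PROGRAMFILES>\PrivacyControl\DataBase.ref"
// Files first, then the folders they live in (subfolders before their parent).
Directory:"<$DIR_PROG>","<$COMMONPROGRAMS>\PrivacyControl"
Directory:"<$DIR_PROG>","<$APPDATA>\PrivacyControl\Log"
Directory:"<$DIR_PROG>","<$APPDATA>\PrivacyControl\Settings"
Directory:"<$DIR_PROG>","<$APPDATA>\PrivacyControl"
Directory:"<$DIR_PROG>","<$PROGRAMFILES>\PrivacyControl"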


// Malware.Fraud.XPAntivirus:
// The Run value name is a non-ASCII garbage string (observed below), so it cannot be matched
// by name: the AutoRun rule uses "*" for the name and matches on the target path instead,
// with flagifnofile=0 so that a wildcard-name rule only fires while xpa.exe is actually present.
// AutoRun:"e©ùýùàûïÕóÎÇøøÈøôþÊýíñûÊÞó","c:\program files\xp antivirus\xpa.exe","flagifnofile=1"
AutoRun:"*","<$PROGRAMFILES>\xp antivirus\xpa.exe","flagifnofile=0"
// The RegyValue rule is disabled for the same reason (no usable value name); the Run entry is
// therefore only handled through the AutoRun rule above.
// RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","e©ùýùàûïÕóÎÇøøÈøôþÊýíñûÊÞó"
// File:"<$FILE_EXE>","c:\program files\xp antivirus\xpa.exe"
File:"<$FILE_EXE>","<$PROGRAMFILES>\xp antivirus\xpa.exe"
Directory:"<$DIR_PROG>","<$PROGRAMFILES>\xp antivirus"


// Malware.Virut:
// Drops <$WINDIR>\fonts\services.exe (a name clash with the legitimate <$SYSDIR>\services.exe —
// the path here must stay exact; never widen it to the system folder) and <$SYSDIR>\reader_s.exe,
// and hooks them into the Windows NT "load"/"run" values, an HKLM Run value and the
// Policies\Explorer\Run key.
// NOTE(review): if this is the file-infecting Virut family, these rules only remove the dropped
// files and their autostarts; infected host executables are not touched by any path-based rule,
// so a cleaned autostart does not mean a clean system.
// RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","load","load=C:\WINDOWS\fonts\services.exe"
// "load" and "run" are shared values; RegyRemove strips only the services.exe reference from them.
RegyRemove:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","load","<$WINDIR>\fonts\services.exe"
// RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","run","run=C:\WINDOWS\fonts\services.exe"
RegyRemove:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","run","<$WINDIR>\fonts\services.exe"
File:"<$FILE_EXE>","<$WINDIR>\fonts\services.exe"
// AutoRun:"reader_s","C:\WINDOWS\System32\reader_s.exe","flagifnofile=1"
AutoRun:"reader_s","<$SYSDIR>\reader_s.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","reader_s"
// File:"<$FILE_EXE>","C:\WINDOWS\System32\reader_s.exe"
File:"<$FILE_EXE>","<$SYSDIR>\reader_s.exe"
// HijackThis O4 line for the Policies\Explorer\Run value "exec":
// O4 - HKLM\..\Policies\Explorer\Run: [exec] C:\WINDOWS\fonts\services.exe
// No RegyValue counterpart for this key — the AutoRun rule alone has to cover it.
AutoRun:"exec","<$WINDIR>\fonts\services.exe","flagifnofile=1"


// Rootkit.TDSS:
// NOTE(review): observation-only section — no directive follows, so nothing here is detected
// or removed. Every path carries a random component (UAC<random>, _VOID<random>), and as a
// rootkit this family is expected to hide its files and services from ordinary enumeration,
// so plain File/RegyKey rules keyed on these names are unlikely to be enough even once written;
// the NTFile directive used in the Rootkit.Zbot section may be the better fit — verify against
// the engine docs before adding rules.
// Observed artifacts:
// C:\WINDOWS\_VOID<random>\
// C:\WINDOWS\_VOID<random>\_VOIDd.sys
// C:\WINDOWS\system32\drivers\_VOID<random>.sys
// C:\WINDOWS\system32\drivers\UAC<random>.sys
// C:\WINDOWS\system32\UAC<random>.dll
// C:\WINDOWS\system32\uacinit.dll
// C:\WINDOWS\system32\UAC<random>.db
// C:\WINDOWS\system32\UAC<random>.dat
// C:\WINDOWS\system32\uactmp.db
// C:\WINDOWS\system32\_VOID<random>.dll
// C:\WINDOWS\system32\_VOID<random>.dat
// C:\WINDOWS\Temp\_VOID<random>tmp
// C:\WINDOWS\Temp\UAC<random>.tmp
// %Temp%\UAC<random>.tmp
// %Temp%\_VOID<random>.tmp
// C:\Documents and Settings\All Users\Application Data\_VOIDmainqt.dll
// Driver/service registrations:
// HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\_VOIDd.sys
// HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\_VOID<random>
// HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UACd.sys


// Rootkit.Zbot:
// The Run value is named "userinit" to pass as the legitimate Winlogon Userinit entry; the rule
// pins the target to ntos.exe, so the real <$SYSDIR>\userinit.exe is never matched.
// NTFile (not File) is used for the binaries in this section — presumably a lower-level removal
// for files the rootkit keeps locked or hidden; confirm the directive's semantics before changing.
// AutoRun:"userinit","C:\WINDOWS\system32\ntos.exe","flagifnofile=1"
AutoRun:"userinit","<$SYSDIR>\ntos.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","userinit"
// File:"<$FILE_EXE>","C:\WINDOWS\system32\ntos.exe"
NTFile:"<$FILE_EXE>","<$SYSDIR>\ntos.exe"
// Second variant, Run value "ttool" -> <$WINDIR>\essledv.exe.
// See also: http://www.systemlookup.com/Startup/21015-essledv_exe.html
AutoRun:"ttool","<$WINDIR>\essledv.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","ttool"
NTFile:"<$FILE_EXE>","<$WINDIR>\essledv.exe"


// Security.Microsoft.Windows.RedirectedHosts:
// Hosts-file entries (HijackThis O1) pointing the national Google front doors and Yahoo search
// at 89.149.210.60. The rules key on that exact IP: the same hostnames redirected to another
// address are not caught, and any host matching the pattern that points at this IP is.
// NOTE(review): whether "*.google.*" also matches a bare "google.com" (no leading label)
// depends on the engine's wildcard semantics, which are not visible here.
// O1 - Hosts: 89.149.210.60 www.google.com
// O1 - Hosts: 89.149.210.60 www.google.de
// O1 - Hosts: 89.149.210.60 www.google.fr
// O1 - Hosts: 89.149.210.60 www.google.co.uk
// O1 - Hosts: 89.149.210.60 www.google.com.br
// O1 - Hosts: 89.149.210.60 www.google.co.jp
// O1 - Hosts: 89.149.210.60 www.google.com.mx
// O1 - Hosts: 89.149.210.60 www.google.gr
// O1 - Hosts: 89.149.210.60 www.google.se
// O1 - Hosts: 89.149.210.60 www.google.it
// O1 - Hosts: 89.149.210.60 www.google.dk
// O1 - Hosts: 89.149.210.60 www.google.ie
// O1 - Hosts: 89.149.210.60 www.google.fi
// O1 - Hosts: 89.149.210.60 www.google.ca
// O1 - Hosts: 89.149.210.60 www.google.com.au
// O1 - Hosts: 89.149.210.60 www.google.co.za
// O1 - Hosts: 89.149.210.60 www.google.be
// O1 - Hosts: 89.149.210.60 www.google.at
// O1 - Hosts: 89.149.210.60 www.google.no
// O1 - Hosts: 89.149.210.60 www.google.ch
// O1 - Hosts: 89.149.210.60 www.google.pt
// One pattern for two-part TLDs-free hosts (www.google.de), one for www.google.co.uk-style names.
HostRedirect:"*.google.*","89.149.210.60"
HostRedirect:"*.google.*.*","89.149.210.60"
// O1 - Hosts: 89.149.210.60 search.yahoo.com
HostRedirect:"search.yahoo.*","89.149.210.60"
// Regional Yahoo search front ends (us., uk., ...).
// O1 - Hosts: 89.149.210.60 us.search.yahoo.com
// O1 - Hosts: 89.149.210.60 uk.search.yahoo.com
HostRedirect:"*.search.yahoo.com","89.149.210.60"


// Trojan.Adload:
// Name per Kaspersky.
// See also: http://www.systemlookup.com/Startup/3041-Drmupgds_exe.html
// Single HKCU Run value "Drmupgds" plus the executable and its program folder.
// AutoRun:"Drmupgds","C:\Program Files\Drmupgds\Drmupgds.exe","flagifnofile=1"
AutoRun:"Drmupgds","<$PROGRAMFILES>\Drmupgds\Drmupgds.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","Drmupgds"
// File:"<$FILE_EXE>","C:\Program Files\Drmupgds\Drmupgds.exe"
File:"<$FILE_EXE>","<$PROGRAMFILES>\Drmupgds\Drmupgds.exe"
Directory:"<$DIR_PROG>","<$PROGRAMFILES>\Drmupgds"


// Trojan.Agent(1):
// Name per SuperAntiSpyware, see: http://www.superantispyware.com/malwarefiles/UPDATECHECK.DLL.html
// IE Browser Helper Object displayed as "&UpdateCheck.dll" ("%26" presumably being the
// escaped "&"); BHO entry, its CLSID and the DLL are removed together.
BrowserHelperEx:"%26UpdateCheck.dll","filename=UpdateCheck.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{23EF1F0F-1CBF-4D5E-86B6-5669F9E55A09}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{23EF1F0F-1CBF-4D5E-86B6-5669F9E55A09}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\UpdateCheck.dll"


// Trojan.Agent(2):
// Two droppers, each with a Run value named after its file. SyncMan.exe was seen both in the
// system folder (HKLM Run) and directly in a user profile (HKCU Run); the observed profile path
// is kept only in the comment and generalized to <$PROFILE> in the rule.
// See also: http://www.systemlookup.com/Startup/21766-userini_exe.html
// AutoRun:"userini","C:\WINDOWS\system32\userini.exe","flagifnofile=1"
AutoRun:"userini","<$SYSDIR>\userini.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","userini"
// File:"<$FILE_EXE>","C:\WINDOWS\system32\userini.exe"
File:"<$FILE_EXE>","<$SYSDIR>\userini.exe"
// See also: http://www.systemlookup.com/Startup/21745-SyncMan_exe.html
// AutoRun:"SyncMan","C:\WINDOWS\system32\SyncMan.exe","flagifnofile=1"
AutoRun:"SyncMan","<$SYSDIR>\SyncMan.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","SyncMan"
// File:"<$FILE_EXE>","C:\WINDOWS\system32\SyncMan.exe"
File:"<$FILE_EXE>","<$SYSDIR>\SyncMan.exe"
// Per-user variant of the same dropper.
// AutoRun:"SyncMan","C:\Documents and Settings\Curwen\SyncMan.exe","flagifnofile=1"
AutoRun:"SyncMan","<$PROFILE>\SyncMan.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","SyncMan"
// File:"<$FILE_EXE>","C:\Documents and Settings\Curwen\SyncMan.exe"
File:"<$FILE_EXE>","<$PROFILE>\SyncMan.exe"


// Trojan.Agent(3):
// Found like this in a HijackThis log under "Processes":
// C:\WINDOWS\system32\lsm32.sys
// NOTE(review): only the driver file is removed. If a Services\ entry loads it, that entry is not
// covered here and would be left pointing at a missing file — check for one when this rule hits.
File:"<$FILE_SERVICE>","<$SYSDIR>\lsm32.sys"
// See also: http://www.superantispyware.com/malwarefiles/LSM32.SYS.html


// Trojan.Calper:
// See also: http://www.systemlookup.com/O18/210-SYSDIR_xwreg32_dll.html
// Observed as an IE protocol filter (HijackThis O18) registered for text/html, which would give
// the DLL a hook on HTML content IE loads:
// ProtocolFilter:"text/html","{d71929e2-04be-4461-988c-341776f63238}"
// RegyKey:"<description>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\Protocols\Filter\","text/html","CLSID={d71929e2-04be-4461-988c-341776f63238}"
// NOTE(review): both filter rules above are commented out and replaced by a BHO rule, which
// targets a different registration. As written, only the DLL file is removed; the
// Protocols\Filter\text/html entry and the CLSID {d71929e2-...} stay behind, pointing at a
// missing DLL. If the engine has no ProtocolFilter directive, at least the CLSID key could be
// removed the way the BHO sections do (<$REG_CLASSID>) — confirm where it is registered first.
BrowserHelperEx:"*","filename=xwreg32.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\xwreg32.dll"


// Trojan.FakeAlert.ttam:
// Original note: "should be known already".
// BHO named "D" whose DLL name ends in five varying digits. The BHO rules use "?????" for the
// digits, but the File rules below name only the two exact samples seen, so a further variant
// would have its BHO entry flagged and its DLL left on disk.
// BrowserHelperEx:"D","filename=xwr44828.dll"
BrowserHelperEx:"D","filename=xwr?????.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{EDED58B4-A531-324A-9E5E-4D9F8383376B}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{EDED58B4-A531-324A-9E5E-4D9F8383376B}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\xwr44828.dll"
// New variant found (different file prefix and CLSID):
// BrowserHelperEx:"D","filename=is38881.dll"
BrowserHelperEx:"D","filename=is?????.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{97D0764D-2EEF-38CD-ACCB-C7E6F78F687C}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{97D0764D-2EEF-38CD-ACCB-C7E6F78F687C}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\is38881.dll"


// Trojan.Fraudpack.F5JMWNZTHI:
// Observed Run value (the affected user's profile name survives only in this comment):
// AutoRun:"F5JMWNZTHI","C:\Users\Evoluzione creativa\AppData\Local\Temp\Gt1.exe","flagifnofile=1"
// Two path variants: <$LOCALAPPDATA>\Temp and <$LOCALSETTINGS>\Temp (presumably the Vista+ and the
// XP-style profile layout). "???.exe" accepts any three-character name; the exact value name is
// what keeps the match narrow.
// NOTE(review): "F5JMWNZTHI" looks like a per-sample random string, in which case these rules
// only catch this one sample — confirm against other reports before relying on them.
AutoRun:"F5JMWNZTHI","<$LOCALAPPDATA>\Temp\???.exe","flagifnofile=1"
AutoRun:"F5JMWNZTHI","<$LOCALSETTINGS>\Temp\???.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","F5JMWNZTHI"
// No File rule: the dropper name (Gt1.exe) varies; flagifnofile=1 still flags the Run value
// when the file is already gone.
// File:"<$FILE_EXE>","C:\Users\Evoluzione creativa\AppData\Local\Temp\Gt1.exe"


// Trojan.SpyEye:
// Name per Kaspersky.
// Confirmed by SuperAntiSpyware, see: http://www.superantispyware.com/malwarefiles/NYNW.WMO.html
// Also found here: http://greatis.com/blog/how-to-remove-malware/removed-cleansweep-exe-nynw-wmo.htm
// Persists by appending itself to the Winlogon Shell value (observed data below). The RegyRemove
// rule strips only the "nynw.wmo ..." part — the Shell value must never be deleted or emptied as
// a whole, or no desktop comes up at logon.
// RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\","Shell","Shell=Explorer.exe rundll32.exe nynw.wmo mynleeq"
// NOTE(review): with the observed data, removing "nynw.wmo *" leaves "Explorer.exe rundll32.exe"
// behind, i.e. a rundll32.exe started with no arguments at every logon. If RegyRemove matches a
// substring, "rundll32.exe nynw.wmo *" would strip the whole appended launcher — verify the
// directive's matching rules before changing the pattern.
RegyRemove:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\","Shell","nynw.wmo *"
File:"<$FILE_DATA>","<$SYSDIR>\nynw.wmo"
// The folder is itself named cleansweep.exe; the executable and its config live inside it.
File:"<$FILE_EXE>","<$SYSDRIVE>\cleansweep.exe\cleansweep.exe"
File:"<$FILE_DATA>","<$SYSDRIVE>\cleansweep.exe\config.bin"
Directory:"<$DIR_PROG>","<$SYSDRIVE>\cleansweep.exe"


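// Trojan.Virtumonde(1):
// DLLs with generated-looking names in the system folder, hooked in through several load
// points: a BHO, HKLM Run values that start them via rundll32, AppInit_DLLs, the
// ShellServiceObjectDelayLoad list and Explorer's SharedTaskScheduler. Each load point is
// listed together with the DLL it refers to, so a File rule may appear more than once on purpose.
// Fix: the two CLSIDs referenced by the SSODL/SharedTaskScheduler entries were left registered;
// their class keys are now removed at the end of the section, as the BHO rules do.
BrowserHelperEx:"*","filename=dumepiwo.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{0d1f932d-7c26-45d2-a626-d97c41bb4a5e}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{0d1f932d-7c26-45d2-a626-d97c41bb4a5e}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\dumepiwo.dll"

// Run values of the form  rundll32.exe "<dll>",<export>. The AutoRun path ends in "*" so the
// export name after the DLL is matched too; the value name is random, hence "*".
// AutoRun:"wazewifan","Rundll32.exe "c:\windows\system32\denekilo.dll",a","flagifnofile=1"
AutoRun:"*","<$SYSDIR>\denekilo.dll*","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","wazewifan"
// File:"<$FILE_EXE>","Rundll32.exe "c:\windows\system32\denekilo.dll",a"
File:"<$FILE_LIBRARY>","<$SYSDIR>\denekilo.dll"

// NOTE(review): the observed value below names the DLL without a path ("mudagaho.dll"), while
// the rule matches <$SYSDIR>\mudagaho.dll* — whether the engine resolves the bare name before
// comparing is not visible here; confirm this rule actually hits. Same for vturrp.dll and
// efffed.dll below.
// AutoRun:"ragasorogi","Rundll32.exe "mudagaho.dll",s","flagifnofile=1"
AutoRun:"*","<$SYSDIR>\mudagaho.dll*","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","ragasorogi"
// File:"<$FILE_EXE>","Rundll32.exe "mudagaho.dll",s"
File:"<$FILE_LIBRARY>","<$SYSDIR>\mudagaho.dll"

// AutoRun:"xxxwxwdrv","rundll32.exe "vturrp.dll",s","flagifnofile=1"
AutoRun:"*","<$SYSDIR>\vturrp.dll*","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","xxxwxwdrv"
// File:"<$FILE_EXE>","rundll32.exe "vturrp.dll",s"
File:"<$FILE_LIBRARY>","<$SYSDIR>\vturrp.dll"

// AutoRun:"iiigggsys","rundll32.exe "efffed.dll",DllRegisterServer","flagifnofile=1"
AutoRun:"*","<$SYSDIR>\efffed.dll*","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","iiigggsys"
// File:"<$FILE_EXE>","rundll32.exe "efffed.dll",DllRegisterServer"
File:"<$FILE_LIBRARY>","<$SYSDIR>\efffed.dll"

// AutoRun:"ruwiparefi","Rundll32.exe "C:\WINDOWS\system32\kiyituhe.dll",s","flagifnofile=1"
AutoRun:"*","<$SYSDIR>\kiyituhe.dll*","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","ruwiparefi"
// File:"<$FILE_EXE>","Rundll32.exe "C:\WINDOWS\system32\kiyituhe.dll",s"
File:"<$FILE_LIBRARY>","<$SYSDIR>\kiyituhe.dll"

// This one lives in the Windows folder rather than the system folder.
// AutoRun:"Pyifohavo","rundll32.exe "c:\windows\eputahefozujecaz.dll",Startup","flagifnofile=1"
AutoRun:"*","<$WINDIR>\eputahefozujecaz.dll*","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","Pyifohavo"
// File:"<$FILE_EXE>","rundll32.exe "c:\windows\eputahefozujecaz.dll",Startup"
File:"<$FILE_LIBRARY>","<$WINDIR>\eputahefozujecaz.dll"

// AppInit_DLLs is a single shared value loaded into every GUI process; RegyRemove strips only
// the named entry, so any legitimate DLL listed alongside it is kept.
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\denekilo.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\denekilo.dll"

// NOTE(review): the next two File rules carry no directory. The AppInit_DLLs entries were bare
// names, so the DLLs presumably sit in the system folder (<$SYSDIR>) — confirm how the engine
// treats a path-less File rule before relying on these.
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","posibali.dll"
File:"<$FILE_LIBRARY>","posibali.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","kusewovi.dll"
File:"<$FILE_LIBRARY>","kusewovi.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\tefiyuvu.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\tefiyuvu.dll"

// SSODL and SharedTaskScheduler entries are COM objects Explorer loads at logon; each value
// names a CLSID and is paired here with the DLL it appears to load.
RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","molukimub","molukimub={3781c82b-a5b9-4df4-bd19-57295ed117b5}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\denekilo.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","pujatabow","pujatabow={2e3c94e5-2541-435d-aaf0-9b4b1ba81c8d}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\tefiyuvu.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","kupuhivus","kupuhivus={2e3c94e5-2541-435d-aaf0-9b4b1ba81c8d}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\tefiyuvu.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","jugezatag","jugezatag={3781c82b-a5b9-4df4-bd19-57295ed117b5}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\denekilo.dll"

// Class registrations for the two CLSIDs above. If a variant registers them under
// HKCU\Software\Classes instead, these HKLM rules simply will not match.
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{3781c82b-a5b9-4df4-bd19-57295ed117b5}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{2e3c94e5-2541-435d-aaf0-9b4b1ba81c8d}"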


// Trojan.Virtumonde(2):
// From a DDS log: file-only rules for a further batch of generated-looking names in the
// system folder. No load points were recorded, so only the files are removed; whatever registry
// entries load them (the usual ones are in Trojan.Virtumonde(1)) are not covered here.
// Original note: "there also seems to be an exe file from Virtumonde among them" (nodoveki.exe).
// NOTE(review): dumepiwo.dll is also listed in Trojan.Virtumonde(1), together with its BHO rules.
File:"<$FILE_LIBRARY>","<$SYSDIR>\kbtsbde.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\beziyefu.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\dumepiwo.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\fidamufa.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\hiwipafi.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\nitalopo.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\rayefeku.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\vigodite.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\zobumava.dll"
File:"<$FILE_EXE>","<$SYSDIR>\nodoveki.exe"


// Trojan.Zlob:
// NOTE(review): observation-only section — HijackThis O17 lines showing the NameServer value
// rewritten to 93.188.163.117/93.188.161.65 and 85.255.116.136/85.255.112.238, both on
// per-adapter keys (Tcpip\..\{GUID}) and on the global Tcpip\Parameters, across
// CurrentControlSet and ControlSet001/002. No directive follows, so nothing is detected or
// removed. Any rule written for this must clear or restore the NameServer value, not delete the
// interface key, and cleanup should be followed by a DNS check — name resolution stays hijacked
// until the value is fixed.
// O17 - HKLM\System\CCS\Services\Tcpip\..\{17526B4C-CEFE-4966-9F79-2FFA61A4198A}: NameServer = 93.188.163.117,93.188.161.65
// O17 - HKLM\System\CCS\Services\Tcpip\..\{571ABE99-D665-43A1-B9AC-73502978ED06}: NameServer = 93.188.163.117,93.188.161.65
// O17 - HKLM\System\CS1\Services\Tcpip\..\{17526B4C-CEFE-4966-9F79-2FFA61A4198A}: NameServer = 93.188.163.117,93.188.161.65
// O17 - HKLM\System\CS2\Services\Tcpip\..\{17526B4C-CEFE-4966-9F79-2FFA61A4198A}: NameServer = 93.188.163.117,93.188.161.65
// O17 - HKLM\System\CCS\Services\Tcpip\..\{2A04F888-1755-450D-9F48-7B07653B9E8D}: NameServer = 85.255.116.136,85.255.112.238
// O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.136 85.255.112.238
// O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.136 85.255.112.238
// O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.136 85.255.112.238