I've collected detection rules for the following Malware:
  • Adware.OneStep
  • Adware.Poploader
  • Adware.Rond
  • Malware.Fraud.Win7Antispyware2010
  • Malware.Package
  • PUPS.MyWebSearch
  • Spyware.AdRotator
  • Trojan.Agent
  • Trojan.FakeAlert.ttam(5)
  • Trojan.Grepage
  • Trojan.IRCBot
  • Trojan.Virtumonde(2)
  • Worm.Koobface
Category: Trojan
Code:
:: New Malware v79
// Revision 1
// {Cat:Test}{Cnt:1}
// {Det:Matthias,2010-03-07}


// Adware.OneStep:
// From a ComboFix log file
// See also here: http://www.threatexpert.com/report.aspx?md5=3886386f0488acd4ad546ca7daec2c23
// And also here: http://www.threatexpert.com/report.aspx?md5=5608657a0d6f1319abab262f4925cb9d
// Registry entries:
// HKEY_LOCAL_MACHINE\SOFTWARE\SeekeenSrch
// HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SEEKEENSRCH_SERVICE
// HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SEEKEENSRCH_SERVICE\0000
// HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SEEKEENSRCH_SERVICE\0000\Control
// HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SeekeenSrch Service
// HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SeekeenSrch Service\Security
// HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SeekeenSrch Service\Enum
// HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SEEKEENSRCH_SERVICE
// HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SEEKEENSRCH_SERVICE\0000
// HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SEEKEENSRCH_SERVICE\0000\Control
// HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SeekeenSrch Service
// HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SeekeenSrch Service\Security
// HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SeekeenSrch Service\Enum
// Creates the following files:
// c:\documents and settings\All Users\Application Data\SeekeenSrch\seekeen147.exe
// c:\documents and settings\All Users\Application Data\SeekeenSrch\seekeen155.exe
File:"<$FILE_EXE>","<$COMMONAPPDATA>\SeekeenSrch\seekeen???.exe"
File:"<$FILE_LIBRARY>","<$PROFILE>\seekeen.dll"
File:"<$FILE_EXE>","<$PROFILE>\seekeen.dll"
File:"<$FILE_DATA>","<$PROGRAMFILES>\SeekeenSrch\home.js"
File:"<$FILE_WEBPAGE>","<$PROGRAMFILES>\SeekeenSrch\readme.html"
File:"<$FILE_LIBRARY>","<$PROGRAMFILES>\SeekeenSrch\seekeen.dll"
File:"<$FILE_EXE>","<$PROGRAMFILES>\SeekeenSrch\seekeen.exe"
File:"<$FILE_EXE>","<$PROGRAMFILES>\SeekeenSrch\skopt.exe"
File:"<$FILE_EXE>","<$PROGRAMFILES>\SeekeenSrch\uninstall.exe"
Directory:"<$DIR_PROG>","<$COMMONAPPDATA>\SeekeenSrch"
Directory:"<$DIR_PROG>","<$PROGRAMFILES>\SeekeenSrch"


// Adware.Poploader:
// From a ComboFix log file:
File:"<$FILE_LIBRARY>","<$WINDIR>\Downloaded Program Files\popcaploader.dll"
File:"<$FILE_TEXT>","<$WINDIR>\Downloaded Program Files\popcaploader.inf"


// Adware.Rond:
// Name according to A-Squared
// See here: http://forums.spybot.info/showthread.php?t=55826
// Please finally add this, from a ComboFix log file:
// ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
// c:\program files\Csvnro
// c:\program files\Csvnro\Csvnro.exe
// See also: Malware.Package
// AutoRun:"Csvnro","C:\Program Files\Csvnro\Csvnro.exe","flagifnofile=1"
AutoRun:"Csvnro","<$PROGRAMFILES>\Csvnro\Csvnro.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","Csvnro"
// File:"<$FILE_EXE>","C:\Program Files\Csvnro\Csvnro.exe"
File:"<$FILE_EXE>","<$PROGRAMFILES>\Csvnro\Csvnro.exe"
Directory:"<$DIR_PROG>","<$PROGRAMFILES>\Csvnro"


// Malware.Fraud.Win7Antispyware2010 alias Malware.Fraud.AntivirusVista2010:
// From an MBAM log file:
// C:\Documents and Settings\Owner\Local Settings\Application Data\av.exe (ROGUE.Win7Antispyware2010) -> Quarantined and deleted successfully.
// Partly has rootkit characteristics
// From a DDS log file:
// [2010.03.03 17:14:26 | 000,197,120 | -HS- | C] () -- C:\Users\****\AppData\Local\av.exe
NTFile:"<$FILE_EXE>","<$LOCALAPPDATA>\av.exe"


// Malware.Package:
// Spybot had major problems cleaning a machine, see here: http://forums.spybot.info/showthread.php?t=55826
// On page two the following two ComboFix log files were found
// I hope you can create one or two rules from them, since Spybot could not detect quite a few of these :-(
// C:\35573251.exe
// C:\documents and settings\All Users\Start Menu\Programs\Antivirus XP 2008.lnk
// C:\documents and settings\Compaq_Administrator\Application Data\rhcpvoj0e57v
// C:\documents and settings\Compaq_Administrator\Cookies\_install.exe
// C:\documents and settings\Compaq_Administrator\Local Settings\Temporary Internet Files\bestwiner.stt
// C:\documents and settings\Compaq_Administrator\Local Settings\Temporary Internet Files\CPV.stt
// C:\documents and settings\LocalService\Local Settings\Temporary Internet Files\CPV.stt
// C:\Microsoft
// C:\microsoft\svchost.exe
// C:\progra~1\COMMON~1\{3C622~1
// C:\progra~1\COMMON~1\{7C622~1
// C:\progra~1\COMMON~1\{7C622~1\system.dll
// C:\progra~1\COMMON~1\{7C622~1\Update.exe
// C:\progra~1\COMMON~1\{7C622~2
// C:\progra~1\COMMON~1\{7C622~2\system.dll
// C:\progra~1\COMMON~1\{7C622~2\Update.exe
// C:\progra~1\COMMON~1\{7C622~3
// C:\progra~1\COMMON~1\{7C622~3\system.dll
// C:\progra~1\COMMON~1\{7C622~3\Update.exe
// C:\program files\asks~1
// C:\program files\Common Files\curity~1
// C:\program files\Common Files\dobe~1
// C:\program files\Common Files\racle~1
// C:\program files\Common Files\smante~1
// C:\program files\Common Files\smbols~1
// C:\program files\Common Files\sstem~1
// C:\program files\Common Files\ymante~1
// C:\program files\crosof~1.net
// C:\program files\curity~1
// C:\program files\JavaCore
// C:\program files\mantec~1
// C:\program files\racle~1
// C:\program files\rhcpvoj0e57v
// C:\program files\shcrvoj0e57v
// C:\program files\Spcron
// C:\program files\sstem3~1
// C:\program files\Svconr
// C:\program files\Svconr\Svconr.exe.lzma
// C:\program files\Temporary
// C:\program files\Temporary\InsiDERInst.exe
// C:\program files\wnsxs~1
// C:\program files\ystem~1
// C:\recycler\S-1-5-21-527237240-179605362-725345543-500
// C:\windows\IA
// C:\windows\IA\asappsrv.dll.vir
// C:\windows\IA\command.exe
// C:\windows\IA\KE.vbs
// C:\windows\icroso~1
// C:\windows\icroso~1.net
// C:\windows\mcroso~1
// C:\windows\racle~1
// C:\windows\smante~1
// C:\windows\sstem~1
// C:\windows\system32\asks~1
// C:\windows\system32\atmtd.dll.tmp
// C:\windows\system32\COMCTL32.OCA
// C:\windows\system32\curity~1
// C:\windows\system32\E.tmp
// C:\windows\system32\fnts~1
// C:\windows\system32\lphctvoj0e57v.exe
// C:\windows\system32\mantec~1
// C:\windows\system32\pphctvoj0e57v.exe
// C:\windows\system32\racle~1
// C:\windows\system32\s.ico
// C:\windows\system32\sks~1
// C:\windows\system32\sstem3~1
// C:\windows\system32\stem~1
// C:\windows\system32\unsvchosts.lzma
// C:\windows\system32\wapisu.exe
// C:\windows\system32\wnsxs~1
// C:\windows\system32\ymante~1
// C:\windows\tsks~1
// C:\windows\ymbols~1
// D:\Autorun.inf
// -------\Legacy_CMDSERVICE
// -------\Legacy_COM _MESSAGES
// -------\Service_cmdService
// C:\progra~1\COMMON~1\ikzo
// C:\progra~1\COMMON~1\ikzo\ikzoa.exe
// C:\progra~1\COMMON~1\ikzo\ikzoa.lck
// C:\progra~1\COMMON~1\ikzo\ikzod\class-barrel
// C:\progra~1\COMMON~1\ikzo\ikzod\ikzoc.dll
// C:\progra~1\COMMON~1\ikzo\ikzol.exe
// C:\progra~1\COMMON~1\ikzo\ikzol.lck
// C:\progra~1\COMMON~1\ikzo\ikzom.exe
// C:\progra~1\COMMON~1\ikzo\ikzom.lck
// C:\progra~1\COMMON~1\ikzo\ikzop.exe
// C:\progra~1\COMMON~1\ikzo\ikzop.lck
// C:\windows\system32\A3.tmp
// C:\windows\system32\A4.tmp
// C:\windows\system32\A5.tmp
// C:\windows\system32\A6.tmp
// C:\windows\system32\A7.tmp
// C:\windows\system32\A8.tmp
// C:\windows\system32\A9.tmp
// C:\windows\system32\AA.tmp
// C:\windows\system32\AB.tmp
// C:\windows\system32\AC.tmp
// C:\windows\system32\AD.tmp
// C:\windows\system32\AE.tmp
// C:\windows\system32\AF.tmp
// C:\windows\system32\B0.tmp
// C:\windows\system32\B1.tmp
// C:\windows\system32\B2.tmp
// C:\windows\system32\B5.tmp
// C:\windows\system32\B6.tmp
// C:\windows\system32\B7.tmp
// C:\windows\system32\B8.tmp
// C:\windows\system32\B9.tmp
// C:\windows\system32\BB.tmp
// C:\windows\system32\BC.tmp
// C:\windows\system32\BD.tmp
// C:\windows\system32\BE.tmp
// C:\windows\system32\BF.tmp
// C:\windows\system32\C0.tmp
// C:\windows\system32\C1.tmp
// C:\windows\system32\C2.tmp
// C:\windows\system32\C3.tmp
// C:\windows\system32\C4.tmp
// C:\windows\system32\C5.tmp
// C:\windows\system32\C6.tmp
// C:\windows\system32\C7.tmp


// PUPS.MyWebSearch:
// See here: http://forums.spybot.info/showthread.php?t=55565
// Please check whether you really have these rules
// From an MBAM log file
// Registry Keys Infected:
// HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00a6faf1-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
// HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18ea9-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
// HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18eab-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
// HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{458a0f0d-fb02-47be-82e7-ce8caaceeb6b} (Trojan.Vundo) -> Quarantined and deleted successfully.
// HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{25560540-9571-4d7b-9389-0f166788785a} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
// HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{2eff3cf7-99c1-4c29-bc2b-68e057e22340} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
// HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{3dc201fb-e9c9-499c-a11f-23c360d7c3f8} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
// HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{63d0ed2c-b45b-4458-8b3b-60c69bbbd83c} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
// HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{98d9753d-d73b-42d5-8c85-4469cda897ab} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
// HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{9ff05104-b030-46fc-94b8-81276e4e27df} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
// HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{a6573479-9075-4a65-98a6-19fd29cf7374} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
// HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.


// Spyware.AdRotator:
BrowserHelperEx:"ezLife browser enhancer *","filename=*.dll"
BrowserHelperEx:"gooochi browser enhancer","filename=*.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{13813032-6246-4D51-8468-7875BE5C5416}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{13813032-6246-4D51-8468-7875BE5C5416}"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{A4A9A8E9-A525-6DDA-43C6-C4E5E103F498}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{A4A9A8E9-A525-6DDA-43C6-C4E5E103F498}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\qfxzrops.dll"
// AutoRun:"wcgxujqujvvt","C:\WINDOWS\System32\regsvr32.exe /s "C:\WINDOWS\system32\ankvbgxlbf.dll"","flagifnofile=1"
AutoRun:"*","<$SYSDIR>\ankvbgxlbf.dll","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","wcgxujqujvvt"
// File:"<$FILE_EXE>","C:\WINDOWS\System32\regsvr32.exe /s "C:\WINDOWS\system32\ankvbgxlbf.dll""
File:"<$FILE_LIBRARY>","<$SYSDIR>\ankvbgxlbf.dll"


// Trojan.Agent:
// The file name looks random, but I don't know whether an asterisk works under Profile for the autostart name MSConfig :-)
// AutoRun:"MSConfig","C:\Dokumente und Einstellungen\***\uyapfm.exe \u","flagifnofile=1"
AutoRun:"MSConfig","<$PROFILE>\*.exe*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","MSConfig"
// File:"<$FILE_EXE>","C:\Dokumente und Einstellungen\***\uyapfm.exe \u"
File:"<$FILE_EXE>","<$PROFILE>\uyapfm.exe"


// Trojan.FakeAlert.ttam(1):
// See also here: http://www.systemlookup.com/CLSID/56556-iehelper_dll.html
BrowserHelperEx:"BHO","filename=iehelper.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{C9C42510-9B21-41c1-9DCD-8382A2D07C61}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{C9C42510-9B21-41c1-9DCD-8382A2D07C61}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\iehelper.dll"


// Trojan.FakeAlert.ttam(2):
// AutoRun:"REALLITY SERVICE","c:\FILES\REMOVED\BEST.exe","flagifnofile=1"
AutoRun:"REALLITY SERVICE","<$SYSDRIVE>\FILES\REMOVED\*.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","REALLITY SERVICE"
// File:"<$FILE_EXE>","c:\FILES\REMOVED\BEST.exe"
File:"<$FILE_EXE>","<$SYSDRIVE>\FILES\REMOVED\BEST.exe"
Directory:"<$DIR_PROG>","<$SYSDRIVE>\FILES\REMOVED"
Directory:"<$DIR_PROG>","<$SYSDRIVE>\FILES"


// Trojan.FakeAlert.ttam(3):
RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","oyDOWkmavYYJNU","oyDOWkmavYYJNU={CC96B659-663C-1CF3-3A34-4702AFE15DFE}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\zvln.dll"


// Trojan.FakeAlert.ttam(4):
// From a ComboFix log file
// See here: http://www.trojaner-board.de/82876-iebho-dll-trojan-fakealert-trojan-bho-h-lassen-sich-nicht-entfernen-2.html
// Maybe you can add one or two of these after all :-)  Sorry, I can't supply any files :-(
File:"<$FILE_LIBRARY>","<$SYSDIR>\IEBHO.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\iebho09.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\iebho15.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\MSIMRT.DLL"
File:"<$FILE_LIBRARY>","<$SYSDIR>\MSIMRT32.DLL"
File:"<$FILE_LIBRARY>","<$SYSDIR>\MSIMUSIC.DLL"
File:"<$FILE_LIBRARY>","<$SYSDIR>\Vb40032.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\twain_32.dll"


// Trojan.FakeAlert.ttam(5):
// From a ComboFix log file
// See here: http://www.geekstogo.com/forum/computer-clean-t270374.html
// Maybe you can adopt one or two of these. ;-)   Sorry, I can't supply any files :-(
File:"<$FILE_LIBRARY>","<$SYSDIR>\Dvbpws.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\lsprst7.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\prnqctl.vbs"
File:"<$FILE_LIBRARY>","<$SYSDIR>\ssprs.dll"


// Trojan.Grepage:
// Name according to Symantec
AutoRun:"winsvc32","<$SYSDIR>\winsvc32.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","winsvc32"
File:"<$FILE_EXE>","<$SYSDIR>\winsvc32.exe"


// Trojan.IRCBot:
// See here: http://www.bleepingcomputer.com/startups/trkwksvc.exe-20586.html
RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","NET Service","ImagePath=<$WINDIR>\trkwksvc.exe"
File:"<$FILE_EXE>","<$WINDIR>\trkwksvc.exe"


// Trojan.Virtumonde(1):
BrowserHelperEx:"*","filename=hsfd83jfdg.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{C5BF49A2-94F3-42BD-F434-3604812C8955}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{C5BF49A2-94F3-42BD-F434-3604812C8955}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\hsfd83jfdg.dll"

BrowserHelperEx:"*","filename=fontext32.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{01114BCD-E99B-4A76-B7FD-558ACD75C455}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{01114BCD-E99B-4A76-B7FD-558ACD75C455}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\fontext32.dll"

BrowserHelperEx:"*","filename=d3dx9_3032.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{01447F3B-4272-443D-957F-03461650E33a}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{01447F3B-4272-443D-957F-03461650E33a}"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{014A4CFC-81DA-48C2-B44C-8323EB1DA8C2}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{014A4CFC-81DA-48C2-B44C-8323EB1DA8C2}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\d3dx9_3032.dll"

BrowserHelperEx:"*","filename=fcnetcf.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{96D5CE2D-6275-43C3-9C86-8A9B689EF333}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{96D5CE2D-6275-43C3-9C86-8A9B689EF333}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\fcnetcf.dll"

BrowserHelperEx:"*","filename=cnetcf.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{A84A7A2B-EFBB-46A4-ADAC-29B5558EE514}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{A84A7A2B-EFBB-46A4-ADAC-29B5558EE514}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\cnetcf.dll"

BrowserHelperEx:"*","filename=fabeduyu.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{5e8be0dd-c278-4b36-91b7-1ff46ac3d755}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{5e8be0dd-c278-4b36-91b7-1ff46ac3d755}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\fabeduyu.dll"

BrowserHelperEx:"*","filename=pmnnl.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{1dc5edb1-2487-445d-a7b2-391e3d076027}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{1dc5edb1-2487-445d-a7b2-391e3d076027}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\pmnnl.dll"

// AutoRun:"Kwehibav","rundll32.exe "C:\WINDOWS\erikovikerevafid.dll",Startup","flagifnofile=1"
AutoRun:"*","<$WINDIR>\erikovikerevafid.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","Kwehibav"
// File:"<$FILE_EXE>","rundll32.exe "C:\WINDOWS\erikovikerevafid.dll",Startup"
File:"<$FILE_LIBRARY>","<$WINDIR>\erikovikerevafid.dll"

// AutoRun:"zawezamovu","Rundll32.exe "zoluvuwo.dll",s","flagifnofile=1"
AutoRun:"*","<$SYSDIR>\zoluvuwo.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","zawezamovu"
// File:"<$FILE_EXE>","Rundll32.exe "zoluvuwo.dll",s"
File:"<$FILE_LIBRARY>","<$SYSDIR>\zoluvuwo.dll"

// AutoRun:"sstromdrv","rundll32.exe "qomjhh.dll",s","flagifnofile=1"
AutoRun:"*","<$SYSDIR>\qomjhh.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","sstromdrv"
// File:"<$FILE_EXE>","rundll32.exe "qomjhh.dll",s"
File:"<$FILE_LIBRARY>","<$SYSDIR>\qomjhh.dll"

// AutoRun:"yabxuusys","rundll32.exe "awwtrq.dll",DllRegisterServer","flagifnofile=1"
AutoRun:"*","<$SYSDIR>\awwtrq.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","yabxuusys"
// File:"<$FILE_EXE>","rundll32.exe "awwtrq.dll",DllRegisterServer"
File:"<$FILE_LIBRARY>","<$SYSDIR>\awwtrq.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\dpserial32.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\dpserial32.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\btpanui32.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\btpanui32.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\veyekuke.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\veyekuke.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","opgyww.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\opgyww.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\nuzevuzi.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\nuzevuzi.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\tuyigope.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\tuyigope.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\gotapajo.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\gotapajo.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\kawepibo.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\kawepibo.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\gopikobi.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\gopikobi.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\heyejopo.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\heyejopo.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\bogiviza.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\bogiviza.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\juzeziwi.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\juzeziwi.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\pebapehe.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\pebapehe.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\tezezubu.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\tezezubu.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\tatunulo.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\tatunulo.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","app_dll.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\app_dll.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","ketafopo.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\ketafopo.dll"

RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\","38b4ce68810","DllName=<$SYSDIR>\dpserial32.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\dpserial32.dll"

RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\","winnhz32","DllName=winnhz32.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\winnhz32.dll"

RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\","avhcfahw","DllName=ujhqwjf.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\ujhqwjf.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","vuyuwesur","vuyuwesur={d07201db-c091-45c8-b06f-bd9a33986bf6}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\vadawife.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","kupuhivus","kupuhivus={d07201db-c091-45c8-b06f-bd9a33986bf6}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\vadawife.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","jgzfkj9w38rksndfi7r4","jgzfkj9w38rksndfi7r4={C5BF49A2-94F3-42BD-F434-3604812C8955}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\hsfd83jfdg.dll"


// Trojan.Virtumonde(2):
// From a DDS log file
File:"<$FILE_EXE>","<$SYSDIR>\benituyo.exe"
File:"<$FILE_LIBRARY>","<$SYSDIR>\hafedeku.dll"
File:"<$FILE_EXE>","<$SYSDIR>\kakekuze.exe"
File:"<$FILE_LIBRARY>","<$SYSDIR>\kepikemi.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\lazogiya.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\mivekele.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\nanulote.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\pipuduse.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\rarayuna.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\wuleluzu.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\zakupuju.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\dogubina.dll"
File:"<$FILE_EXE>","<$SYSDIR>\jifetahi.exe"
File:"<$FILE_LIBRARY>","<$SYSDIR>\lipulone.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\pekiboba.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\peroruvo.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\sakalimo.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\wotuzapi.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\msssc.dll"


// Worm.Koobface:
// See here: http://www.systemlookup.com/Startup/21724-bill102_exe.html
// AutoRun:"sysfbtray","c:\windows\bill103.exe","flagifnofile=1"
AutoRun:"sysfbtray","<$WINDIR>\bill???.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","sysfbtray"
// File:"<$FILE_EXE>","c:\windows\bill103.exe"
File:"<$FILE_EXE>","<$WINDIR>\bill103.exe"
// The following two log files also belong to Koobface
// From a DDS log file:
// 2010-02-13 02:36:40 23552 ----a-w- c:\windows\rdr_1266028598.exe
// 2010-02-13 02:25:39 194048 ----a-w- c:\windows\rdr_1266027931.exe
// 2010-02-13 02:25:31 23552 ----a-w- c:\windows\rdr_1266027925.exe
// 2010-02-13 02:25:25 2 ----a-w- c:\windows\0101120101465448.xxe
// 2010-01-29 16:29:24 75264 ----a-w- c:\windows\rdr_1264782561.exe
// 2010-01-29 15:58:10 75264 ----a-w- c:\windows\rdr_1264780687.exe
// 2010-01-29 15:57:32 75264 ----a-w- c:\windows\rdr_1264780650.exe
// 2010-01-29 15:56:37 75264 ----a-w- c:\windows\rdr_1264780596.exe
// 2010-01-29 15:51:49 75264 ----a-w- c:\windows\rdr_1264780306.exe
// 2010-01-29 15:49:23 75264 ----a-w- c:\windows\rdr_1264780160.exe
// 2010-01-29 15:45:50 75264 ----a-w- c:\windows\rdr_1264779946.exe
// 2010-01-29 15:44:59 75264 ----a-w- c:\windows\rdr_1264779898.exe
// 2010-01-29 15:44:15 75264 ----a-w- c:\windows\rdr_1264779853.exe
// 2010-01-29 15:42:32 75264 ----a-w- c:\windows\rdr_1264779748.exe
// 2010-01-29 15:41:22 12842 ----a-w- c:\windows\rdr_1264779679.exe
// 2010-01-29 15:39:58 75264 ----a-w- c:\windows\rdr_1264779596.exe
// 2010-01-29 15:39:30 75264 ----a-w- c:\windows\rdr_1264779568.exe
// 2010-01-29 15:38:05 75264 ----a-w- c:\windows\rdr_1264779484.exe.exe
// From an MBAM log file:
// Files Infected:
// C:\Windows\010112010146116101.xxe (KoobFace.Trace) -> No action taken.
// C:\Windows\0101120101464955.xxe (KoobFace.Trace) -> No action taken.
// C:\Windows\0101120101465050.xxe (KoobFace.Trace) -> No action taken.
// C:\Windows\0101120101465055.xxe (KoobFace.Trace) -> No action taken.
// C:\Windows\0101120101465248.xxe (KoobFace.Trace) -> No action taken.
// C:\Windows\0101120101465249.xxe (KoobFace.Trace) -> No action taken.
// C:\Windows\0101120101465349.xxe (KoobFace.Trace) -> No action taken.
// C:\Windows\0101120101465649.xxe (KoobFace.Trace) -> No action taken.
// C:\Windows\bx4657.dat (KoobFace.Trace) -> No action taken.
// C:\Windows\tw23567.dat (KoobFace.Trace) -> No action taken.
// C:\Windows\hpm2.dat (KoobFace.Trace) -> No action taken.
// C:\Windows\bk23567.dat (KoobFace.Trace) -> No action taken.
// C:\Windows\fdgg34353edfgdfdf (KoobFace.Trace) -> No action taken.
// C:\Windows\tgm2.dat (KoobFace.Trace) -> No action taken.
// See also here: http://forums.techguy.org/malware-removal-hijackthis-logs/867040-hacktool-rootkit-virus.html
// C:\Program Files\Mozilla Firefox\ftemp.exe (Worm.Koobface) -> Quarantined and deleted successfully.
File:"<$FILE_EXE>","<$PROGRAMFILES>\Mozilla Firefox\ftemp.exe"
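An added example, not part of this submission or of Spybot itself: a small evaluator that parses rule lines in the format used above (File:, Directory:, RegyKey:, RegyValue:, AutoRun:) and checks them against a constructed inventory of a hypothetical infected host, so a rule author can see which entries would fire. The `<$...>` placeholder expansions, the inventory layout and the sample host data are assumptions, not Spybot's real internals.

```python
import fnmatch
# Assumed expansions for the <$...> placeholders (Windows XP-style layout); not Spybot's own.
PLACEHOLDERS = {
    "<$SYSDRIVE>": r"C:", "<$WINDIR>": r"C:\Windows", "<$SYSDIR>": r"C:\Windows\System32",
    "<$PROGRAMFILES>": r"C:\Program Files", "<$PROFILE>": r"C:\Documents and Settings\*",
    "<$COMMONAPPDATA>": r"C:\Documents and Settings\All Users\Application Data",
    "<$LOCALAPPDATA>": r"C:\Documents and Settings\*\Local Settings\Application Data",
}
RUN_KEY = r"software\microsoft\windows\currentversion\run"

def split_fields(s):
    # Split rule arguments on commas outside double quotes and drop the quotes.
    out, cur, quoted = [], [], False
    for ch in s:
        if ch == '"':
            quoted = not quoted
        elif ch == "," and not quoted:
            out.append("".join(cur).strip()); cur = []
        else:
            cur.append(ch)
    return out + ["".join(cur).strip()]

def parse_rules(text):
    # Yield (kind, args) for active lines; '//' comments and '::' headers are skipped.
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("//", "::")):
            kind, _, rest = line.partition(":")
            yield kind, split_fields(rest)

def matches(pattern, value):
    # Case-insensitive glob after placeholder expansion; '?' and '*' as in the rules.
    for ph, val in PLACEHOLDERS.items():
        pattern = pattern.replace(ph, val)
    return fnmatch.fnmatchcase(value.strip('"').lower(), pattern.lower())

def reg_key(hive, path):
    return (hive, path.strip("\\").lower())

def scan(rule_text, paths, registry):
    """`paths` lists files and directories on the host; `registry` maps (hive, lower-cased
    key path) to {lower-cased value name: data}. Returns (kind, evidence) per matching rule."""
    hits = []
    for kind, a in parse_rules(rule_text):
        if kind in ("File", "Directory"):       # a[1] is the path pattern
            hits += [(kind, p) for p in paths if matches(a[1], p)]
        elif kind == "RegyValue":               # value a[3] exists under key a[2] in hive a[1]
            if a[3].lower() in registry.get(reg_key(a[1], a[2]), {}):
                hits.append((kind, a[3]))
        elif kind == "RegyKey":                 # subkey a[3] exists; optional "name=data" check in a[4]
            vals = registry.get(reg_key(a[1], a[2] + a[3]))
            if vals is not None:
                name, _, data = (a[4] if len(a) > 4 else "").partition("=")
                if not name or matches(data, vals.get(name.lower(), "")):
                    hits.append((kind, a[3]))
        elif kind == "AutoRun":                 # a Run value named like a[0] whose command matches a[1]
            for (hive, path), vals in registry.items():
                for name, data in (vals.items() if path == RUN_KEY else ()):
                    if fnmatch.fnmatchcase(name, a[0].lower()) and matches(a[1], data):
                        hits.append((kind, hive + "\\" + name))
    return hits

# Constructed sample: rules taken from the submission above and a hypothetical infected host.
SAMPLE_RULES = r'''
AutoRun:"winsvc32","<$SYSDIR>\winsvc32.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","winsvc32"
File:"<$FILE_EXE>","<$SYSDIR>\winsvc32.exe"
// Worm.Koobface: '???' covers the changing number in bill103.exe; the exact File rule does not
AutoRun:"sysfbtray","<$WINDIR>\bill???.exe","flagifnofile=1"
File:"<$FILE_EXE>","<$WINDIR>\bill103.exe"
RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","NET Service","ImagePath=<$WINDIR>\trkwksvc.exe"
Directory:"<$DIR_PROG>","<$PROGRAMFILES>\Csvnro"
'''
SAMPLE_PATHS = [r"C:\WINDOWS\system32\winsvc32.exe", r"C:\WINDOWS\bill104.exe",
                r"C:\WINDOWS\system32\kernel32.dll", r"C:\Program Files\Csvnro"]
SAMPLE_REGISTRY = {
    ("HKEY_LOCAL_MACHINE", RUN_KEY): {"winsvc32": r"C:\WINDOWS\system32\winsvc32.exe",
                                      "sysfbtray": r"c:\windows\bill104.exe"},
    ("HKEY_LOCAL_MACHINE", r"software\microsoft\windows\currentversion\explorer"
                           r"\sharedtaskscheduler\net service"): {"imagepath": r"C:\WINDOWS\trkwksvc.exe"},
}

def demo():
    return scan(SAMPLE_RULES, SAMPLE_PATHS, SAMPLE_REGISTRY)
```

On the sample host the wildcarded `bill???.exe` AutoRun rule fires while the exact `bill103.exe` File rule misses, which is the reason the submission uses `???` and `*` for names that change between infections.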