I've collected detection rules for the following malware:
  • Adware.BHO
  • Adware.Ulineguide
  • Malware.Fraud.GreenAV
  • Malware.Fraud.PrivacyON
  • Rootkit.Agent
  • Rootkit.TDSS.4DW4R3
  • Rootkit.Unknown.WTime/Time
  • Rootkit.Unknown.zzfxyg
  • Spyware.Spynet
  • Trojan.Agent(2)
  • Trojan.Ambler
  • Trojan.Banload
  • Trojan.Clicker
  • Trojan.FakeAlert.ttam(2)
  • Trojan.Fraudpack.BMIMZMHMFM
  • Trojan.Fraudpack.ROUA3O12PW
  • Trojan.Netbus
  • Trojan.Virtumonde(2)
Category: Trojan
Code:
:: New Malware v80
// Revision 1
// {Cat:Trojan}{Cnt:1}
// {Det:Matt,2010-03-08}


// Adware.BHO:
// See also here: http://www.systemlookup.com/CLSID/68153-ugacn2_dll.html
// NOTE(review): the reference URL names ugacn2_dll while every rule below uses uracn2.dll —
// confirm which spelling is the real file name before this rule goes live.
// The same CLSID is removed from the Browser Helper Objects list and from Classes\CLSID,
// then the DLL and its program folder.
BrowserHelperEx:"uiwn1","filename=uracn2.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{19AAAA41-568A-450E-9CD5-6D3C06321790}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{19AAAA41-568A-450E-9CD5-6D3C06321790}"
File:"<$FILE_LIBRARY>","<$PROGRAMFILES>\uracn2\uracn2.dll"
Directory:"<$DIR_PROG>","<$PROGRAMFILES>\uracn2"


// Adware.Ulineguide:
// BHO "ulineguide Helper" backed by ulineguidepack.dll. The same CLSID is removed from the
// Browser Helper Objects list and from the Classes\CLSID branch, then the DLL and its folder.
BrowserHelperEx:"ulineguide Helper","filename=ulineguidepack.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{C3105EEE-9977-460E-B842-B04DE95921B5}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{C3105EEE-9977-460E-B842-B04DE95921B5}"
File:"<$FILE_LIBRARY>","<$PROGRAMFILES>\ulineguide\ulineguidepack.dll"
Directory:"<$DIR_PROG>","<$PROGRAMFILES>\ulineguide"


// Malware.Fraud.GreenAV:
// Two autorun values with purely numeric names under HKLM\...\Run, both pointing into
// <$COMMONAPPDATA>\gwr. The AutoRun rules match on the path (value name "*"); the RegyValue
// rules match the numeric value names seen in the commented-out originals.
// NOTE(review): flagifnofile=0 here, whereas the commented-out originals and every other AutoRun
// rule in this file use flagifnofile=1 — confirm this is intentional (presumably the flag controls
// whether the entry is still reported when the target file is missing; verify against the rule docs).
// AutoRun:"37465982736455","C:\Documents and Settings\All Users\Application Data\gwr\mradll.exe","flagifnofile=1"
AutoRun:"*","<$COMMONAPPDATA>\gwr\mradll.exe","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","37465982736455"
// File:"<$FILE_EXE>","C:\Documents and Settings\All Users\Application Data\gwr\mradll.exe"
File:"<$FILE_EXE>","<$COMMONAPPDATA>\gwr\mradll.exe"
// AutoRun:"03874569874596","C:\Documents and Settings\All Users\Application Data\gwr\rwg.exe","flagifnofile=1"
AutoRun:"*","<$COMMONAPPDATA>\gwr\rwg.exe","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","03874569874596"
// File:"<$FILE_EXE>","C:\Documents and Settings\All Users\Application Data\gwr\rwg.exe"
File:"<$FILE_EXE>","<$COMMONAPPDATA>\gwr\rwg.exe"
Directory:"<$DIR_COMMON_APPDATA>","<$COMMONAPPDATA>\gwr"


// Malware.Fraud.PrivacyON:
// Confirmed here: http://www.systemlookup.com/CLSID/64089-Onb_dll.html
// BHO "Onbp Class" backed by Onb.dll under <$PROGRAMFILES>\PrivacyON; the CLSID is removed from
// both the Browser Helper Objects list and Classes\CLSID, then the DLL and its folder.
BrowserHelperEx:"Onbp Class","filename=Onb.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{786F389F-C02E-4DC3-AC0C-1FAB1D105C6E}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{786F389F-C02E-4DC3-AC0C-1FAB1D105C6E}"
File:"<$FILE_LIBRARY>","<$PROGRAMFILES>\PrivacyON\Onb.dll"
Directory:"<$DIR_PROG>","<$PROGRAMFILES>\PrivacyON"


// Rootkit.Agent:
// From a ComboFix log file
// See also here: http://www.superantispyware.com/malwarefiles/SEAGATE.SYS.html
// NOTE(review): this section uses NTFile rather than File for the driver, and only a file rule —
// no service/registry rule for it is given here. Confirm NTFile is the intended rule type for a
// .sys in <$SYSDIR>, and whether the source log shows a matching service entry worth adding.
NTFile:"<$FILE_LIBRARY>","<$SYSDIR>\seagate.sys"


// Rootkit.TDSS.4DW4R3:
// From a GMER log file, please forward to Roberto!
// The thread can be found here: http://forums.spybot.info/showthread.php?t=55939
// I already sent this to you a while ago; apparently you do not have it in full yet
// NOTE(review): no active rule is defined in this section — the GMER log below is evidence only.
// The driver and DLL names share the fixed prefix "4DW4R3" followed by a random-looking suffix
// (e.g. 4DW4R3YwXHrXILKV.sys, 4DW4R3MgpMGemqGQ.dll), so a file rule would need a wildcard on the
// suffix. The stable indicators in the log are the hidden service named 4DW4R3 and its
// Services\4DW4R3\{connections,injector,modules} subkeys. nvata.sys is reported as a "suspicious
// modification", not as a rootkit file — presumably a patched legitimate driver; confirm before
// treating it as a removable file.
// ---- Services - GMER 1.0.15 ----
// Service C:\WINDOWS\system32\drivers\4DW4R3YwXHrXILKV.sys (*** hidden *** ) [SYSTEM] 4DW4R3 <-- ROOTKIT !!!
// ---- Registry - GMER 1.0.15 ----
// Reg HKLM\SYSTEM\ControlSet001\Services\BTHPORT\Parameters\Keys\000272c1f699 (not active ControlSet)
// Reg HKLM\SYSTEM\ControlSet001\Services\BTHPORT\Parameters\Keys\000272c1f699@00149a18152a 0x55 0x47 0xB4 0x40 ...
// Reg HKLM\SYSTEM\CurrentControlSet\Services\4DW4R3
// Reg HKLM\SYSTEM\CurrentControlSet\Services\4DW4R3@start 1
// Reg HKLM\SYSTEM\CurrentControlSet\Services\4DW4R3@type 1
// Reg HKLM\SYSTEM\CurrentControlSet\Services\4DW4R3@group file system
// Reg HKLM\SYSTEM\CurrentControlSet\Services\4DW4R3@imagepath \systemroot\system32\drivers\4DW4R3YwXHrXILKV.sys
// Reg HKLM\SYSTEM\CurrentControlSet\Services\4DW4R3\connections
// Reg HKLM\SYSTEM\CurrentControlSet\Services\4DW4R3\connections@5bf3bc6c
// Reg HKLM\SYSTEM\CurrentControlSet\Services\4DW4R3\injector
// Reg HKLM\SYSTEM\CurrentControlSet\Services\4DW4R3\injector@* 4DW4R3c
// Reg HKLM\SYSTEM\CurrentControlSet\Services\4DW4R3\modules
// Reg HKLM\SYSTEM\CurrentControlSet\Services\4DW4R3\modules@4DW4R3 \\?\globalroot\systemroot\system32\drivers\4DW4R3YwXHrXILKV.sys
// Reg HKLM\SYSTEM\CurrentControlSet\Services\4DW4R3\modules@4DW4R3c \\?\globalroot\systemroot\system32\4DW4R3MgpMGemqGQ.dll
// Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\000272c1f699
// Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\000272c1f699@0019c0e65fc0 0x42 0x31 0x14 0x93 ...
// Reg HKLM\SYSTEM\ControlSet004\Services\4DW4R3 (not active ControlSet)
// Reg HKLM\SYSTEM\ControlSet004\Services\4DW4R3@start 1
// Reg HKLM\SYSTEM\ControlSet004\Services\4DW4R3@type 1
// Reg HKLM\SYSTEM\ControlSet004\Services\4DW4R3@group file system
// Reg HKLM\SYSTEM\ControlSet004\Services\4DW4R3@imagepath \systemroot\system32\drivers\4DW4R3YwXHrXILKV.sys
// Reg HKLM\SYSTEM\ControlSet004\Services\4DW4R3\connections (not active ControlSet)
// Reg HKLM\SYSTEM\ControlSet004\Services\4DW4R3\connections@5bf3bc6c
// Reg HKLM\SYSTEM\ControlSet004\Services\4DW4R3\injector (not active ControlSet)
// Reg HKLM\SYSTEM\ControlSet004\Services\4DW4R3\injector@* 4DW4R3c
// Reg HKLM\SYSTEM\ControlSet004\Services\4DW4R3\modules (not active ControlSet)
// Reg HKLM\SYSTEM\ControlSet004\Services\4DW4R3\modules@4DW4R3 \\?\globalroot\systemroot\system32\drivers\4DW4R3YwXHrXILKV.sys
// Reg HKLM\SYSTEM\ControlSet004\Services\4DW4R3\modules@4DW4R3c \\?\globalroot\systemroot\system32\4DW4R3MgpMGemqGQ.dll
// Reg HKLM\SYSTEM\ControlSet004\Services\BTHPORT\Parameters\Keys\000272c1f699 (not active ControlSet)
// Reg HKLM\SYSTEM\ControlSet004\Services\BTHPORT\Parameters\Keys\000272c1f699@0019c0e65fc0 0x42 0x31 0x14 0x93 ...
// ---- Files - GMER 1.0.15 ----
// File C:\WINDOWS\system32\4DW4R3c.dll 28160 bytes executable
// File C:\WINDOWS\system32\4DW4R3FaYXrQYcme.dll 28160 bytes executable
// File C:\WINDOWS\system32\4DW4R3iurLGmkwTv.dll 28160 bytes executable
// File C:\WINDOWS\system32\4DW4R3mFQdpiRTmq.dll 28160 bytes executable
// File C:\WINDOWS\system32\4DW4R3MgpMGemqGQ.dll 28160 bytes executable
// File C:\WINDOWS\system32\4DW4R3sv.dat 53 bytes
// File C:\WINDOWS\system32\4DW4R3tIXdRtQIIK.dll 28160 bytes executable
// File C:\WINDOWS\system32\drivers\4DW4R3.sys 46592 bytes executable
// File C:\WINDOWS\system32\drivers\4DW4R3BrNexObrmy.sys 46592 bytes executable
// File C:\WINDOWS\system32\drivers\4DW4R3BXyBchNoxg.sys 46592 bytes executable
// File C:\WINDOWS\system32\drivers\4DW4R3EnUHoQlgpb.sys 46592 bytes executable
// File C:\WINDOWS\system32\drivers\4DW4R3QRiaLfbekn.sys 46592 bytes executable
// File C:\WINDOWS\system32\drivers\4DW4R3tHqlWBRwIX.sys 46592 bytes executable
// File C:\WINDOWS\system32\drivers\4DW4R3vREbTVvLdj.sys 46592 bytes executable
// File C:\WINDOWS\system32\drivers\4DW4R3YwXHrXILKV.sys 46592 bytes executable <-- ROOTKIT !!!
// File C:\WINDOWS\system32\4DW4R3tJMiatoNHY.dll 28160 bytes executable
// File C:\WINDOWS\system32\4DW4R3UXJQpygTJk.dll 28160 bytes executable
// File C:\WINDOWS\Temp\4DW4R3bc6a 53 bytes
// File C:\WINDOWS\system32\drivers\nvata.sys suspicious modification
// ---- EOF - GMER 1.0.15 ----


// Rootkit.Unknown.WTime/Time:
// From a GMER log file, please forward to Roberto!
// NOTE(review): no active rule is defined in this section — the GMER log below is evidence only.
// Two hidden services are shown: "Time" (ImagePath C:\WINDOWS\System32\nlkfev7pzcfjnsxch.exe,
// Start 2) and "WTime" (ImagePath \??\C:\WINDOWS\System32\timedrv26.sys, Start 3). "Time" is also
// registered under SafeBoot\Minimal and SafeBoot\Network, so it would start in safe mode as well.
// Its DisplayName/Description copy the wording of the genuine Windows Time service (W32Time) — the
// service name and the random executable name in System32 are what distinguish it. The many other
// executables share one of five prefixes (mlsdf8h, nlkfev7, sklrr7y, dior4f4, cjnr4r4) with random
// suffixes and only two sizes (96800 and 87040 bytes); any file rule would need a prefix wildcard.
// ---- Processes - GMER 1.0.15 ----
// Process C:\WINDOWS\System32\nlkfev7pzcfjnsxch.exe (*** hidden *** ) 532
// Library C:\WINDOWS\System32\nlkfev7pzcfjnsxch.exe (*** hidden *** ) @ C:\WINDOWS\System32\nlkfev7pzcfjnsxch.exe [532] 0x00400000
// ---- Services - GMER 1.0.15 ----
// Service C:\WINDOWS\System32\nlkfev7pzcfjnsxch.exe (*** hidden *** ) [AUTO] Time <-- ROOTKIT !!!
// Service C:\WINDOWS\System32\timedrv26.sys (*** hidden *** ) [MANUAL] WTime <-- ROOTKIT !!!
// ---- Registry - GMER 1.0.15 ----
// Reg HKLM\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\Time (not active ControlSet)
// Reg HKLM\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\Time@ Service
// Reg HKLM\SYSTEM\ControlSet002\Control\SafeBoot\Network\Time (not active ControlSet)
// Reg HKLM\SYSTEM\ControlSet002\Control\SafeBoot\Network\Time@ Service
// Reg HKLM\SYSTEM\ControlSet002\Services\Time (not active ControlSet)
// Reg HKLM\SYSTEM\ControlSet002\Services\Time@Type 272
// Reg HKLM\SYSTEM\ControlSet002\Services\Time@Start 2
// Reg HKLM\SYSTEM\ControlSet002\Services\Time@ErrorControl 0
// Reg HKLM\SYSTEM\ControlSet002\Services\Time@ImagePath C:\WINDOWS\System32\nlkfev7pzcfjnsxch.exe
// Reg HKLM\SYSTEM\ControlSet002\Services\Time@DisplayName Time Service
// Reg HKLM\SYSTEM\ControlSet002\Services\Time@ObjectName LocalSystem
// Reg HKLM\SYSTEM\ControlSet002\Services\Time@Description Maintains date and time synchronization on all clients and servers in the network.
// Reg HKLM\SYSTEM\ControlSet002\Services\Time\Security (not active ControlSet)
// Reg HKLM\SYSTEM\ControlSet002\Services\Time\Security@Security 0x01 0x00 0x14 0x80 ...
// Reg HKLM\SYSTEM\ControlSet002\Services\WTime (not active ControlSet)
// Reg HKLM\SYSTEM\ControlSet002\Services\WTime@ErrorControl 0
// Reg HKLM\SYSTEM\ControlSet002\Services\WTime@ImagePath \??\C:\WINDOWS\System32\timedrv26.sys
// Reg HKLM\SYSTEM\ControlSet002\Services\WTime@Start 3
// Reg HKLM\SYSTEM\ControlSet002\Services\WTime@Type 1
// Reg HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Time
// Reg HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Time@ Service
// Reg HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Time
// Reg HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Time@ Service
// Reg HKLM\SYSTEM\CurrentControlSet\Services\Time
// Reg HKLM\SYSTEM\CurrentControlSet\Services\Time@Type 272
// Reg HKLM\SYSTEM\CurrentControlSet\Services\Time@Start 2
// Reg HKLM\SYSTEM\CurrentControlSet\Services\Time@ErrorControl 0
// Reg HKLM\SYSTEM\CurrentControlSet\Services\Time@ImagePath C:\WINDOWS\System32\nlkfev7pzcfjnsxch.exe
// Reg HKLM\SYSTEM\CurrentControlSet\Services\Time@DisplayName Time Service
// Reg HKLM\SYSTEM\CurrentControlSet\Services\Time@ObjectName LocalSystem
// Reg HKLM\SYSTEM\CurrentControlSet\Services\Time@Description Maintains date and time synchronization on all clients and servers in the network.
// Reg HKLM\SYSTEM\CurrentControlSet\Services\Time\Security
// Reg HKLM\SYSTEM\CurrentControlSet\Services\Time\Security@Security 0x01 0x00 0x14 0x80 ...
// Reg HKLM\SYSTEM\CurrentControlSet\Services\WTime
// Reg HKLM\SYSTEM\CurrentControlSet\Services\WTime@ErrorControl 0
// Reg HKLM\SYSTEM\CurrentControlSet\Services\WTime@ImagePath \??\C:\WINDOWS\System32\timedrv26.sys
// Reg HKLM\SYSTEM\CurrentControlSet\Services\WTime@Start 3
// Reg HKLM\SYSTEM\CurrentControlSet\Services\WTime@Type 1
// ---- Files - GMER 1.0.15 ----
// File C:\WINDOWS\system32\mlsdf8haknquydin.exe 96800 bytes
// File C:\WINDOWS\system32\mlsdf8hbeil.exe 87040 bytes executable
// File C:\WINDOWS\system32\mlsdf8hdowaeimrwc.exe 96800 bytes
// File C:\WINDOWS\system32\mlsdf8hrceimq.exe 96800 bytes
// File C:\WINDOWS\system32\mlsdf8hxbgikmo.exe 96800 bytes
// File C:\WINDOWS\system32\mlsdf8hxflps.exe 87040 bytes executable
// File C:\WINDOWS\system32\mlsdf8hyhkoswafkq.exe 96800 bytes
// File C:\WINDOWS\system32\nlkfev7dmqtxbg.exe 96800 bytes
// File C:\WINDOWS\system32\nlkfev7lvzcgkpt.exe 96800 bytes
// File C:\WINDOWS\system32\nlkfev7otzcgkpuze.exe 87040 bytes executable
// File C:\WINDOWS\system32\nlkfev7pwzdhl.exe 87040 bytes executable
// File C:\WINDOWS\system32\nlkfev7pzcfjnsxch.exe 96800 bytes <-- ROOTKIT !!!
// File C:\WINDOWS\system32\nlkfev7pzcgkosxci.exe 96800 bytes
// File C:\WINDOWS\system32\nlkfev7uxaeimqva.exe 87040 bytes executable
// File C:\WINDOWS\system32\nlkfev7weil.exe 96800 bytes
// File C:\WINDOWS\system32\sklrr7ygqtx.exe 96800 bytes
// File C:\WINDOWS\system32\sklrr7yilor.exe 87040 bytes executable
// File C:\WINDOWS\system32\sklrr7yilos.exe 87040 bytes executable
// File C:\WINDOWS\system32\sklrr7yiosvzdim.exe 87040 bytes executable
// File C:\WINDOWS\system32\sklrr7yknqtx.exe 87040 bytes executable
// File C:\WINDOWS\system32\sklrr7yluxbfjnsxd.exe 96800 bytes
// File C:\WINDOWS\system32\sklrr7yzcfjnrvaf.exe 87040 bytes executable
// File C:\WINDOWS\system32\timedrv26.sys 4352 bytes executable <-- ROOTKIT !!!
// File C:\WINDOWS\system32\dior4f4dmptxbfkp.exe 96800 bytes
// File C:\WINDOWS\system32\dior4f4filpsxbg.exe 87040 bytes executable
// File C:\WINDOWS\system32\dior4f4gknqu.exe 87040 bytes executable
// File C:\WINDOWS\system32\dior4f4gqtxafjo.exe 96800 bytes
// File C:\WINDOWS\system32\dior4f4szgjn.exe 96800 bytes
// File C:\WINDOWS\system32\cjnr4r4gnqu.exe 87040 bytes executable
// File C:\WINDOWS\system32\cjnr4r4isae.exe 96800 bytes
// File C:\WINDOWS\system32\cjnr4r4nrsuwyad.exe 87040 bytes executable
// File C:\WINDOWS\system32\cjnr4r4qtwaeimrwb.exe 87040 bytes executable
// File C:\WINDOWS\system32\cjnr4r4twzd.exe 87040 bytes executable
// File C:\WINDOWS\system32\cjnr4r4vfnruzd.exe 96800 bytes
// File C:\WINDOWS\system32\cjnr4r4wdhkosx.exe 87040 bytes executable
// File C:\WINDOWS\Temp\sklrr7y253238.exe 87552 bytes executable
// File C:\WINDOWS\Temp\cjnr4r43728920.exe 87552 bytes executable
// File C:\WINDOWS\Temp\dior4f4172096.exe 87552 bytes executable
// File C:\Documents and Settings\michelle\Local Settings\Temp\nlkfev78105707.exe 87552 bytes executable
// ---- EOF - GMER 1.0.15 ----
// The file timedrv26.sys is also detected by MBAM:
// Files Infected:
// C:\WINDOWS\system32\timedrv26.sys (Backdoor.HacDef) -> Quarantined and deleted successfully.


// Rootkit.Unknown.zzfxyg:
// From a GMER log file, please forward to Roberto!
// NOTE(review): no active rule is defined in this section — the GMER log below is evidence only.
// The log shows a hidden boot-start service "zzfxyg" (Type 1, Start 0, Group "Boot Bus Extender")
// in both the current and ControlSet005 hives, but no ImagePath value, so no file indicator can be
// taken from it. The BTHPORT key and the Group Policy Extension-List timestamps are probably ordinary
// system state that GMER listed alongside — verify before using them as indicators.
// ---- Services - GMER 1.0.15 ----
// Service (*** hidden *** ) [BOOT] zzfxyg <-- ROOTKIT !!!
// ---- Registry - GMER 1.0.15 ----
// Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0020e09b7c18
// Reg HKLM\SYSTEM\CurrentControlSet\Services\zzfxyg@Type 1
// Reg HKLM\SYSTEM\CurrentControlSet\Services\zzfxyg@Start 0
// Reg HKLM\SYSTEM\CurrentControlSet\Services\zzfxyg@ErrorControl 0
// Reg HKLM\SYSTEM\CurrentControlSet\Services\zzfxyg@Group Boot Bus Extender
// Reg HKLM\SYSTEM\ControlSet005\Services\BTHPORT\Parameters\Keys\0020e09b7c18 (not active ControlSet)
// Reg HKLM\SYSTEM\ControlSet005\Services\zzfxyg@Type 1
// Reg HKLM\SYSTEM\ControlSet005\Services\zzfxyg@Start 0
// Reg HKLM\SYSTEM\ControlSet005\Services\zzfxyg@ErrorControl 0
// Reg HKLM\SYSTEM\ControlSet005\Services\zzfxyg@Group Boot Bus Extender
// Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}@StartTimeLo -341829824
// Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}@StartTimeHi 30061950
// Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}@EndTimeLo -340828384
// Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}@EndTimeHi 30061950


// Spyware.Spynet:
// New path!
// The O4 lines show the "Policies" value under the Policies\Explorer\Run key of HKLM and HKCU.
// The "HKLM"/"HKCU" AutoRun rules are autorun values literally named "HKLM" and "HKCU" under
// the normal ...\CurrentVersion\Run key (see the RegyValue rules), not hive references.
// O4 - HKLM\..\Policies\Explorer\Run: [Policies] C:\dir\install\install\server.exe
// O4 - HKCU\..\Policies\Explorer\Run: [Policies] C:\dir\install\install\server.exe
AutoRun:"Policies","<$SYSDRIVE>\dir\install\install\server.exe","flagifnofile=1"
// AutoRun:"HKLM","C:\dir\install\install\server.exe","flagifnofile=1"
AutoRun:"HKLM","<$SYSDRIVE>\dir\install\install\server.exe","flagifnofile=1"
// AutoRun:"HKCU","C:\dir\install\install\server.exe","flagifnofile=1"
AutoRun:"HKCU","<$SYSDRIVE>\dir\install\install\server.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","HKLM"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","HKCU"
File:"<$FILE_EXE>","<$SYSDRIVE>\dir\install\install\server.exe"
// NOTE(review): only the innermost Directory rule is constrained with filename=server.exe; the two
// outer ones match the generic names <$SYSDRIVE>\dir\install and <$SYSDRIVE>\dir unconditionally —
// consider whether that is a false-positive risk on systems that legitimately have such a folder.
Directory:"<$DIR_PROG>","<$SYSDRIVE>\dir\install\install","filename=server.exe"
Directory:"<$DIR_PROG>","<$SYSDRIVE>\dir\install"
Directory:"<$DIR_PROG>","<$SYSDRIVE>\dir"


// Trojan.Agent(1):
// Name according to SuperAntiSpyware: http://www.superantispyware.com/malwarefiles/PR12.DLL.html
// Found here: http://forums.spybot.info/showthread.php?t=56003
// The "pr??.dll" pattern generalises the observed pr12.dll to any two characters after "pr";
// the same pattern is used for the AppInit_DLLs entry and the file.
// NOTE(review): the DLL is filed under <$FILE_WEBPAGE>, whereas every other DLL rule in this file
// uses <$FILE_LIBRARY> — confirm the category is intended.
// RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","c:\windows\system32\pr12.dll"
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\pr??.dll"
// File:"<$FILE_WEBPAGE>","c:\windows\system32\pr12.dll"
File:"<$FILE_WEBPAGE>","<$SYSDIR>\pr??.dll"


// Trojan.Agent(2):
// Please check, this one should already be known
// Note: the autorun value name is FIXED, as discussed!
// The "*.exe" path wildcard is only acceptable because each AutoRun rule is keyed on the fixed
// value name; the File rules keep the specific names win16.exe and r1s2a4h.exe.
// AutoRun:"asg984jgkfmgasi8ug98jgkfgfb","C:\Users\As\AppData\Local\Temp\win16.exe","flagifnofile=1"
AutoRun:"asg984jgkfmgasi8ug98jgkfgfb","<$LOCALAPPDATA>\Temp\*.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","asg984jgkfmgasi8ug98jgkfgfb"
// File:"<$FILE_EXE>","C:\Users\As\AppData\Local\Temp\win16.exe"
File:"<$FILE_EXE>","<$LOCALAPPDATA>\Temp\win16.exe"
// The following name is fixed as well, please include it; confirmed by numerous Google results
// NOTE(review): the original line below shows "r1s2a4h .exe" with a space before the extension,
// while the active File rule has none — probably a paste artifact, but verify against the log.
// AutoRun:"uishf9wuifwuh387fh3wufinhjfdwefe","C:\Users\As\appdata\local\temp\r1s2a4h .exe","flagifnofile=1"
AutoRun:"uishf9wuifwuh387fh3wufinhjfdwefe","<$LOCALAPPDATA>\temp\*.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","uishf9wuifwuh387fh3wufinhjfdwefe"
// File:"<$FILE_EXE>","C:\Users\As\appdata\local\temp\r1s2a4h.exe"
File:"<$FILE_EXE>","<$LOCALAPPDATA>\temp\r1s2a4h.exe"


// Trojan.Ambler:
// See also here: http://www.systemlookup.com/CLSID/67707-ijqwv45_dll.html
// Two BHOs registered under the same display name "Internet Explorer Plugin", told apart only by
// file name (ailg3.dll, ijqwv45.dll), each with its own CLSID. The file does not say which CLSID
// belongs to which DLL; the reference URL covers ijqwv45.dll.
BrowserHelperEx:"Internet Explorer Plugin","filename=ailg3.dll"
BrowserHelperEx:"Internet Explorer Plugin","filename=ijqwv45.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{6A793A3A-BD2D-4B07-AC02-5745FDF1A33B}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{6A793A3A-BD2D-4B07-AC02-5745FDF1A33B}"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{A1E88A88-9B9B-45D8-9CDC-39A934318E46}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{A1E88A88-9B9B-45D8-9CDC-39A934318E46}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\ailg3.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\ijqwv45.dll"


// Trojan.Banload:
// Autorun "Updater" launching an executable named explorer.exe from a non-standard "updater"
// subfolder of the system directory (not the genuine <$WINDIR>\explorer.exe).
// AutoRun:"Updater","C:\Windows\system32\updater\explorer.exe","flagifnofile=1"
AutoRun:"Updater","<$SYSDIR>\updater\explorer.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","Updater"
// File:"<$FILE_EXE>","C:\Windows\system32\updater\explorer.exe"
File:"<$FILE_EXE>","<$SYSDIR>\updater\explorer.exe"
// NOTE(review): the Directory rule points at <$PROGRAMFILES>\updater while the AutoRun and File
// rules above use <$SYSDIR>\updater — one of the two locations is probably wrong; confirm which
// folder the sample actually creates.
Directory:"<$DIR_PROG>","<$PROGRAMFILES>\updater","filename=explorer.exe"


// Trojan.Clicker:
// Name according to Kaspersky
// Please finally include this one; it occurs under SYSDIR and LOCALSETTINGS
// Confirmed here: http://www.threatexpert.com/report.aspx?md5=6d1e330bbc964534e79df2c86edfd80e
// NOTE(review): the AppInit_DLLs entry is given as the bare name "app_dll.dll", unlike the other
// AppInit rules in this file, which carry a full <$SYSDIR> path — confirm this matches the value as
// it is actually written to the registry by the sample.
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","app_dll.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\app_dll.dll"
File:"<$FILE_LIBRARY>","<$LOCALSETTINGS>\Temp\app_dll.dll"


// Trojan.FakeAlert.ttam(1):
// See here: http://www.prevx.com/filenames/3738047201388064363-X1/WINAWRCLS.DAT.html
// The BHO is loaded from a file with a .dat extension (winawrcls.dat), which is presumably why
// it is filed under <$FILE_DATA> rather than <$FILE_LIBRARY>.
BrowserHelperEx:"WinAWRCls","filename=winawrcls.dat"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{6079C124-AD20-40AF-BB9E-3BCED480A98F}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{6079C124-AD20-40AF-BB9E-3BCED480A98F}"
File:"<$FILE_DATA>","<$SYSDIR>\winawrcls.dat"


// Trojan.FakeAlert.ttam(2):
// See here: http://www.prevx.com/filenames/X518454969100203406-X1/DFSSHLEX32.DLL.html
// The file name appears to imitate a legitimate Windows component (GameUXLegacyGDFs.dll) with a
// "32" suffix; both rules target only the suffixed name, so the genuine file is not touched.
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\GameUXLegacyGDFs32.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\GameUXLegacyGDFs32.dll"


// Trojan.Fraudpack.BMIMZMHMFM:
// http://www.threatexpert.com/report.aspx?md5=6908ca4a50267e068c510c1a1ef09b07
// The AutoRun rule is keyed on the fixed value name; "???.exe" matches any three-character
// executable name in Temp (the observed one was Fql.exe, which the File rule names exactly).
// AutoRun:"BMIMZMHMFM","C:\Users\Elizabeth\AppData\Local\Temp\Fql.exe","flagifnofile=1"
AutoRun:"BMIMZMHMFM","<$LOCALAPPDATA>\Temp\???.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","BMIMZMHMFM"
// File:"<$FILE_EXE>","C:\Users\Elizabeth\AppData\Local\Temp\Fql.exe"
File:"<$FILE_EXE>","<$LOCALAPPDATA>\Temp\Fql.exe"


// Trojan.Fraudpack.ROUA3O12PW:
// See also here: http://www.systemlookup.com/Startup/21853-exe.html
// Same pattern as BMIMZMHMFM above: fixed autorun value name, "???.exe" wildcard for the target,
// and a File rule naming the observed file (msc.exe, which fits the three-character pattern).
// No original log line is recorded for this one.
AutoRun:"ROUA3O12PW","<$WINDIR>\???.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","ROUA3O12PW"
File:"<$FILE_EXE>","<$WINDIR>\msc.exe"


// Trojan.Netbus:
// The trailing "*" in "patch.exe*" lets the AutoRun rule match the command line with its
// "/nomsg" argument, as seen in the commented-out original; the File rule uses the bare path.
// AutoRun:"patch","c:\windows\patch.exe /nomsg","flagifnofile=1"
AutoRun:"patch","<$WINDIR>\patch.exe*","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","patch"
// File:"<$FILE_EXE>","c:\windows\patch.exe /nomsg"
File:"<$FILE_EXE>","<$WINDIR>\patch.exe"


// Trojan.Virtumonde(1):
// Three BHO variants, each registered with no fixed display name ("*"), identified by DLL name and
// CLSID; each CLSID is removed from the Browser Helper Objects list and from Classes\CLSID.
BrowserHelperEx:"*","filename=corpol32.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{01CB4D14-25E9-4B41-9391-D3154143A017}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{01CB4D14-25E9-4B41-9391-D3154143A017}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\corpol32.dll"

// The following entry is actually Trojan.Ertfor :-)
BrowserHelperEx:"*","filename=k22hrsjop.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{A3BA40A2-74F0-42BD-F434-00B15A2C8953}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{A3BA40A2-74F0-42BD-F434-00B15A2C8953}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\k22hrsjop.dll"
// And the associated O4 entry, whose autorun name is fixed!
// The original command line runs the DLL through rundll32.exe, so the path wildcard "*.dll*" is
// deliberately broad and relies entirely on the fixed value name "Remote System Protection".
// NOTE(review): the RegyValue rule for this autorun is commented out, unlike every other AutoRun
// entry in this file, which is paired with an active RegyValue — confirm the omission is intended.
// The File rule stays commented out because its path is a command line, not a file; the DLL itself
// is already covered by the k22hrsjop.dll File rule above.
// AutoRun:"Remote System Protection","rundll32.exe C:\windows\system32\k22hrsjop.dll, HUI_proc","flagifnofile=1"
AutoRun:"Remote System Protection","<$SYSDIR>\*.dll*","flagifnofile=1"
// RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","Remote System Protection"
// File:"<$FILE_EXE>","rundll32.exe C:\windows\system32\k22hrsjop.dll, HUI_proc"

BrowserHelperEx:"*","filename=iassvcs32.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{01E98BDA-2EC6-4E61-BA57-ECE6783951F8}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{01E98BDA-2EC6-4E61-BA57-ECE6783951F8}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\iassvcs32.dll"


// Trojan.Virtumonde(2):
// From a DDS log file
// Three .ini files and one DLL in <$SYSDIR>, all with the same eight-lowercase-letter random-looking
// name pattern; no registry or autorun indicator is given for this variant.
File:"<$FILE_CONFIGURATION>","<$SYSDIR>\adayufup.ini"
File:"<$FILE_CONFIGURATION>","<$SYSDIR>\ivahalak.ini"
File:"<$FILE_CONFIGURATION>","<$SYSDIR>\oyiladab.ini"
File:"<$FILE_LIBRARY>","<$SYSDIR>\tesawuzo.dll"