I've collected detection rules for the following Malware:
  • Adware.OneStep/SeekDNS
  • Adware.WhereSphere
  • Malware.Fraud.PersonalSecurity
  • Malware.Fraud.SecurityGuard
  • Malware.Fraud.SystemDefence
  • Malware.Fraud.Unkown
  • Security.Microsoft.Windows.RedirectedHosts
  • Trojan.Agent(6)
  • Trojan.Ambler
  • Trojan.Autorun
  • Trojan.FakeAlert.ttam(2)
  • Trojan.IRCBot
  • Trojan.Virtumonde(2)
Category: Trojan
Code:
:: New Malware v86
// Revision 1
// {Cat:Trojan}{Cnt:1}
// {Det:Matt,2010-03-18}
// NOTE(review): the {Cat:..}{Cnt:..}{Det:..} lines above look like engine-parsed header
// tags (category, count, detector/date — presumably) rather than free text; keep their
// exact format and confirm against the rule-set specification before editing them.


// Adware.OneStep/SeekDNS:
// See also: http://www.systemlookup.com/O23/5049-kwanzy121_exe_KWANZY_EXE.html
// NOTE(review): the reference above is an O23 (NT service) entry and "ImagePath" is a
// service-key value, yet both RegyKey rules below look under Explorer\SharedTaskScheduler.
// Confirm the key path — a service registration would live under
// HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ instead.
// Two ImagePath spellings are covered: a build with a three-character suffix
// (kwanzy???.exe, e.g. kwanzy121.exe as in the link) and the bare kwanzy.exe.
RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","Kwanzy Service","ImagePath=<$COMMONAPPDATA>\Kwanzy\kwanzy???.exe"
RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","Kwanzy Service","ImagePath=<$COMMONAPPDATA>\Kwanzy\kwanzy.exe"
// The binaries under the all-users application-data folder, same two name forms.
File:"<$FILE_EXE>","<$COMMONAPPDATA>\Kwanzy\kwanzy???.exe"
File:"<$FILE_EXE>","<$COMMONAPPDATA>\Kwanzy\kwanzy.exe"
// The Kwanzy folder itself.
Directory:"<$DIR_COMMON_APPDATA>","<$COMMONAPPDATA>\Kwanzy"


// Adware.WhereSphere:
// The commented-out lines keep the original log entries; the active rules replace the
// user-specific profile path with <$APPDATA>.
// NOTE(review): the commented-out originals carry the reporting user's account name;
// consider stripping it before the rules are published.
// AutoRun:"WhereSphere","C:\Documents and Settings\Erik Fowler\Application Data\WhereSphere\wheresphere.exe","flagifnofile=1"
AutoRun:"WhereSphere","<$APPDATA>\WhereSphere\wheresphere.exe","flagifnofile=1"
// HKCU Run value that launches it.
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","WhereSphere"
// File:"<$FILE_EXE>","C:\Documents and Settings\Erik Fowler\Application Data\WhereSphere\wheresphere.exe"
File:"<$FILE_EXE>","<$APPDATA>\WhereSphere\wheresphere.exe"
// The WhereSphere folder under the roaming profile.
Directory:"<$DIR_APPDATA>","<$APPDATA>\WhereSphere"


// Malware.Fraud.PersonalSecurity:
// New path! The log shows the rogue installed under "program files (x86)", i.e. on a
// 64-bit host; the active rules generalise that to <$PROGRAMFILES>.
// NOTE(review): confirm that <$PROGRAMFILES> also expands to the (x86) folder on 64-bit
// systems — otherwise this install location would be missed there.
// AutoRun:"PersonSecurity","c:\program files (x86)\personsecurity\psecurity.exe","flagifnofile=1"
AutoRun:"PersonSecurity","<$PROGRAMFILES>\personsecurity\psecurity.exe","flagifnofile=1"
// HKCU Run value (note the value name is "PersonSecurity", not "PersonalSecurity").
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","PersonSecurity"
// File:"<$FILE_EXE>","c:\program files (x86)\personsecurity\psecurity.exe"
File:"<$FILE_EXE>","<$PROGRAMFILES>\personsecurity\psecurity.exe"
// The install folder.
Directory:"<$DIR_PROG>","<$PROGRAMFILES>\personsecurity"


// Malware.Fraud.SecurityGuard:
// See the log file!
// The "345d567" folder and the "SG345d" prefix in the log look like a per-install random
// token, which is why the file/folder rules below use wildcards; the registry names that
// embed the token ("3", "SG345d.DocHostUIHandler") are pinned to this one sample.
// HKCU Run value.
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","Security Guard"
// HKEY_CURRENT_USER\Software\3
// NOTE(review): a bare key named "3" under HKCU\Software is a very short, non-specific
// name; confirm it is unique to this rogue before shipping, to avoid a false positive.
RegyKey:"<$REG_SETTINGS>",HKEY_CURRENT_USER,"\Software\","3"
// HKEY_CLASSES_ROOT\SG345d.DocHostUIHandler
// NOTE(review): this ProgID contains the random token; other installs will carry a
// different one. Presumably RegyKey does not support wildcards — confirm.
RegyKey:"<$REG_SETTINGS>",HKEY_CLASSES_ROOT,"\","SG345d.DocHostUIHandler"
// O4 - HKCU\..\Run: [Security Guard] "C:\Documents and Settings\All Users\Application Data\345d567\SG345d.exe" /s /d
// Wildcarded folder and executable name; the match is anchored on the fixed Run value
// name "Security Guard".
AutoRun:"Security Guard","<$COMMONAPPDATA>\*\SG*.exe","flagifnofile=1"
// Per-user data, configuration and shortcuts (these live under the roaming profile and
// the desktop/start-menu folders, not under the random ProgramData folder).
File:"<$FILE_DATA>","<$APPDATA>\Security Guard\cookies.sqlite"
File:"<$FILE_CONFIGURATION>","<$APPDATA>\Security Guard\Instructions.ini"
File:"<$FILE_DESKTOPLINK>","<$DESKTOP>\Security Guard.lnk"
File:"<$FILE_LINK>","<$STARTMENU>\Security Guard.lnk"
File:"<$FILE_LINK>","<$PROGRAMS>\Security Guard.lnk"
// c:\Documents and Settings\All Users\Application Data\345d567\SGD.ico"
File:"<$FILE_PICTURE>","<$COMMONAPPDATA>\*\SGD.ico"
Directory:"<$DIR_APPDATA>","<$APPDATA>\Security Guard"
// c:\Documents and Settings\All Users\Application Data\SGZIQYEXRD
// NOTE(review): the three Directory rules below pair <$DIR_APPDATA> with
// <$COMMONAPPDATA> paths, whereas the other sections use <$DIR_COMMON_APPDATA> for that
// root — confirm whether the DIR_* tag affects matching.
Directory:"<$DIR_APPDATA>","<$COMMONAPPDATA>\SG*","filename=vd*.bd"
// c:\Documents and Settings\All Users\Application Data\345d567\SGDSys
Directory:"<$DIR_APPDATA>","<$COMMONAPPDATA>\*\SGDSys"
// c:\Documents and Settings\All Users\Application Data\345d567
// NOTE(review): a fully wildcarded ProgramData sub-folder; presumably the filename=
// qualifier makes SGD.ico a required marker before the folder is matched — confirm,
// since otherwise this would match every folder under <$COMMONAPPDATA>.
Directory:"<$DIR_APPDATA>","<$COMMONAPPDATA>\*","filename=SGD.ico"


// Malware.Fraud.SystemDefence:
// The Run value launches a look-alike "smss.exe" from a ProgramData\Defence folder with
// a " -SystemDefence" argument; the trailing * in the AutoRun pattern absorbs that
// argument. The genuine smss.exe lives in the system directory, so the path is the
// discriminator — keep the File rule anchored to <$COMMONAPPDATA>\Defence.
// AutoRun:"Defence",""C:\ProgramData\Defence\smss.exe" -SystemDefence","flagifnofile=1"
AutoRun:"Defence","<$COMMONAPPDATA>\Defence\smss.exe*","flagifnofile=1"
// HKCU Run value.
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","Defence"
// File:"<$FILE_EXE>",""C:\ProgramData\Defence\smss.exe" -SystemDefence"
File:"<$FILE_EXE>","<$COMMONAPPDATA>\Defence\smss.exe"
// The folder; the filename= qualifier presumably restricts the match to a folder that
// still holds smss.exe — confirm.
Directory:"<$DIR_COMMON_APPDATA>","<$COMMONAPPDATA>\Defence","filename=smss.exe"


// Malware.Fraud.Unkown:
// (spelled "Unkown" in the post's summary list as well; presumably "Unknown" is intended)
// I know you need sample files for this.
// Please keep an eye out for it — you may soon have files for it yourselves.
// No active rules yet. The three log lines below (same creation second, attribute
// column "-HS-" — presumably hidden + system) are kept as the reference for when
// samples arrive:
// [2010/03/16 00:56:26 | 000,200,704 | -HS- | C] () -- C:\Users\Fred Meyer\AppData\Local\ave.exe
// [2010/03/16 00:56:26 | 000,010,054 | -HS- | C] () -- C:\Users\Fred Meyer\AppData\Local\21mn5E
// [2010/03/16 00:56:26 | 000,010,054 | -HS- | C] () -- C:\ProgramData\21mn5E


// Security.Microsoft.Windows.RedirectedHosts:
// Hosts-file entries (HijackThis-style O1 lines) that point a Microsoft host name and
// the aware-protect.com domain at 209.44.111.62. Documented only — there is no rule
// line in this revision, so nothing in this section is detected or cleaned yet.
// O1 - Hosts: 209.44.111.62 surety.microsoft.com
// O1 - Hosts: 209.44.111.62 aware-protect.com
// O1 - Hosts: 209.44.111.62 www.aware-protect.com


// Spyware.AdRotator:
// NOTE(review): this family is not in the summary list at the top of the post.
// The BHOs are matched by their registered name with any DLL file name, because the
// observed DLL names look randomly generated (see the two File rules below).
BrowserHelperEx:"flvdirect","filename=*.dll"
BrowserHelperEx:"gwprimawega","filename=*.dll"
// Each BHO's CLSID is covered in both the BHO registration list and the CLSID class key.
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{8a05acfe-999b-bd40-c2aa-108023127b52}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{8a05acfe-999b-bd40-c2aa-108023127b52}"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{5010cb38-c83f-e184-2157-c8d7de52a726}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{5010cb38-c83f-e184-2157-c8d7de52a726}"
// The two DLL names actually observed in the system directory.
File:"<$FILE_LIBRARY>","<$SYSDIR>\4N0omMK-.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\g_rGeD_K0Rg0S.dll"


// Trojan.Agent(1):
// Machine-wide (HKLM) Run entry for an "incognito.exe" dropped into the system directory.
// AutoRun:"incognito","C:\WINDOWS\system32\incognito.exe","flagifnofile=1"
AutoRun:"incognito","<$SYSDIR>\incognito.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","incognito"
// File:"<$FILE_EXE>","C:\WINDOWS\system32\incognito.exe"
File:"<$FILE_EXE>","<$SYSDIR>\incognito.exe"


// Trojan.Agent(2):
// Name according to Kaspersky
// See also: http://www.threatexpert.com/report.aspx?md5=3a86fe97f44a56b275b2cf3decc075b3
// Launched through RUNDLL32 with an export argument (",w"); the trailing * in the
// AutoRun pattern absorbs that argument. The payload is a DLL, hence <$FILE_LIBRARY>
// rather than the commented-out <$FILE_EXE> form that carried the whole command line.
// AutoRun:"MsWerr","RUNDLL32.EXE C:\Windows\system32\xm1985.dll,w","flagifnofile=1"
AutoRun:"MsWerr","<$SYSDIR>\xm1985.dll*","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","MsWerr"
// File:"<$FILE_EXE>","RUNDLL32.EXE C:\Windows\system32\xm1985.dll,w"
File:"<$FILE_LIBRARY>","<$SYSDIR>\xm1985.dll"


// Trojan.Agent(3):
// "Display Driver" Run entry pointing at an executable in the user's local Temp folder.
// AutoRun:"Display Driver","C:\Users\Paster\AppData\Local\Temp\dispdrv.exe","flagifnofile=1"
AutoRun:"Display Driver","<$LOCALAPPDATA>\Temp\dispdrv.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","Display Driver"
// File:"<$FILE_EXE>","C:\Users\Paster\AppData\Local\Temp\dispdrv.exe"
File:"<$FILE_EXE>","<$LOCALAPPDATA>\Temp\dispdrv.exe"


// Trojan.Agent(4):
// The executable name in the log (0.08403983946818949.exe) looks randomly generated, so
// the AutoRun target is wildcarded to any .exe in the user's Temp folder and no File
// rule is active; detection hinges on the fixed Run value name "Win32Update".
// NOTE(review): confirm the engine also removes the file referenced by a matched
// AutoRun entry — otherwise the dropped executable is left behind in this section.
// AutoRun:"Win32Update","C:\Users\JUSTIN~1\AppData\Local\Temp\0.08403983946818949.exe","flagifnofile=1"
AutoRun:"Win32Update","<$LOCALAPPDATA>\Temp\*.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","Win32Update"
// File:"<$FILE_EXE>","C:\Users\JUSTIN~1\AppData\Local\Temp\0.08403983946818949.exe"


// Trojan.Agent(5):
// An "lsass.exe" under the roaming profile (AppData\Roaming\Microsoft\Windows). The
// genuine lsass.exe resides in the system directory, so the path is what distinguishes
// the two — the File rule must stay anchored to <$APPDATA>.
// AutoRun:"Lsass Service","C:\Users\Justin yarborough\AppData\Roaming\Microsoft\Windows\lsass.exe","flagifnofile=1"
AutoRun:"Lsass Service","<$APPDATA>\Microsoft\Windows\lsass.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","Lsass Service"
// File:"<$FILE_EXE>","C:\Users\Justin yarborough\AppData\Roaming\Microsoft\Windows\lsass.exe"
File:"<$FILE_EXE>","<$APPDATA>\Microsoft\Windows\lsass.exe"


// Trojan.Agent(6):
// Autorun name and file name are fixed!
// See also: http://www.systemlookup.com/search.php?list=%26type=name%26search=SfKg6wIPuS%26s=
// Same roaming-profile location as Trojan.Agent(5), but with a fixed random-looking Run
// value name and file name, so no wildcards are needed here.
// AutoRun:"SfKg6wIPuS","C:\Documents and Settings\Erik Fowler\Application Data\Microsoft\Windows\oulwsv.exe","flagifnofile=1"
AutoRun:"SfKg6wIPuS","<$APPDATA>\Microsoft\Windows\oulwsv.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","SfKg6wIPuS"
// File:"<$FILE_EXE>","C:\Documents and Settings\Erik Fowler\Application Data\Microsoft\Windows\oulwsv.exe"
File:"<$FILE_EXE>","<$APPDATA>\Microsoft\Windows\oulwsv.exe"


// Trojan.Ambler:
// File names are fixed!
// See here: http://www.systemlookup.com/search.php?list=%26type=clsid%26search={8BFD4136-BF8E-4136-A6BF-62A538A82934}%26s=
// Both DLLs register as a BHO named "Internet Explorer Plugin" under the same CLSID;
// because that display name is generic, each BrowserHelperEx rule is pinned to a
// specific filename= rather than a wildcard.
BrowserHelperEx:"Internet Explorer Plugin","filename=bzhcwcio2.dll"
BrowserHelperEx:"Internet Explorer Plugin","filename=biooz90.dll"
// One CLSID for both variants, covered in the BHO list and the class key.
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{8BFD4136-BF8E-4136-A6BF-62A538A82934}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{8BFD4136-BF8E-4136-A6BF-62A538A82934}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\bzhcwcio2.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\biooz90.dll"


// Trojan.Autorun:
// Run entry with an empty value name launching KEYBOARD.exe from <$WINDIR>\system
// (the legacy "system" folder, not system32).
// NOTE(review): the RegyValue line is commented out, presumably because an empty value
// name cannot be addressed by this rule form — confirm; if the engine cannot clean it
// through the AutoRun match either, the Run value is left behind after the file is gone.
// AutoRun:"","C:\WINDOWS\system\KEYBOARD.exe","flagifnofile=1"
AutoRun:"","<$WINDIR>\system\KEYBOARD.exe","flagifnofile=1"
// RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\",""
// File:"<$FILE_EXE>","C:\WINDOWS\system\KEYBOARD.exe"
File:"<$FILE_EXE>","<$WINDIR>\system\KEYBOARD.exe"


// Trojan.FakeAlert.ttam(1):
// Winlogon UserInit hijack: the rogue path is appended after the legitimate
// "userinit.exe," (see the commented-out value). RegyRemove is used instead of the
// commented-out RegyValue so that only the appended path is stripped — deleting or
// replacing the whole UserInit value would break interactive logon. Presumably
// RegyRemove has substring semantics; confirm before shipping.
// RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\","UserInit","UserInit=userinit.exe,C:\WINDOWS\system32\scvhost\svchost.exe"
RegyRemove:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\","UserInit","<$SYSDIR>\scvhost\svchost.exe"
// The "scvhost" sub-folder is a look-alike of the system svchost.exe location; the File
// rule is anchored to that sub-folder, never to <$SYSDIR>\svchost.exe itself.
File:"<$FILE_EXE>","<$SYSDIR>\scvhost\svchost.exe"
// NOTE(review): <$DIR_PROG> is paired here with a <$SYSDIR> path, whereas other sections
// pair the DIR_* tag with the matching root — confirm whether the tag affects matching.
Directory:"<$DIR_PROG>","<$SYSDIR>\scvhost","filename=svchost.exe"


// Trojan.FakeAlert.ttam(2):
// Google doesn't return many results, but these are malicious entries.
// Two components: a DLL loaded through rundll32 from the local profile (the ", DllInit"
// argument is absorbed by the trailing *), and an executable under the roaming profile.
// AutoRun:"xplocalClient","rundll32.exe "C:\Users\a.kraemer\AppData\Local\xplocalClient\xplocalClient.dll", DllInit","flagifnofile=1"
AutoRun:"xplocalClient","<$LOCALAPPDATA>\xplocalClient\xplocalClient.dll*","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","xplocalClient"
// File:"<$FILE_EXE>","rundll32.exe "C:\Users\a.kraemer\AppData\Local\xplocalClient\xplocalClient.dll", DllInit"
File:"<$FILE_LIBRARY>","<$LOCALAPPDATA>\xplocalClient\xplocalClient.dll"
Directory:"<$DIR_APPDATA>","<$LOCALAPPDATA>\xplocalClient"
// AutoRun:"ntstream97","C:\Users\a.kraemer\AppData\Roaming\ntstream97\ntstream97.exe","flagifnofile=1"
AutoRun:"ntstream97","<$APPDATA>\ntstream97\ntstream97.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","ntstream97"
// File:"<$FILE_EXE>","C:\Users\a.kraemer\AppData\Roaming\ntstream97\ntstream97.exe"
File:"<$FILE_EXE>","<$APPDATA>\ntstream97\ntstream97.exe"
// NOTE(review): the AutoRun and File rules for ntstream97 resolve under <$APPDATA>
// (AppData\Roaming, as in the commented-out log line), but this Directory rule uses
// <$LOCALAPPDATA>; it will not match the logged folder — <$APPDATA>\ntstream97 was
// most likely intended.
Directory:"<$DIR_APPDATA>","<$LOCALAPPDATA>\ntstream97"


// Trojan.IRCBot:
// Three observed Run value names (HKLM), all launching the same WinBoot.exe from the
// system directory; a single File rule covers the binary.
AutoRun:"Windows Boot Process","<$SYSDIR>\WinBoot.exe","flagifnofile=1"
AutoRun:"Windows Boot","<$SYSDIR>\WinBoot.exe","flagifnofile=1"
AutoRun:"Windows Booter","<$SYSDIR>\WinBoot.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","Windows Boot Process"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","Windows Boot"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","Windows Booter"
File:"<$FILE_EXE>","<$SYSDIR>\WinBoot.exe"


// Trojan.Virtumonde(1):
// WARNING: Unusual path for Virtumonde in the O21/O22 entries!!!
// --- BHO variants ---
// The BHO display name is wildcarded ("*") and the match is keyed on filename=, since
// the DLL names are random-looking. Each CLSID is covered in the BHO list and the
// class key. Note the third DLL sits in <$WINDIR>, not <$SYSDIR>.
BrowserHelperEx:"*","filename=ek9pkl9h0i.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{a3ba40a2-74f0-42bd-f434-00b15a2c8953}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{a3ba40a2-74f0-42bd-f434-00b15a2c8953}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\ek9pkl9h0i.dll"

BrowserHelperEx:"*","filename=zavisomu.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{69949d07-aadb-4873-b3bf-84595f602f47}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{69949d07-aadb-4873-b3bf-84595f602f47}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\zavisomu.dll"

BrowserHelperEx:"*","filename=azusafuzawosa.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{697ab581-b493-05ea-e032-27f224e527e7}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{697ab581-b493-05ea-e032-27f224e527e7}"
File:"<$FILE_LIBRARY>","<$WINDIR>\azusafuzawosa.dll"

// --- rundll32-launched Run entries (Trojan.Virtumonde(1), continued) ---
// The Run value name is random per install, so the AutoRun rules use "*" for the name
// and key on the DLL path (trailing * absorbs the export argument). These use
// flagifnofile=0 rather than the flagifnofile=1 seen elsewhere in this file — presumably
// so that a wildcarded name only matches when the DLL actually exists; confirm.
// The RegyValue line in each group still names the value observed in the log.
// AutoRun:"mlmkhisys","rundll32.exe "hgdeeb.dll",DllRegisterServer","flagifnofile=1"
AutoRun:"*","<$SYSDIR>\hgdeeb.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","mlmkhisys"
// File:"<$FILE_EXE>","rundll32.exe "hgdeeb.dll",DllRegisterServer"
File:"<$FILE_LIBRARY>","<$SYSDIR>\hgdeeb.dll"

// AutoRun:"ddaabcdrv","rundll32.exe "ddawtq.dll",s","flagifnofile=1"
AutoRun:"*","<$SYSDIR>\ddawtq.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","ddaabcdrv"
// File:"<$FILE_EXE>","rundll32.exe "ddawtq.dll",s"
File:"<$FILE_LIBRARY>","<$SYSDIR>\ddawtq.dll"

// Second Run value name seen for the same hgdeeb.dll; the AutoRun and File lines
// repeat the first group verbatim and only the RegyValue differs (redundant but harmless,
// presumably).
// AutoRun:"pmnmllsys","rundll32.exe "hgdeeb.dll",DllRegisterServer","flagifnofile=1"
AutoRun:"*","<$SYSDIR>\hgdeeb.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","pmnmllsys"
// File:"<$FILE_EXE>","rundll32.exe "hgdeeb.dll",DllRegisterServer"
File:"<$FILE_LIBRARY>","<$SYSDIR>\hgdeeb.dll"

// yovasuji.dll also appears below in the AppInit_DLLs, ShellServiceObjectDelayLoad and
// SharedTaskScheduler groups.
// AutoRun:"legewivay","Rundll32.exe "c:\windows\system32\yovasuji.dll",a","flagifnofile=1"
AutoRun:"*","<$SYSDIR>\yovasuji.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","legewivay"
// File:"<$FILE_EXE>","Rundll32.exe "c:\windows\system32\yovasuji.dll",a"
File:"<$FILE_LIBRARY>","<$SYSDIR>\yovasuji.dll"

// This one lives directly in <$WINDIR>.
// AutoRun:"Etihosulizegos","rundll32.exe "c:\windows\ajoramiyaparo.dll",Startup","flagifnofile=1"
AutoRun:"*","<$WINDIR>\ajoramiyaparo.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","Etihosulizegos"
// File:"<$FILE_EXE>","rundll32.exe "c:\windows\ajoramiyaparo.dll",Startup"
File:"<$FILE_LIBRARY>","<$WINDIR>\ajoramiyaparo.dll"

// --- AppInit_DLLs entries (Trojan.Virtumonde(1), continued) ---
// RegyRemove strips only the named DLL from the AppInit_DLLs list — presumably substring
// semantics, as with the UserInit entry elsewhere in this file; confirm. Some entries
// use a bare file name and some a full <$SYSDIR> path, apparently mirroring how the
// value appeared in the respective log.
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","toyipivo.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\toyipivo.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","kipiheba.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\kipiheba.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\yovasuji.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\yovasuji.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","hupebogi.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\hupebogi.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\doriyubi.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\doriyubi.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","hihosove.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\hihosove.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\nanehutu.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\nanehutu.dll"

// --- Winlogon Notify packages (Trojan.Virtumonde(1), continued) ---
// Each notify sub-key is matched together with its DllName value; kxpdbyna is the only
// one whose DllName carried a full path in the log.
RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\","ddaba","DllName=ddaba.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\ddaba.dll"

RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\","DGR905","DllName=DGR905.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\DGR905.dll"

RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\","kxpdbyna","DllName=<$SYSDIR>\kxpdbyna.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\kxpdbyna.dll"

RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\","odcfguan","DllName=odcfguan.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\odcfguan.dll"

RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\","vtUKawww","DllName=vtUKawww.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\vtUKawww.dll"

// --- ShellServiceObjectDelayLoad entries (Trojan.Virtumonde(1), continued) ---
// Each value maps a random-looking name to a CLSID. Four distinct CLSIDs are all paired
// with pepupefe.dll — presumably one DLL registered under several names; confirm. The
// File rule for pepupefe.dll is therefore repeated (harmless, presumably).
RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","runuguyer","runuguyer={60dafdd0-c0a7-4702-8175-f02c8e06363d}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\pepupefe.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","vunopohek","vunopohek={d00010cb-3afd-4716-8bf3-8f2668003212}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\pepupefe.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","lepawaheb","lepawaheb={0f121f27-f661-4026-bbd6-5730682f482e}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\pepupefe.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","mohemavav","mohemavav={4a3ff5c1-faa3-4cd6-b03b-83ae9b5e26ae}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\pepupefe.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","punifihuj","punifihuj={225687a4-0f40-4d01-bc46-a6dd75bfb30d}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\yovasuji.dll"

// The next two values have no companion File rule — the backing DLL for these CLSIDs
// was not recorded on this page. Both CLSIDs reappear under SharedTaskScheduler below.
RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","nudidafah","nudidafah={de5e428d-a58d-4abe-a586-e7a9c0db4edd}"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","giriniyuy","giriniyuy={a17cb606-43bf-4cb5-a02e-b6d0b5bddbc5}"

// --- SharedTaskScheduler entries (Trojan.Virtumonde(1), continued) ---
// The value name "kupuhivus" was seen with four different CLSIDs (the four rules below
// that carry it), so each CLSID gets its own line. The first two entries have no
// companion File rule; their CLSIDs match the last two ShellServiceObjectDelayLoad
// values above, whose DLL was likewise not recorded.
RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","kupuhivus","kupuhivus={de5e428d-a58d-4abe-a586-e7a9c0db4edd}"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","gahurihor","gahurihor={a17cb606-43bf-4cb5-a02e-b6d0b5bddbc5}"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","kupuhivus","kupuhivus={225687a4-0f40-4d01-bc46-a6dd75bfb30d}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\yovasuji.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","kupuhivus","kupuhivus={60dafdd0-c0a7-4702-8175-f02c8e06363d}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\pepupefe.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","kupuhivus","kupuhivus={d00010cb-3afd-4716-8bf3-8f2668003212}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\pepupefe.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","mujuzedij","mujuzedij={0f121f27-f661-4026-bbd6-5730682f482e}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\pepupefe.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","jugezatag","jugezatag={4a3ff5c1-faa3-4cd6-b03b-83ae9b5e26ae}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\pepupefe.dll"

// Unusual form: the value name itself is the full DLL path (this is the "unusual path"
// flagged in the section's warning comment). The CLSID is the same one registered as a
// BHO for ek9pkl9h0i.dll at the top of this section.
RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","<$SYSDIR>\ek9pkl9h0i.dll","<$SYSDIR>\ek9pkl9h0i.dll={a3ba40a2-74f0-42bd-f434-00b15a2c8953}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\ek9pkl9h0i.dll"


// Trojan.Virtumonde(2):
// From a DDS log file:
// File-only entries — no registry component was recorded on this page, so any
// corresponding load point is not cleaned by this section.
File:"<$FILE_LIBRARY>","<$SYSDIR>\fugodalo.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\maweyeri.dll"
File:"<$FILE_EXE>","<$SYSDIR>\giviminu.exe"