I've collected detection rules for the following malware:
  • Adware.ChameleonTom
  • Malware.FakeAdobeUpdate
  • PUPS.GomSearch
  • Spyware.Marketscore.RelevantKnowledge
  • Spyware.Spynet
  • Trojan.FakeAlert.ttam
  • Trojan.Fraudpack
  • Trojan.Virtumonde(2)
Category: Trojan
Code:
:: New Malware v89
// Revision 1
// {Cat:Trojan}{Cnt:1}
// {Det:Matt,2010-03-21}
// Detection-rule submission. The sections below are grouped per family under a
// "// <Name>:" comment header; each section holds the proposed rule lines, and the
// commented-out "// AutoRun:" / "// File:" lines appear to be the raw entries as seen
// in the submitter's logs (they contain literal user-profile paths), kept for reference.
// NOTE(review): {Cnt:1} does not obviously correspond to the nine family sections that
// follow — presumably a count field; verify against the rule-file conventions.


// Adware.ChameleonTom:
// Constantly generates pop-ups with annoying advertising.
// See also: http://www.systemlookup.com/search.php?list=&type=clsid&search={75ED56AF-4DC9-4243-A30C-4EF4DD0CA28F}&s=
// Two BHO registrations (one matched by display name plus DLL name, one by display
// name with a wildcard DLL), their BHO and CLSID registry keys, two DLLs and the
// program directory.
// NOTE(review): the first BrowserHelperEx line names "wi4ie.dll" while the File line
// below names "wit4ie.dll" — one of the two is likely a transcription error; verify
// against the sample before shipping, otherwise one of the rules never matches.
BrowserHelperEx:"wit for ie","filename=wi4ie.dll"
BrowserHelperEx:"chameleontom","filename=*.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{75ED56AF-4DC9-4243-A30C-4EF4DD0CA28F}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{75ED56AF-4DC9-4243-A30C-4EF4DD0CA28F}"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{965f0970-d449-327f-881d-07335cc31647}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{965f0970-d449-327f-881d-07335cc31647}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\aVCE9MGWZ_LXph.dll"
File:"<$FILE_LIBRARY>","<$PROGRAMFILES>\ChameleonTom\wit4ie.dll"
Directory:"<$DIR_PROG>","<$PROGRAMFILES>\ChameleonTom"


// Malware.FakeAdobeUpdate:
// See also: http://forum.avira.de/wbb/index.php?page=Thread&threadID=108294
// Or here: http://forum.avira.com/wbb/index.php?page=Thread&threadID=108201
// Steals passwords.
// Persistence is an HKCU Run value "Getdo" that starts the ".dat" payload through
// rundll32 (raw log line below); the rule substitutes the <$APPDATA> placeholder for
// the literal user-profile path seen in the log.
// AutoRun:"Getdo","rundll32.exe "C:\Documents and Settings\Bob\Application Data\Adobe\Update\flacor.dat"","flagifnofile=1"
AutoRun:"Getdo","<$APPDATA>\Adobe\Update\flacor.dat","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","Getdo"
// File:"<$FILE_EXE>","rundll32.exe "C:\Documents and Settings\Bob\Application Data\Adobe\Update\flacor.dat""
// NOTE(review): the payload is loaded via rundll32 per the log line, so it is presumably
// a DLL despite the ".dat" extension; the rule classes it as <$FILE_DATA> rather than
// <$FILE_LIBRARY> — confirm which class is intended for this format.
File:"<$FILE_DATA>","<$APPDATA>\Adobe\Update\flacor.dat"


// PUPS.GomSearch:
// See also: http://www.systemlookup.com/search.php?type=clsid&search={375A6AB2-FEEC-445D-B853-2139FB561F80}&s=
// Three candidate BHO DLL names under the same display name "gsearch", the shared
// BHO/CLSID registry keys, the three DLL files and both directory levels (GomSearch
// and its parent GRETECH).
// NOTE(review): the Directory rule for <$PROGRAMFILES>\GRETECH covers the parent
// folder, which may be shared with other software from the same vendor — verify that
// removing the whole parent directory is intended.
BrowserHelperEx:"gsearch","filename=gsearch.dll"
BrowserHelperEx:"gsearch","filename=gsearch2.dll"
BrowserHelperEx:"gsearch","filename=ghelper.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{375A6AB2-FEEC-445D-B853-2139FB561F80}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{375A6AB2-FEEC-445D-B853-2139FB561F80}"
File:"<$FILE_LIBRARY>","<$PROGRAMFILES>\GRETECH\GomSearch\gsearch.dll"
File:"<$FILE_LIBRARY>","<$PROGRAMFILES>\GRETECH\GomSearch\gsearch2.dll"
File:"<$FILE_LIBRARY>","<$PROGRAMFILES>\GRETECH\GomSearch\ghelper.dll"
Directory:"<$DIR_PROG>","<$PROGRAMFILES>\GRETECH\GomSearch"
Directory:"<$DIR_PROG>","<$PROGRAMFILES>\GRETECH"


// Spyware.Marketscore.RelevantKnowledge:
// HKLM Run value "RelevantKnowledge" starting rlvknlg.exe with a "-boot" argument
// (raw log line below, taken from a host with a "program files (x86)" folder); the
// rule uses <$PROGRAMFILES> and a trailing "*" — presumably so the command-line
// argument still matches; verify the wildcard semantics for AutoRun paths.
// AutoRun:"RelevantKnowledge","c:\program files (x86)\relevantknowledge\rlvknlg.exe -boot","flagifnofile=1"
AutoRun:"RelevantKnowledge","<$PROGRAMFILES>\relevantknowledge\rlvknlg.exe*","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","RelevantKnowledge"
// File:"<$FILE_EXE>","c:\program files (x86)\relevantknowledge\rlvknlg.exe -boot"
File:"<$FILE_EXE>","<$PROGRAMFILES>\relevantknowledge\rlvknlg.exe"
Directory:"<$DIR_PROG>","<$PROGRAMFILES>\relevantknowledge"


// Spyware.Spynet:
// Raw log lines for the "[Policies]" Explorer Run entries (the "u"/"m" prefixes are
// presumably user- and machine-level — confirm against the log tool's notation):
// uExplorerRun: [Policies] c:\windows\system32\shellmgmt\shell.exe
// mExplorerRun: [Policies] c:\windows\system32\shellmgmt\shell.exe
// Three AutoRun rules point at the same executable: the "Policies" entry, plus Run
// values whose value *names* are literally "HKLM" and "HKCU" (see the RegyValue lines,
// which look the names up under the corresponding hives).
AutoRun:"Policies","<$SYSDIR>\shellmgmt\shell.exe","flagifnofile=1"
// AutoRun:"HKLM","c:\windows\system32\shellmgmt\shell.exe","flagifnofile=1"
AutoRun:"HKLM","<$SYSDIR>\shellmgmt\shell.exe","flagifnofile=1"
// AutoRun:"HKCU","c:\windows\system32\shellmgmt\shell.exe","flagifnofile=1"
AutoRun:"HKCU","<$SYSDIR>\shellmgmt\shell.exe","flagifnofile=1"
// NOTE(review): only the "HKLM" and "HKCU" Run values get a RegyValue rule; the
// "Policies" entry has no matching registry rule — confirm whether the AutoRun rule
// alone is meant to cover it.
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","HKLM"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","HKCU"
File:"<$FILE_EXE>","<$SYSDIR>\shellmgmt\shell.exe"
// Directory rule is qualified with filename=shell.exe so the folder is only flagged
// when the executable is present.
Directory:"<$DIR_PROG>","<$SYSDIR>\shellmgmt","filename=shell.exe"


// Trojan.FakeAlert.ttam:
// Unfortunately I have no file for you; maybe you already have one yourselves?
// Persistence via the AppInit_DLLs value: the RegyRemove rule names the
// "AirfoilInject3.dll" entry specifically (presumably so other entries in that value
// are left in place — confirm RegyRemove semantics), plus the DLL in the system
// directory. No sample was available, so the DLL rule is file-name based only.
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","AirfoilInject3.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\AirfoilInject3.dll"


// Trojan.Fraudpack:
// The file "sshnas21.dll" is the same one I sent you as a sample together with
// "Trojan.Fraudpack(1)".
// Hopefully you can include it now :-)
// First persistence: HKCU Run value "Canaveral" loading sshnas21.dll through rundll32
// with the export BackupReadW (raw log line below); the AutoRun and File rules carry a
// trailing "*" after the DLL name.
// AutoRun:"Canaveral","rundll32.exe C:\Windows\system32\sshnas21.dll,BackupReadW","flagifnofile=1"
AutoRun:"Canaveral","<$SYSDIR>\sshnas21.dll*","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","Canaveral"
// File:"<$FILE_EXE>","rundll32.exe C:\Windows\system32\sshnas21.dll,BackupReadW"
File:"<$FILE_LIBRARY>","<$SYSDIR>\sshnas21.dll*"
// Second persistence: HKCU Run value "YVIBBBHA8C" starting a three-letter-named .exe in
// the user's Temp folder (Ndh.exe and Pqh.exe seen in two different logs); the AutoRun
// rule uses "???.exe" to cover both, the File rules list the two names seen.
// AutoRun:"YVIBBBHA8C","C:\Users\Admin\AppData\Local\Temp\Ndh.exe","flagifnofile=1"
// AutoRun:"YVIBBBHA8C","C:\Users\Pieter\AppData\Local\Temp\Pqh.exe","flagifnofile=1"
// NOTE(review): the placeholder is written <LOCALAPPDATA> here and in the two File lines
// below, without the "$" that every other placeholder in this file uses (<$APPDATA>,
// <$SYSDIR>, ...). If the variable syntax requires the "$", these three rules never
// match — verify the correct variable name.
AutoRun:"YVIBBBHA8C","<LOCALAPPDATA>\Temp\???.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","YVIBBBHA8C"
// File:"<$FILE_EXE>","C:\Users\Admin\AppData\Local\Temp\Ndh.exe"
File:"<$FILE_EXE>","<LOCALAPPDATA>\Temp\Ndh.exe"
File:"<$FILE_EXE>","<LOCALAPPDATA>\Temp\Pqh.exe"


// Trojan.Virtumonde(1):
// NOTE(review): this section is not in the submission's cover list, which names only
// Trojan.Virtumonde(2) — confirm it is meant to be included.
// BHO with a wildcard display name for dsdmoprp32.dll, plus its BHO/CLSID keys and the
// DLL. The CLSID is written with mixed case ("...F8b") — confirm the matcher compares
// GUIDs case-insensitively, otherwise normalize it.
BrowserHelperEx:"*","filename=dsdmoprp32.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{045F53DE-48F1-4785-A306-62D3A5180F8b}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{045F53DE-48F1-4785-A306-62D3A5180F8b}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\dsdmoprp32.dll"

// Three rundll32-based HKLM Run values (hgfeffsys, ljkkiidrv, nowigirave; raw log
// lines below). The AutoRun rules use "*" as the value name and flagifnofile=0, unlike
// the flagifnofile=1 used everywhere else in this file — presumably intentional since
// the log lines reference the DLL by bare name; verify.
// AutoRun:"hgfeffsys","rundll32.exe "hgdebc.dll",DllRegisterServer","flagifnofile=1"
AutoRun:"*","<$SYSDIR>\hgdebc.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","hgfeffsys"
// File:"<$FILE_EXE>","rundll32.exe "hgdebc.dll",DllRegisterServer"
File:"<$FILE_LIBRARY>","<$SYSDIR>\hgdebc.dll"

// AutoRun:"ljkkiidrv","rundll32.exe "geeedb.dll",s","flagifnofile=1"
AutoRun:"*","<$SYSDIR>\geeedb.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","ljkkiidrv"
// File:"<$FILE_EXE>","rundll32.exe "geeedb.dll",s"
File:"<$FILE_LIBRARY>","<$SYSDIR>\geeedb.dll"

// AutoRun:"nowigirave","Rundll32.exe "C:\WINDOWS\system32\yoyorena.dll",s","flagifnofile=1"
AutoRun:"*","<$SYSDIR>\yoyorena.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","nowigirave"
// File:"<$FILE_EXE>","Rundll32.exe "C:\WINDOWS\system32\yoyorena.dll",s"
File:"<$FILE_LIBRARY>","<$SYSDIR>\yoyorena.dll"

// AppInit_DLLs entry vuzofafu.dll (entry-level RegyRemove, as in the FakeAlert.ttam
// section) plus the DLL itself.
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","vuzofafu.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\vuzofafu.dll"

// Winlogon Notify package: the key name seen in the log ("149250e6658", raw line
// below) was generalized to "*", leaving the DllName data as the discriminator.
// RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\","149250e6658","DllName=<$SYSDIR>\hhactivex32.dll"
RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\","*","DllName=<$SYSDIR>\hhactivex32.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\hhactivex32.dll"

// Nine Winlogon Notify packages named "__c<hex>", each pointing at a same-named .dat
// in the system directory; the key name is matched exactly here (no wildcard).
// NOTE(review): "__c008DAC" is one character shorter than the other eight names —
// possible transcription error; verify against the log.
RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\","__c0021985","DllName=<$SYSDIR>\__c0021985.dat"
File:"<$FILE_DATA>","<$SYSDIR>\__c0021985.dat"

RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\","__c003D391","DllName=<$SYSDIR>\__c003D391.dat"
File:"<$FILE_DATA>","<$SYSDIR>\__c003D391.dat"

RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\","__c005BDD6","DllName=<$SYSDIR>\__c005BDD6.dat"
File:"<$FILE_DATA>","<$SYSDIR>\__c005BDD6.dat"

RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\","__c0060224","DllName=<$SYSDIR>\__c0060224.dat"
File:"<$FILE_DATA>","<$SYSDIR>\__c0060224.dat"

RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\","__c008A04C","DllName=<$SYSDIR>\__c008A04C.dat"
File:"<$FILE_DATA>","<$SYSDIR>\__c008A04C.dat"

RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\","__c008DAC","DllName=<$SYSDIR>\__c008DAC.dat"
File:"<$FILE_DATA>","<$SYSDIR>\__c008DAC.dat"

RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\","__c00C5AE9","DllName=<$SYSDIR>\__c00C5AE9.dat"
File:"<$FILE_DATA>","<$SYSDIR>\__c00C5AE9.dat"

RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\","__c00DB4F1","DllName=<$SYSDIR>\__c00DB4F1.dat"
File:"<$FILE_DATA>","<$SYSDIR>\__c00DB4F1.dat"

RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\","__c00F8B7C","DllName=<$SYSDIR>\__c00F8B7C.dat"
File:"<$FILE_DATA>","<$SYSDIR>\__c00F8B7C.dat"


// Trojan.Virtumonde(2):
// From various log files.
// File-only rules: nine eight-letter lowercase DLL names in the system directory.
// NOTE(review): no registry or autorun rule accompanies these, so detection rests on
// the exact file name alone; a renamed copy of the same DLL is not covered.
File:"<$FILE_LIBRARY>","<$SYSDIR>\donikibi.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\dawesiye.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\gemuyisu.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\hobobamo.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\pesovafo.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\sesomowo.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\teliwoje.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\begadosi.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\hajigira.dll"