I've collected detection rules for the following malware:
  • Malware.Smitfraud
  • Spyware.AdRotator
  • Trojan.Agent(2)
  • Trojan.Agent.ddod
  • Trojan.FakeAlert.ttam
  • Trojan.Virtumonde(2)
Category: Trojan
Code:
:: New Malware v91
// Revision 1
// {Cat:Trojan}{Cnt:1}
// {Det:Matt,2010-03-23}


// Malware.Smitfraud:
// SharedTaskScheduler value "auras" carrying the CLSID below, plus a library in <$SYSDIR>
// (presumably the object registered under that CLSID).
// NOTE(review): unlike the BHO families further down, no <$REG_CLASSID> entry for
// {f0d4f88e-e1f8-460f-a41c-6cfb7f73af79} is listed here — confirm whether the registration
// under \SOFTWARE\Classes\CLSID\ should be covered as well.
RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","auras","auras={f0d4f88e-e1f8-460f-a41c-6cfb7f73af79}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\xskmoqx.dll"


// Spyware.AdRotator:
// Browser Helper Object "spicetraffic" (any .dll filename), its CLSID registration in both the
// BHO list and \SOFTWARE\Classes\CLSID\, and the GUID-named library in <$SYSDIR>.
BrowserHelperEx:"spicetraffic","filename=*.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{de585170-99d1-45b3-0172-0db4cfc87d3a}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{de585170-99d1-45b3-0172-0db4cfc87d3a}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\83c13d6c-1fa4-e069-f378-c18b8f950403.dll"


// Trojan.Agent(1):
// Consider whether the autostart name is random or not.
// I already sent you an exe file with the name explorar.exe not so long ago!
// Run value "svctt" launching explorar.exe (a name mimicking explorer.exe) from <$WINDIR>\config.
// The commented-out lines keep the literal path from the submitted log; the active lines use
// the <$WINDIR> placeholder instead of c:\windows.
// AutoRun:"svctt","c:\windows\config\explorar.exe","flagifnofile=1"
AutoRun:"svctt","<$WINDIR>\config\explorar.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","svctt"
// File:"<$FILE_EXE>","c:\windows\config\explorar.exe"
File:"<$FILE_EXE>","<$WINDIR>\config\explorar.exe"


// Trojan.Agent(2):
// Run value "services" pointing at a services.exe in the Windows root. The genuine services.exe
// lives in the System32 directory, so the <$WINDIR>\services.exe location is what sets this entry apart.
// AutoRun:"services","c:\windows\services.exe","flagifnofile=1"
AutoRun:"services","<$WINDIR>\services.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","services"
// File:"<$FILE_EXE>","c:\windows\services.exe"
File:"<$FILE_EXE>","<$WINDIR>\services.exe"


// Trojan.Agent.ddod:
// Run value with a random-looking name launching cmd.exe from the user's temp directory
// (log path in the commented-out line, generalised to <$LOCALSETTINGS>).
// NOTE(review): the active AutoRun pattern was widened to *.exe while the File: line still pins
// cmd.exe — confirm this is intended; presumably only the cmd.exe copy is removed when a
// differently named executable matches the autostart.
// AutoRun:"hsf87efjhdsf87f3jfsdi7fhsujfd","c:\docume~1\admini~1\locals~1\temp\cmd.exe","flagifnofile=1"
AutoRun:"hsf87efjhdsf87f3jfsdi7fhsujfd","<$LOCALSETTINGS>\temp\*.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","hsf87efjhdsf87f3jfsdi7fhsujfd"
// File:"<$FILE_EXE>","c:\docume~1\admini~1\locals~1\temp\cmd.exe"
File:"<$FILE_EXE>","<$LOCALSETTINGS>\temp\cmd.exe"


// Trojan.FakeAlert.ttam:
// Yet another odd entry; you really have to make sure you get hold of the files if you cannot add it this way ;-)
// The log shows rundll32.exe loading browsestoClient.dll with its DllInit entry point from a
// German-localised profile path. The active rule uses <$LOCALAPPDATA> and a trailing wildcard on
// the DLL path — presumably so the AutoRun pattern still matches the full rundll32 command line.
// AutoRun:"browsestoClient","rundll32.exe "C:\Dokumente und Einstellungen\cattivo\Lokale Einstellungen\Anwendungsdaten\browsestoClient\browsestoClient.dll", DllInit","flagifnofile=1"
AutoRun:"browsestoClient","<$LOCALAPPDATA>\browsestoClient\browsestoClient.dll*","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","browsestoClient"
// File:"<$FILE_EXE>","rundll32.exe "C:\Dokumente und Einstellungen\cattivo\Lokale Einstellungen\Anwendungsdaten\browsestoClient\browsestoClient.dll", DllInit"
File:"<$FILE_LIBRARY>","<$LOCALAPPDATA>\browsestoClient\browsestoClient.dll"
Directory:"<$DIR_APPDATA>","<$LOCALAPPDATA>\browsestoClient"


// Trojan.Virtumonde(1):
// Please also take care of the leftovers (O21), which Spybot could not remove!
// (O21 is the HijackThis section for ShellServiceObjectDelayLoad entries; those are covered further down.)
//
// Three BHO registrations; each pairs the BHO list entry, the CLSID registration and the library on disk.
BrowserHelperEx:"*","filename=audiode.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{85FB9DF4-5609-43BA-998B-3E32B2FF8FAF}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{85FB9DF4-5609-43BA-998B-3E32B2FF8FAF}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\audiode.dll"

BrowserHelperEx:"*","filename=zujimoru.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{d68753c6-5586-4f99-a4fd-bf1be4a64147}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{d68753c6-5586-4f99-a4fd-bf1be4a64147}"
File:"<$FILE_LIBRARY>","<$COMMONAPPDATA>\zujimoru\zujimoru.dll"
Directory:"<$DIR_COMMON_APPDATA>","<$COMMONAPPDATA>\zujimoru"

BrowserHelperEx:"*","filename=zaq8epcpea.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{A9BA40A1-74F1-52BD-F434-00B15A2C8953}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{A9BA40A1-74F1-52BD-F434-00B15A2C8953}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\zaq8epcpea.dll"

// Run entries launched through rundll32 (see the commented-out log lines). The active AutoRun
// lines use "*" as the value name and flagifnofile=0 while the RegyValue line pins the name.
// NOTE(review): the rest of this file uses flagifnofile=1 for AutoRun — confirm the intended flag here.
// AutoRun:"fediwejafu","Rundll32.exe "C:\ProgramData\fenozivi\fenozivi.dll",s","flagifnofile=1"
AutoRun:"*","<$COMMONAPPDATA>\fenozivi\fenozivi.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","fediwejafu"
// File:"<$FILE_EXE>","Rundll32.exe "C:\ProgramData\fenozivi\fenozivi.dll",s"
File:"<$FILE_LIBRARY>","<$COMMONAPPDATA>\fenozivi\fenozivi.dll"
Directory:"<$DIR_COMMON_APPDATA>","<$COMMONAPPDATA>\fenozivi"

// AutoRun:"fabufimig","Rundll32.exe "c:\windows\system32\herifolu.dll",a","flagifnofile=1"
AutoRun:"*","<$SYSDIR>\herifolu.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","fabufimig"
// File:"<$FILE_EXE>","Rundll32.exe "c:\windows\system32\herifolu.dll",a"
File:"<$FILE_LIBRARY>","<$SYSDIR>\herifolu.dll"

// The log gives yesakuno.dll without a path; the rule assumes <$SYSDIR>.
// AutoRun:"tiyumuloku","Rundll32.exe "yesakuno.dll",s","flagifnofile=1"
AutoRun:"*","<$SYSDIR>\yesakuno.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","tiyumuloku"
// File:"<$FILE_EXE>","Rundll32.exe "yesakuno.dll",s"
File:"<$FILE_LIBRARY>","<$SYSDIR>\yesakuno.dll"

// AppInit_DLLs entries (user32-based DLL injection), each paired with the library it names.
// Some values are stored as a bare filename (pzsxam.dll, vwrfir.dll, bclswv.dll, vahoremo.dll)
// rather than a full <$SYSDIR> path — presumably matching how the log recorded them; RegyRemove
// is expected to strip only that element from the value.
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\dsprpres32.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\dsprpres32.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","pzsxam.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\pzsxam.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","vwrfir.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\vwrfir.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","bclswv.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\bclswv.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\movulohu.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\movulohu.dll"

// luyemitu.dll is also referenced by the ShellServiceObjectDelayLoad and SharedTaskScheduler entries below.
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\luyemitu.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\luyemitu.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\tihaduza.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\tihaduza.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\notugaji.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\notugaji.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","vahoremo.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\vahoremo.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\zazovuba.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\zazovuba.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\wezunohi.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\wezunohi.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\fihidivi.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\fihidivi.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\dpvvox32.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\dpvvox32.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$COMMONAPPDATA>\bukekuja\bukekuja.dll"
File:"<$FILE_LIBRARY>","<$COMMONAPPDATA>\bukekuja\bukekuja.dll"

// Winlogon Notify packages; the DllName sub-value names the library listed on the next line.
// dsprpres32.dll is the same file already handled via AppInit_DLLs above.
RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\","b8ae2e09705","DllName=<$SYSDIR>\dsprpres32.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\dsprpres32.dll"

RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\","yaYqNGWm","DllName=<$SYSDIR>\yaYqNGWm.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\yaYqNGWm.dll"

// ShellServiceObjectDelayLoad (HijackThis O21) entries. Only the fozayajuj entry has a library
// listed here (luyemitu.dll); the remaining CLSIDs are removed by registry value alone.
RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","rirutetik","rirutetik={a7633869-a38f-4d6f-9a96-26201ffc0583}"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","fozayajuj","fozayajuj={1e006264-ef1e-4768-bb11-4347d16c04ca}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\luyemitu.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","gedojuyim","gedojuyim={081ebe6c-4278-4c94-92ce-df090d7a7d3b}"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","nopojihol","nopojihol={5b318ead-b2d0-445e-93e9-0aaeeb0b3c70}"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","pukufajeg","pukufajeg={727dccb5-9730-4865-9d78-24ddb79b7594}"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","kawijewus","kawijewus={9d80484b-7e74-48e2-b9d0-2b4329249ed3}"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","tepogikit","tepogikit={722cafa2-76d2-48f2-91bd-dc16e96ad4c8}"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","yoyitosin","yoyitosin={1a974a12-eb44-4e62-bddb-fef45bda1ec9}"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","judelitep","judelitep={aeb457a0-61b2-4e7c-8be6-273c01b3efeb}"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","tebleepez","tebleepez={dca2c872-2124-4dc0-85b4-bbd614a23700}"

// SharedTaskScheduler entries.
RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","jugezatag","jugezatag={356ce5a4-6712-46f1-b1f7-6e14a6277d0f}"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","tokatiluy","tokatiluy={ebfc5875-d980-4d88-80eb-0fc2f34bdbbc}"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","kupuhivus","kupuhivus={25578af4-921d-4e0f-98c6-7cd3ab2be0c2}"

// NOTE(review): the value name "jugezatag" appears a second time with a different CLSID;
// {1e006264-ef1e-4768-bb11-4347d16c04ca} is the CLSID of the fozayajuj SSODL entry above.
// Verify both jugezatag entries against the original log before shipping.
RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","jugezatag","jugezatag={1e006264-ef1e-4768-bb11-4347d16c04ca}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\luyemitu.dll"

// Same CLSID as the zaq8epcpea.dll BHO registration above; the library is listed again here.
RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","jsg9dgjisdogje94guiofjgd","jsg9dgjisdogje94guiofjgd={A9BA40A1-74F1-52BD-F434-00B15A2C8953}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\zaq8epcpea.dll"


// Trojan.Virtumonde(2):
// Loose library/executable names in <$SYSDIR> with no registry component.
// NOTE(review): habetosu.dll is listed twice, and yesakuno.dll is already covered by
// Trojan.Virtumonde(1) above — consider de-duplicating.
File:"<$FILE_LIBRARY>","<$SYSDIR>\dijuzihi.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\habetosu.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\gukevasi.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\desoyahi.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\fozusayo.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\habetosu.dll"
File:"<$FILE_EXE>","<$SYSDIR>\mesafari.exe"
File:"<$FILE_LIBRARY>","<$SYSDIR>\witeyaza.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\yesakuno.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\zumunope.dll"