I've collected detection rules for the following Malware:
  • Malware.Lop
  • Spyware.AdRotator
  • Spyware.Spynet(2)
  • Trojan.Agent(3)
  • Trojan.Agent.syn
  • Trojan.FakeAlert.ttam(2)
  • Trojan.SpyEye
  • Trojan.Virtumonde(2)
  • Worm.Skipi
  • Worm.Solow
Category: Trojan
Code:
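:: New Malware v92
// Revision 1
// {Cat:Trojan}{Cnt:1}
// {Det:Matt,2010-03-25}
//
// Submitted detection rules. Each section keeps the startup / registry entry as it
// appeared in the user's log ("// AutoRun:..." / "// File:..." lines) for reference,
// followed by the generalised rule: the absolute path from the log is replaced by a
// <$...> placeholder so the rule matches regardless of drive letter, language or
// user name, and per-install random parts are replaced by "*".
// NOTE(review): the rundll32-style entries below use a "*" value name together with
// "flagifnofile=0"; presumably because the Run value's command line only names the
// DLL indirectly, so the match is made on the DLL path instead — confirm against the
// rule-language documentation before relying on that reading.


// Malware.Lop:
// Original log entry. The suffix after "Bore Send Send." presumably varies per
// install, hence the wildcard in the rule.
// AutoRun:"Drv Info",""C:\ProgramData\Bore Send Send.9nxmjdi","flagifnofile=1"
AutoRun:"Drv Info","<$COMMONAPPDATA>\Bore Send Send.*","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","Drv Info"
// File:"<$FILE_EXE>",""C:\ProgramData\Bore Send Send.9nxmjdi"
// The file has no .exe extension, so it is declared as <$FILE_DATA> rather than <$FILE_EXE>.
File:"<$FILE_DATA>","<$COMMONAPPDATA>\Bore Send Send.*"


// Spyware.AdRotator:
// Browser Helper Object: BHO registration and its CLSID class key share the same GUID;
// the DLL itself sits in the system directory under a randomised name.
BrowserHelperEx:"gwprimawega","filename=*.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{9eb89036-caa7-7df4-d729-76e50b084f88}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{9eb89036-caa7-7df4-d729-76e50b084f88}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\-cBlU4-z0.dll"


// Spyware.Spynet(1)
// Run values literally named "HKLM" and "HKCU", both pointing at a "Svchost.exe" in a
// Microsoft\ subfolder of the system directory. The legitimate svchost.exe lives in
// the system directory itself, so the subfolder is the distinguishing feature here.
// AutoRun:"HKLM","C:\Windows\System32\Microsoft\Svchost.exe","flagifnofile=1"
AutoRun:"HKLM","<$SYSDIR>\Microsoft\Svchost.exe","flagifnofile=1"
// AutoRun:"HKCU","C:\Windows\System32\Microsoft\Svchost.exe","flagifnofile=1"
AutoRun:"HKCU","<$SYSDIR>\Microsoft\Svchost.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","HKLM"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","HKCU"
File:"<$FILE_EXE>","<$SYSDIR>\Microsoft\Svchost.exe"


// Spyware.Spynet(2):
// I have Avira on my own machine too, but there is no Avira.exe under AppData\Roaming :-)
// As far as I know, AntiVir does not create an autostart entry named "HKCU" either ;-)
// NOTE(review): <$LOCALAPPDATA> is used elsewhere in this file for ...\AppData\Local, so
// <$APPDATA> may already resolve to ...\AppData\Roaming; if so, the explicit "\Roaming"
// below would double the segment and never match — TODO confirm the placeholder mapping.
// AutoRun:"HKCU","C:\Users\Toshiba_Notebook\AppData\Roaming\Avira\Avira.exe","flagifnofile=1"
AutoRun:"HKCU","<$APPDATA>\Roaming\Avira\Avira.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","HKCU"
// File:"<$FILE_EXE>","C:\Users\Toshiba_Notebook\AppData\Roaming\Avira\Avira.exe"
File:"<$FILE_EXE>","<$APPDATA>\Roaming\Avira\Avira.exe"
Directory:"<$DIR_APPDATA>","<$APPDATA>\Roaming\Avira","filename=Avira.exe"


// Trojan.Agent(1):
// See also: http://www.superantispyware.com/malwarefiles/WOW2010.DLL.html
// The Run value is a rundll32 command line loading wow2010.dll, so the rule matches on
// the DLL path with a wildcard value name rather than on "RUNDLL32.EXE ...".
// AutoRun:"aionbmp","RUNDLL32.EXE C:\WINDOWS\system32\wow2010.dll,w","flagifnofile=1"
AutoRun:"*","<$SYSDIR>\wow2010.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","aionbmp"
// File:"<$FILE_EXE>","RUNDLL32.EXE C:\WINDOWS\system32\wow2010.dll,w"
File:"<$FILE_LIBRARY>","<$SYSDIR>\wow2010.dll"


// Trojan.Agent(2):
// Both entries come from the same log file; they presumably belong together.
// Note the file name "scvhost.exe" (letters swapped) in the Windows directory, not the
// real svchost.exe in the system directory.
// AutoRun:"Windows Update","C:\Windows\scvhost.exe","flagifnofile=1"
AutoRun:"Windows Update","<$WINDIR>\scvhost.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","Windows Update"
// AutoRun:"AntiVir","C:\Windows\scvhost.exe","flagifnofile=1"
AutoRun:"AntiVir","<$WINDIR>\scvhost.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","AntiVir"
// File:"<$FILE_EXE>","C:\Windows\scvhost.exe"
File:"<$FILE_EXE>","<$WINDIR>\scvhost.exe"


// Trojan.Agent(3):
// See also: http://www.systemlookup.com/search.php?list=%26type=name%26search=cbssreg%26s=
// Not sure about the path...
// Winlogon Notify package "cbssreg"; the German "All Users\Dokumente" path from the log
// maps to <$COMMONDOCUMENTS>.
// RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\","cbssreg","DllName=C:\Dokumente und Einstellungen\All Users\Dokumente\Settings\cbss.dll"
RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\","cbssreg","DllName=<$COMMONDOCUMENTS>\Settings\cbss.dll"
File:"<$FILE_LIBRARY>","<$COMMONDOCUMENTS>\Settings\cbss.dll"
// Found the following autostart in the same log file; you could take that one over as well.
// The "imqo.tmp" folder name is presumably random, hence the wildcards below.
// AutoRun:"cbssreg","<$WINDIR>\TEMP\imqo.tmp\svchost.exe","flagifnofile=1"
AutoRun:"cbssreg","<$WINDIR>\TEMP\*\*.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","cbssreg"
// File:"<$FILE_EXE>","<$WINDIR>\TEMP\imqo.tmp\svchost.exe"
File:"<$FILE_EXE>","<$WINDIR>\TEMP\*.tmp\svchost.exe"
// Fixed: the placeholder was written "$WINDIR>" (missing the opening "<"), which would
// never have expanded, so the Directory rule could not match.
Directory:"<$DIR_PROG>","<$WINDIR>\TEMP\*.tmp","filename=svchost.exe"


// Trojan.Agent.syn:
// Seen in two locations in the logs: the system directory and the user's profile root.
// AutoRun:"SyncMan","C:\WINXP\system32\SyncMan.exe","flagifnofile=1"
AutoRun:"SyncMan","<$SYSDIR>\SyncMan.exe","flagifnofile=1"
// AutoRun:"SyncMan","C:\Dokumente und Einstellungen\Krainer\SyncMan.exe","flagifnofile=1"
AutoRun:"SyncMan","<$PROFILE>\SyncMan.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","SyncMan"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","SyncMan"
File:"<$FILE_EXE>","<$SYSDIR>\SyncMan.exe"
File:"<$FILE_EXE>","<$PROFILE>\SyncMan.exe"


// Trojan.FakeAlert.ttam(1):
// Just google it :-)
// The Winlogon "Shell" value has a rundll32 loader appended after "Explorer.exe".
// NOTE(review): RegyRemove is given only the appended part ("spwr.bjo *") so that, if
// RegyRemove strips just the matching portion, Explorer.exe stays as the shell — confirm
// RegyRemove semantics, since removing the whole value would leave the user without a shell.
// RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\","Shell","Shell=Explorer.exe rundll32.exe spwr.bjo gwgvj"
RegyRemove:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\","Shell","spwr.bjo *"
File:"<$FILE_DATA>","<$SYSDIR>\spwr.bjo"
// RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\","Shell","Shell=Explorer.exe rundll32.exe bfvf.bxo dompgam"
RegyRemove:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\","Shell","bfvf.bxo *"
File:"<$FILE_DATA>","<$SYSDIR>\bfvf.bxo"


// Trojan.FakeAlert.ttam(2):
// "we'd need files" ?  ;-)
// I sent you similar entries only recently; you'll have to find files for this.... or I will ^^
// Run value is a rundll32 command line; the rule matches on the DLL path with a trailing
// wildcard for the ", DllInit" argument.
// AutoRun:"deskwmd9","rundll32.exe "C:\Users\Sandra\AppData\Local\deskwmd9\deskwmd9.dll", DllInit","flagifnofile=1"
AutoRun:"deskwmd9","<$LOCALAPPDATA>\deskwmd9\deskwmd9.dll*","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","deskwmd9"
// File:"<$FILE_EXE>","rundll32.exe "C:\Users\Sandra\AppData\Local\deskwmd9\deskwmd9.dll", DllInit"
File:"<$FILE_LIBRARY>","<$LOCALAPPDATA>\deskwmd9\deskwmd9.dll"
Directory:"<$DIR_APPDATA>","<$LOCALAPPDATA>\deskwmd9"


// Trojan.SpyEye:
// See also: http://www.systemlookup.com/Startup/21400-cleansweep_exe.html
// The executable sits in a folder that is itself named "cleansweep.exe" in the drive root.
// AutoRun:"cleansweep.exe","C:\cleansweep.exe\cleansweep.exe","flagifnofile=1"
AutoRun:"cleansweep.exe","<$SYSDRIVE>\cleansweep.exe\cleansweep.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","cleansweep.exe"
// File:"<$FILE_EXE>","C:\cleansweep.exe\cleansweep.exe"
File:"<$FILE_EXE>","<$SYSDRIVE>\cleansweep.exe\cleansweep.exe"
Directory:"<$DIR_PROG>","<$SYSDRIVE>\cleansweep.exe"


// Trojan.Virtumonde(1):
// BHO registrations: each block is one BHO GUID plus the randomly named DLL in the
// system directory it was seen with.
BrowserHelperEx:"*","filename=wwlarxjn.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{0851BE75-A864-49AF-B32C-F459BC7FD764}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{0851BE75-A864-49AF-B32C-F459BC7FD764}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\wwlarxjn.dll"

BrowserHelperEx:"*","filename=tgszkov.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{936E20ED-7EE8-4DA2-B740-C7D94EC63EEA}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{936E20ED-7EE8-4DA2-B740-C7D94EC63EEA}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\tgszkov.dll"

BrowserHelperEx:"*","filename=grlj5u9hwd.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{A9BA40A1-74F1-52BD-F434-00B15A2C8953}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{A9BA40A1-74F1-52BD-F434-00B15A2C8953}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\grlj5u9hwd.dll"

BrowserHelperEx:"*","filename=sajijade.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{e27249f9-4e81-48f8-9bde-e4fb923dd67a}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{e27249f9-4e81-48f8-9bde-e4fb923dd67a}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\sajijade.dll"

BrowserHelperEx:"*","filename=fotahavi.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{6d8b6f20-84a6-4020-82f3-954bde68928a}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{6d8b6f20-84a6-4020-82f3-954bde68928a}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\fotahavi.dll"

BrowserHelperEx:"*","filename=miwaleju.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{539155a5-c5da-4ccd-ba67-e5a3172580df}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{539155a5-c5da-4ccd-ba67-e5a3172580df}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\miwaleju.dll"

// Run values that are rundll32 command lines. Some logs name the DLL without a path;
// the rules assume the system directory for those (flagged below where that is an assumption).
// AutoRun:"suwijeruke","Rundll32.exe "jemitawa.dll",s","flagifnofile=1"
// NOTE(review): the log gave no directory for jemitawa.dll; <$SYSDIR> is assumed.
AutoRun:"*","<$SYSDIR>\jemitawa.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","suwijeruke"
File:"<$FILE_LIBRARY>","<$SYSDIR>\jemitawa.dll"

// AutoRun:"yamuhitika","Rundll32.exe "rohaveri.dll",s","flagifnofile=1"
// NOTE(review): the log gave no directory for rohaveri.dll; <$SYSDIR> is assumed.
AutoRun:"*","<$SYSDIR>\rohaveri.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","yamuhitika"
File:"<$FILE_LIBRARY>","<$SYSDIR>\rohaveri.dll"

// AutoRun:"vowokiliw","Rundll32.exe "c:\windows\system32\yiruvisi.dll",a","flagifnofile=1"
AutoRun:"*","<$SYSDIR>\yiruvisi.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","vowokiliw"
File:"<$FILE_LIBRARY>","<$SYSDIR>\yiruvisi.dll"

// AutoRun:"Kpigopolo","rundll32.exe "C:\WINDOWS\aqilofos.dll",Startup","flagifnofile=1"
// This one lives in the Windows directory, not the system directory.
AutoRun:"*","<$WINDIR>\aqilofos.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","Kpigopolo"
File:"<$FILE_LIBRARY>","<$WINDIR>\aqilofos.dll"

// AutoRun:"mulikoyojo","Rundll32.exe "najowoku.dll",s","flagifnofile=1"
// NOTE(review): the log gave no directory for najowoku.dll; <$SYSDIR> is assumed.
AutoRun:"*","<$SYSDIR>\najowoku.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","mulikoyojo"
File:"<$FILE_LIBRARY>","<$SYSDIR>\najowoku.dll"

// AutoRun:"Ananu","rundll32.exe "C:\Users\Nick\AppData\Local\isoxuxabibidovug.dll",Startup  ","flagifnofile=1"
// Per-user variant: Run value in HKCU, DLL directly in the user's local AppData folder.
AutoRun:"*","<$LOCALAPPDATA>\isoxuxabibidovug.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","Ananu"
// File:"<$FILE_EXE>","rundll32.exe "C:\Users\Nick\AppData\Local\isoxuxabibidovug.dll",Startup  "
File:"<$FILE_LIBRARY>","<$LOCALAPPDATA>\isoxuxabibidovug.dll"

// AppInit_DLLs entries. The pattern is given exactly as the DLL was written into the
// value in the logs: bare file name for some, full <$SYSDIR> path for others.
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","modubelo.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\modubelo.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\kikuziru.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\kikuziru.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\suzezufu.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\suzezufu.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","nozojehe.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\nozojehe.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\yiruvisi.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\yiruvisi.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\rakulela.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\rakulela.dll"

// ShellServiceObjectDelayLoad and SharedTaskScheduler entries. The same two GUIDs
// ({cd5393da-...} and {bde76cc3-...}) appear under both keys.
// NOTE(review): the File lines pairing each GUID with kikuziru.dll / yiruvisi.dll /
// grlj5u9hwd.dll are an association made from the logs, not something the registry
// value itself states — confirm via the GUID's CLSID\InprocServer32 entry.
RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","lovisatog","lovisatog={cd5393da-26be-40d4-a0a2-0bb697adacad}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\kikuziru.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","latosodey","latosodey={bde76cc3-7339-4367-8cee-aec9caa51dc4}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\yiruvisi.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","tokatiluy","tokatiluy={bde76cc3-7339-4367-8cee-aec9caa51dc4}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\yiruvisi.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","jugezatag","jugezatag={cd5393da-26be-40d4-a0a2-0bb697adacad}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\kikuziru.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","jsg9dgjisdogje94guiofjgd","jsg9dgjisdogje94guiofjgd={A9BA40A1-74F1-52BD-F434-00B15A2C8953}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\grlj5u9hwd.dll"


// Trojan.Virtumonde(2):
// From a DDS log file. File-only entries: no startup or registry location was available.
// fotahavi.dll is already covered by the BHO block above; the duplicate is kept as given.
File:"<$FILE_LIBRARY>","<$SYSDIR>\fotahavi.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\mowotefe.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\layokete.dll"
File:"<$FILE_EXE>","<$SYSDIR>\puzowefo.exe"
File:"<$FILE_EXE>","<$SYSDIR>\riyutava.exe"


// Worm.Skipi:
// See also: http://www.systemlookup.com/search.php?list=%26type=name%26search=MsXSLT%26s=
// AutoRun:"MsXSLT","C:\WINDOWS\system32\msxslt3.exe","flagifnofile=1"
AutoRun:"MsXSLT","<$SYSDIR>\msxslt3.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","MsXSLT"
// File:"<$FILE_EXE>","C:\WINDOWS\system32\msxslt3.exe"
File:"<$FILE_EXE>","<$SYSDIR>\msxslt3.exe"


// Worm.Solow:
// See also: http://www.symantec.com/security_response/writeup.jsp?docid=2007-022116-1047-99%26tabid=2
// The startup target is a .vbs script despite the ".dll" in its name, so the File rule
// uses <$FILE_DATA> rather than <$FILE_EXE>.
// AutoRun:"FS6519","C:\WINDOWS\FS6519.dll.vbs","flagifnofile=1"
AutoRun:"FS6519","<$WINDIR>\FS6519.dll.vbs","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","FS6519"
// File:"<$FILE_EXE>","C:\WINDOWS\FS6519.dll.vbs"
File:"<$FILE_DATA>","<$WINDIR>\FS6519.dll.vbs"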