:: New Malware v97
// Revision 1
// {Cat:Test}{Cnt:1}
// {Det:Matt,2010-04-05}
// Adware.Navi:
// Name per Kaspersky
// See also: http://www.systemlookup.com/CLSID/69080-vcredist_dll.html
// BHO matched on both its display name ("msiebr Class") and its file name.
// The file name mimics the Visual C++ redistributable (vcredist), so the
// display name and the CLSID rules below are what keep this rule specific.
BrowserHelperEx:"msiebr Class","filename=vcredist.dll"
// BHO registration and the matching COM class key share one CLSID.
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{6b844b04-34cb-4430-a3c3-9ad5f16a1b49}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{6b844b04-34cb-4430-a3c3-9ad5f16a1b49}"
// Payload DLL dropped in the system directory (<$SYSDIR> is presumably the
// resolved system32 path placeholder, as used throughout this file).
File:"<$FILE_LIBRARY>","<$SYSDIR>\vcredist.dll"
// Adware.Starware:
// See also: http://www.systemlookup.com/CLSID/3526-Starware_dll_Starware_dll_random_digit.html
// Two name variants are covered: "Starware???" (the ??? presumably stands for
// the random digit suffix the linked page describes) and plain "Starware".
// The BHO display name is wildcarded, so the file-name pattern carries the match.
BrowserHelperEx:"*","filename=Starware???.dll"
BrowserHelperEx:"*","filename=Starware.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{45A4902E-4479-4EAE-A186-8D0F7E4C78DE}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{45A4902E-4479-4EAE-A186-8D0F7E4C78DE}"
// Each file/directory rule below exists once per name variant; directories
// are listed deepest-first.
File:"<$FILE_LIBRARY>","<$PROGRAMFILES>\Starware???\bin\Starware???.dll"
File:"<$FILE_LIBRARY>","<$PROGRAMFILES>\Starware\bin\Starware.dll"
Directory:"<$DIR_PROG>","<$PROGRAMFILES>\Starware???\bin"
Directory:"<$DIR_PROG>","<$PROGRAMFILES>\Starware\bin"
Directory:"<$DIR_PROG>","<$PROGRAMFILES>\Starware???"
Directory:"<$DIR_PROG>","<$PROGRAMFILES>\Starware"
// Adware.TopBrowsing:
// See also: http://www.systemlookup.com/CLSID/3423-plugin_dll_plugin1_dll.html
// Deliberately generic naming: display name "BHO", files plugin.dll /
// plugin1.dll, install folder <$PROGRAMFILES>\BHO. Specificity comes from the
// combination with the CLSID rules below.
BrowserHelperEx:"BHO","filename=plugin.dll"
BrowserHelperEx:"BHO","filename=plugin1.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{9125F250-EB4F-49fe-AE17-C17665873A5C}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{9125F250-EB4F-49fe-AE17-C17665873A5C}"
File:"<$FILE_LIBRARY>","<$PROGRAMFILES>\BHO\plugin.dll"
File:"<$FILE_LIBRARY>","<$PROGRAMFILES>\BHO\plugin1.dll"
Directory:"<$DIR_PROG>","<$PROGRAMFILES>\BHO"
// Spyware.AdRotator:
// The dropped DLL name (see File rule below) looks randomly generated, hence
// the *.dll wildcard. NOTE(review): with the file name wildcarded, only the
// display name "everyflv" and the CLSID below distinguish this from a benign
// BHO -- keep both in place to avoid false positives.
BrowserHelperEx:"everyflv","filename=*.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{bb8d6a34-e2d6-8789-fd39-b6c24c2b1e36}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{bb8d6a34-e2d6-8789-fd39-b6c24c2b1e36}"
// Single observed sample name; other samples presumably use a different
// random name and are only caught via the BHO/CLSID rules above.
File:"<$FILE_LIBRARY>","<$SYSDIR>\N0x_cxlsSk9UHo.dll"
// Spyware.FakeAdobeUpdater:
// Original evidence from a German system (Dokumente und Einstellungen\<user>\
// Anwendungsdaten = Documents and Settings\<user>\Application Data; *** masks
// the user name). The live rules use <$APPDATA> so the match is locale- and
// user-independent. The binary hides in an Adobe-named folder.
// AutoRun:"mmplayer.exe","C:\Dokumente und Einstellungen\***\Anwendungsdaten\Adobe\mmplayer.exe","flagifnofile=1"
AutoRun:"mmplayer.exe","<$APPDATA>\Adobe\mmplayer.exe","flagifnofile=1"
// Run value named after the executable, cleaned from both hives.
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","mmplayer.exe"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","mmplayer.exe"
// File:"<$FILE_EXE>","C:\Dokumente und Einstellungen\***\Anwendungsdaten\Adobe\mmplayer.exe"
File:"<$FILE_EXE>","<$APPDATA>\Adobe\mmplayer.exe"
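// Spyware.Spynet:
// Original log evidence (HijackThis-style notation, presumably: u = per-user,
// m = per-machine). The dropper path names "cybergate" and poses as a Windows
// update under a generic "directory" folder on the system drive.
// uExplorerRun: [Policies] c:\directory\cybergate\windowsupdate\update.exe
// mExplorerRun: [Policies] c:\directory\cybergate\windowsupdate\update.exe
// flagifnofile=1 presumably keeps the autorun entry flagged even when the
// referenced file is already gone -- confirm against the rule reference.
AutoRun:"Policies","<$SYSDRIVE>\directory\cybergate\windowsupdate\update.exe","flagifnofile=1"
// AutoRun:"HKLM","c:\directory\cybergate\windowsupdate\update.exe","flagifnofile=1"
AutoRun:"HKLM","<$SYSDRIVE>\directory\cybergate\windowsupdate\update.exe","flagifnofile=1"
// AutoRun:"HKCU","c:\directory\cybergate\windowsupdate\update.exe","flagifnofile=1"
AutoRun:"HKCU","<$SYSDRIVE>\directory\cybergate\windowsupdate\update.exe","flagifnofile=1"
// The Run values are literally named "HKLM" and "HKCU". NOTE(review): the
// [Policies] entry from the log has no explicit RegyValue rule under
// ...\CurrentVersion\Policies\Explorer\Run\ -- confirm the AutoRun rule above
// covers that location.
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","HKLM"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","HKCU"
File:"<$FILE_EXE>","<$SYSDRIVE>\directory\cybergate\windowsupdate\update.exe"
// Directories listed deepest-first. FIX: the first entry was missing the
// opening "<" of the <$SYSDRIVE> placeholder ("$SYSDRIVE>\..."), so it could
// never have resolved to a real path and the folder was left behind.
// NOTE(review): "\directory" is a very generic name; whether Directory rules
// remove non-empty folders is not visible here -- confirm before relying on it.
Directory:"<$DIR_PROG>","<$SYSDRIVE>\directory\cybergate\windowsupdate"
Directory:"<$DIR_PROG>","<$SYSDRIVE>\directory\cybergate"
Directory:"<$DIR_PROG>","<$SYSDRIVE>\directory"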
// Trojan.Virtumonde(1):
// Two BHO DLLs with random 8-letter names; the display name is wildcarded and
// the file name plus CLSID pair identify each instance.
BrowserHelperEx:"*","filename=votojoye.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{7d111acb-ae8d-410d-b568-7b382bedd32f}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{7d111acb-ae8d-410d-b568-7b382bedd32f}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\votojoye.dll"
BrowserHelperEx:"*","filename=ziratuvi.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{65d2a1a1-6130-48b5-98bc-489135b78898}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{65d2a1a1-6130-48b5-98bc-489135b78898}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\ziratuvi.dll"
// Run-value persistence: each commented line is the observed Run value, which
// launches the DLL through Rundll32 with an export name (",s", ",a",
// ",Startup"). The live rules match on the DLL path with a trailing "*" --
// presumably so the export argument after the DLL name still matches -- and
// wildcard the value name because the names are random. The commented-out
// File:"<$FILE_EXE>" lines were the first attempt and would not have matched
// a path that starts with "Rundll32.exe".
// AutoRun:"wenibolafu","Rundll32.exe "yileduyu.dll",s","flagifnofile=1"
AutoRun:"*","<$SYSDIR>\yileduyu.dll*","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","wenibolafu"
// File:"<$FILE_EXE>","Rundll32.exe "yileduyu.dll",s"
File:"<$FILE_LIBRARY>","<$SYSDIR>\yileduyu.dll"
// AutoRun:"tikawitog","Rundll32.exe "c:\windows\system32\kunuteva.dll",a","flagifnofile=1"
AutoRun:"*","<$SYSDIR>\kunuteva.dll*","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","tikawitog"
// File:"<$FILE_EXE>","Rundll32.exe "c:\windows\system32\kunuteva.dll",a"
File:"<$FILE_LIBRARY>","<$SYSDIR>\kunuteva.dll"
// AutoRun:"rironedori","Rundll32.exe "yelesato.dll",s","flagifnofile=1"
AutoRun:"*","<$SYSDIR>\yelesato.dll*","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","rironedori"
// File:"<$FILE_EXE>","Rundll32.exe "yelesato.dll",s"
File:"<$FILE_LIBRARY>","<$SYSDIR>\yelesato.dll"
// This sample lived directly in the Windows directory (c:\windows), hence
// <$WINDIR> instead of <$SYSDIR>.
// AutoRun:"Fgisit","rundll32.exe "c:\windows\upayiyuk.dll",Startup","flagifnofile=1"
AutoRun:"*","<$WINDIR>\upayiyuk.dll*","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","Fgisit"
// File:"<$FILE_EXE>","rundll32.exe "c:\windows\upayiyuk.dll",Startup"
File:"<$FILE_LIBRARY>","<$WINDIR>\upayiyuk.dll"
// AutoRun:"kosekudod","Rundll32.exe "c:\windows\system32\hilemebu.dll",a","flagifnofile=1"
AutoRun:"*","<$SYSDIR>\hilemebu.dll*","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","kosekudod"
// File:"<$FILE_EXE>","Rundll32.exe "c:\windows\system32\hilemebu.dll",a"
File:"<$FILE_LIBRARY>","<$SYSDIR>\hilemebu.dll"
// AppInit_DLLs persistence (DLL injected into every process that loads
// user32). RegyRemove with a trailing entry argument presumably strips just
// that entry from the AppInit_DLLs list rather than deleting the whole value
// -- confirm against the rule reference. Entries are spelled the way the
// infection wrote them: some as a bare file name, some with the full
// <$SYSDIR> path; both forms must be kept for the removal to match.
// Several DLLs (kunuteva, hilemebu, nukiyofi) also appear in the Run and
// ShellServiceObjectDelayLoad rules; the File rule is repeated after each
// registry rule it belongs to.
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","rilalelu.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\rilalelu.dll"
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\kunuteva.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\kunuteva.dll"
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","suwumuwo.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\suwumuwo.dll"
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","lebobofu.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\lebobofu.dll"
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\nisinupo.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\nisinupo.dll"
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\nukiyofi.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\nukiyofi.dll"
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\hilemebu.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\hilemebu.dll"
// ShellServiceObjectDelayLoad and SharedTaskScheduler persistence: each value
// holds "name={CLSID}" and the same four CLSIDs are registered in both keys.
// CLSID-to-DLL mapping as recorded here: b742e234 -> kunuteva.dll,
// b4866378 -> habanuvo.dll, a3ab4004 -> nukiyofi.dll, 5ce86582 -> hilemebu.dll.
// NOTE(review): unlike the BHO rules above, none of these four CLSIDs has a
// RegyKey:"<$REG_CLASSID>" rule, so the COM class keys under
// HKLM\SOFTWARE\Classes\CLSID\ would be left orphaned -- confirm whether they
// should be added for each CLSID.
RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","siwijumum","siwijumum={b742e234-8a39-4c67-8794-e2661a914579}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\kunuteva.dll"
RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","zavumutah","zavumutah={b4866378-8491-41dc-81b0-fe31a632962d}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\habanuvo.dll"
RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","sojihofef","sojihofef={a3ab4004-aa82-48ba-a989-c68927c895a3}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\nukiyofi.dll"
RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","lekipibey","lekipibey={5ce86582-61be-4e39-906a-dd2bb411c2e6}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\hilemebu.dll"
// Same CLSIDs again under SharedTaskScheduler, with different value names.
RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","tokatiluy","tokatiluy={b4866378-8491-41dc-81b0-fe31a632962d}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\habanuvo.dll"
RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","jugezatag","jugezatag={a3ab4004-aa82-48ba-a989-c68927c895a3}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\nukiyofi.dll"
RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","mujuzedij","mujuzedij={5ce86582-61be-4e39-906a-dd2bb411c2e6}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\hilemebu.dll"
RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","gahurihor","gahurihor={b742e234-8a39-4c67-8794-e2661a914579}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\kunuteva.dll"
// Trojan.Virtumonde(2):
// File-only rules: additional random-named DLLs in the system directory for
// which no registry load point is recorded here. The .dll.tmp entries are
// classed as temp files (<$FILE_TEMP>), presumably staged copies left by the
// dropper -- confirm against the samples.
File:"<$FILE_LIBRARY>","<$SYSDIR>\gobewowi.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\gogemate.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\hejapive.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\kezamubu.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\vofehafi.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\wiruguri.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\zevihami.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\mogeviga.dll"
File:"<$FILE_TEMP>","<$SYSDIR>\nivubuti.dll.tmp"
File:"<$FILE_TEMP>","<$SYSDIR>\pevekane.dll.tmp"
File:"<$FILE_TEMP>","<$SYSDIR>\tikaziju.dll.tmp"