I've collected detection rules for the following malware:
  • Rootkit.TDSS
  • Spyware.AdRotator
  • Spyware.WurldMedia
  • Trojan.Agent(8)
  • Trojan.DelfInject
  • Trojan.FakeAlert.ttam
  • Trojan.Fraudpack(2)
  • Trojan.Virtumonde
Category: Trojan
Code:
:: New Malware v106
// Revision 1
// {Cat:Test}{Cnt:1}
// {Det:Matt,2010-04-29}
// Header of the rule set: the "::" line names the product the rules below belong to, the tagged
// comments carry category, count and detection author/date.  The syntax used throughout
// (RegyKey/RegyValue/RegyRemove, BrowserHelperEx, AutoRun, File, <$SYSDIR>-style variables)
// appears to be the Spybot S&D include-file format — presumably; confirm against the target engine.


// Rootkit.TDSS:
// Only the GMER log excerpt is recorded here; no rule lines follow for this family yet.
// The indicators a rule would have to cover are the hidden boot-start service "zcrgfi"
// (Type 1, Start 0, Group "Boot Bus Extender") and its service keys, which are present in
// both CurrentControlSet and ControlSet004 — a removal that touches only one control set
// would leave the other copy behind.
// ---- Services - GMER 1.0.15 ----
// Service (*** hidden *** ) [BOOT] zcrgfi <-- ROOTKIT !!!
// ---- Registry - GMER 1.0.15 ----
// Reg HKLM\SYSTEM\CurrentControlSet\Services\zcrgfi@Type 1
// Reg HKLM\SYSTEM\CurrentControlSet\Services\zcrgfi@Start 0
// Reg HKLM\SYSTEM\CurrentControlSet\Services\zcrgfi@ErrorControl 0
// Reg HKLM\SYSTEM\CurrentControlSet\Services\zcrgfi@Group Boot Bus Extender
// Reg HKLM\SYSTEM\CurrentControlSet\Services\zcrgfi@{d07dd28e-41cc-2465-b484-23c25500034a} 1
// Reg HKLM\SYSTEM\ControlSet004\Services\zcrgfi@Type 1
// Reg HKLM\SYSTEM\ControlSet004\Services\zcrgfi@Start 0
// Reg HKLM\SYSTEM\ControlSet004\Services\zcrgfi@ErrorControl 0
// Reg HKLM\SYSTEM\ControlSet004\Services\zcrgfi@Group Boot Bus Extender
// Reg HKLM\SYSTEM\ControlSet004\Services\zcrgfi@{d07dd28e-41cc-2465-b484-23c25500034a} 1


// Spyware.AdRotator:
// Do you already have all of these?
// Each stanza pairs a BHO display name (BrowserHelperEx, any .dll) with its BHO registration key and
// the matching CLSID key.  The CLSIDs are the stable part of the indicator; the DLL names are random.
BrowserHelperEx:"hotrevenue browser enhancer","filename=*.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{6236C5F4-56DE-C2DC-9C8C-7425D68F701D}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{6236C5F4-56DE-C2DC-9C8C-7425D68F701D}"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{794CE617-FCAC-A573-CD56-998FBACCA717}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{794CE617-FCAC-A573-CD56-998FBACCA717}"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{4A476809-1114-F9E8-11C3-EC2BB0C583F0}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{4A476809-1114-F9E8-11C3-EC2BB0C583F0}"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{c0745218-b667-f3f7-89ad-8848b9927739}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{c0745218-b667-f3f7-89ad-8848b9927739}"

// Trailing "*" in the BHO name: the display name carries a variable suffix in the samples.
BrowserHelperEx:"SmartAds browser enhancer *","filename=*.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{8B3372A1-56F5-4DFD-ABDB-5EAE64D295B5}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{8B3372A1-56F5-4DFD-ABDB-5EAE64D295B5}"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{04AA4301-228F-4408-AC60-385AAB02A1EE}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{04AA4301-228F-4408-AC60-385AAB02A1EE}"

BrowserHelperEx:"ezLife browser enhancer *","filename=*.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{5EFBB77D-E919-497A-8EB8-4A255B947383}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{5EFBB77D-E919-497A-8EB8-4A255B947383}"

BrowserHelperEx:"flvdome","filename=*.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{49348df7-5850-c5c4-dccc-903cba76298a}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{49348df7-5850-c5c4-dccc-903cba76298a}"

BrowserHelperEx:"profitizeme browser enhancer","filename=*.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{63ED7A48-B232-6C10-37B1-377BE0EBEE94}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{63ED7A48-B232-6C10-37B1-377BE0EBEE94}"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{3FD76F41-F21C-8284-84F8-A3A042036FF0}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{3FD76F41-F21C-8284-84F8-A3A042036FF0}"

BrowserHelperEx:"profitmuse","filename=*.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{674f50c1-9a35-da83-2e3c-dab029d1147d}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{674f50c1-9a35-da83-2e3c-dab029d1147d}"

BrowserHelperEx:"adHlpr Object","filename=*.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{0c21698b-11a0-4202-96fe-198d01082753}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{0c21698b-11a0-4202-96fe-198d01082753}"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{b57d74ae-d437-4412-a5a7-7a3971e8a1e8}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{b57d74ae-d437-4412-a5a7-7a3971e8a1e8}"

// Observed variants: a Run value named "ezLife" launching an 8-character random DLL through
// rundll32.  They are folded into the single wildcard rule that follows; the match is narrowed by
// the value name "ezLife", not by the DLL name, and flagifnofile=1 keeps the hit even when the
// DLL has already been removed.
// AutoRun:"ezLife","rundll32 "vrrymiex.dll",,Run","flagifnofile=1"
// AutoRun:"ezLife","rundll32 "eilbglco.dll",,Run","flagifnofile=1"
// AutoRun:"ezLife","rundll32 "atomdzty.dll",,Run","flagifnofile=1"
// AutoRun:"ezLife","rundll32 "tjvskwii.dll",,Run","flagifnofile=1"
// AutoRun:"ezLife","rundll32 "yfsvrcrb.dll",,Run","flagifnofile=1"
AutoRun:"ezLife","<$SYSDIR>\*.dll*","flagifnofile=1"
// NOTE(review): unlike the other AutoRun groups in this file there is no RegyValue entry removing
// the "ezLife" Run value (the samples above do not show the hive) — confirm whether one is needed.

// Dropped libraries seen with this family; the names are random, so these are exact matches only
// (atomdzty.dll is also one of the rundll32 variants above).
File:"<$FILE_LIBRARY>","<$SYSDIR>\gmeinxvapssqpgh.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\uercqahqxlsnae.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\kdmvnpscumexx.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\unpitdgmleom.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\omjjxlpq.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\yebkdlmo.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\3ed21ce5.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\fYRMWK-ADzy-iWJ.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\atomdzty.dll"


// Spyware.WurldMedia:
// Single BHO variant: display name "TChkBHO Class", its BHO/CLSID registration and the DLL in the
// system directory.
BrowserHelperEx:"TChkBHO Class","filename=*.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{9857724B-4011-4735-B7EC-67FEFCDDEEA8}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{9857724B-4011-4735-B7EC-67FEFCDDEEA8}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\zuplmavh.dll"


// Trojan.Agent(1):
// Winlogon UserInit hijack: the sample appended its own loader after the legitimate userinit.exe
// (observed value kept below for reference).
// RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\","UserInit","UserInit=userinit.exe,c:\windows\apppatch\smss.exe,"
// RegyRemove strips only the appended "<$WINDIR>\apppatch\smss.exe," fragment, so the legitimate
// userinit.exe entry stays in place; removing the whole UserInit value would presumably break logon.
RegyRemove:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\","UserInit","<$WINDIR>\apppatch\smss.exe,"
// The dropped file borrows the name of a system process (smss.exe); the apppatch location is what
// distinguishes it, so do not generalize this path.
File:"<$FILE_EXE>","<$WINDIR>\apppatch\smss.exe"


// Trojan.Agent(2):
// New variant of this one: http://www.systemlookup.com/Startup/21639-ex_08_exe.html
// Run value "sniffer" (HKLM) launching an executable from the Windows Temp directory; the file
// name is fixed in the samples, so no wildcard is used.
AutoRun:"sniffer","<$WINDIR>\Temp\_ex-08.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","sniffer"
File:"<$FILE_EXE>","<$WINDIR>\Temp\_ex-08.exe"


// Trojan.Agent(3):
// I think you already added the AutoRun "lsdefrag" once, but wasn't the associated file an exe?
// Here it is a .tmp... Please check.
// Observed entry (user-specific short path), generalized below to any .tmp in the profile's Temp
// directory; the Run value name "lsdefrag" is what narrows the wildcard.
// AutoRun:"lsdefrag","C:\DOCUME~1\EDDIER~1\LOCALS~1\Temp\sxwemcnaor.tmp","flagifnofile=1"
AutoRun:"lsdefrag","<$LOCALSETTINGS>\Temp\*.tmp","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","lsdefrag"
// The File entry stays disabled: the .tmp name is random, and a wildcard File rule in Temp would
// be too broad.
// File:"<$FILE_EXE>","C:\DOCUME~1\EDDIER~1\LOCALS~1\Temp\sxwemcnaor.tmp"


// Trojan.Agent(4):
// Observed entry: the executable hides in a RECYCLER subfolder whose name imitates a SID but
// starts with "X-1-5-21" instead of the "S-1-5-21" prefix of a real one.  The "*" below covers the
// per-machine folder name; the Run value name "WindowMessenger" narrows the match.
// AutoRun:"WindowMessenger","C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\WinSysApp.exe","flagifnofile=1"
AutoRun:"WindowMessenger","<$SYSDRIVE>\RECYCLER\*\WinSysApp.exe","flagifnofile=1"
// Both hives: the sample installs the Run value for the machine and for the user.
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","WindowMessenger"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","WindowMessenger"
// File:"<$FILE_EXE>","C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\WinSysApp.exe"
// Directory rule with a filename filter replaces the fixed-path File entry above: it matches any
// RECYCLER subfolder that contains WinSysApp.exe.
Directory:"<$DIR_PROG>","<$SYSDRIVE>\RECYCLER\*","filename=WinSysApp.exe"


// Trojan.Agent(5):
// Observed entry: random executable name in the user's local Temp directory, generalized to
// "*.exe"; the Run value name "Audio HD Driver" narrows the wildcard.
// AutoRun:"Audio HD Driver","C:\Users\DickEvil\AppData\Local\Temp\S7QyERHLSO4.exe","flagifnofile=1"
AutoRun:"Audio HD Driver","<$LOCALAPPDATA>\Temp\*.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","Audio HD Driver"
// File entry left disabled: the name is random and a wildcard File rule in Temp would be too broad.
// File:"<$FILE_EXE>","C:\Users\DickEvil\AppData\Local\Temp\S7QyERHLSO4.exe"


// Trojan.Agent(6):
// Please also see here: http://www.systemlookup.com/Startup/19519-callsysnt_exe.html
// Source is the HijackThis O4 line below: the entry lives under the Policies\Explorer\Run key
// (HKCU), not the ordinary Run key.
// O4 - HKCU\..\Policies\Explorer\Run: [settings] C:\Windows\callsysnt.exe
AutoRun:"settings","<$WINDIR>\callsysnt.exe","flagifnofile=1"
// NOTE(review): no RegyValue or File entry accompanies this AutoRun, unlike the other Agent
// stanzas — confirm whether AutoRun alone covers the policy Run key and whether a
// File:"<$FILE_EXE>","<$WINDIR>\callsysnt.exe" entry is wanted.


// Trojan.Agent(7):
// These occurred together!
// Two HKCU Run values, each launching an executable of the same name from the user's local Temp
// directory.  Unlike the other Temp stanzas the file names are kept exact here (not "*.exe").
// AutoRun:"sysmon64x.exe","C:\Users\Nate\AppData\Local\Temp\sysmon64x.exe","flagifnofile=1"
AutoRun:"sysmon64x.exe","<$LOCALAPPDATA>\Temp\sysmon64x.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","sysmon64x.exe"
// File:"<$FILE_EXE>","C:\Users\Nate\AppData\Local\Temp\sysmon64x.exe"
File:"<$FILE_EXE>","<$LOCALAPPDATA>\Temp\sysmon64x.exe"
// AutoRun:"davclnt.exe","C:\Users\Business\AppData\Local\Temp\davclnt.exe","flagifnofile=1"
AutoRun:"davclnt.exe","<$LOCALAPPDATA>\Temp\davclnt.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","davclnt.exe"
// File:"<$FILE_EXE>","C:\Users\Business\AppData\Local\Temp\davclnt.exe"
File:"<$FILE_EXE>","<$LOCALAPPDATA>\Temp\davclnt.exe"


// Trojan.Agent(8):
// You added similar entries recently; here are further variants of this trojan.
// Pattern shared by all four variants: an HKCU Run value with a Windows-Update-sounding name and
// an executable named win*n*.exe directly in the user profile root.  Each variant is listed
// exactly (value name + file name) rather than with a wildcard.
AutoRun:"Windows Update Manager","<$PROFILE>\winvcsn.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","Windows Update Manager"
File:"<$FILE_EXE>","<$PROFILE>\winvcsn.exe"

AutoRun:"Windows Service Manager","<$PROFILE>\winvsn.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","Windows Service Manager"
File:"<$FILE_EXE>","<$PROFILE>\winvsn.exe"

AutoRun:"Windows Update Services","<$PROFILE>\winsvn.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","Windows Update Services"
File:"<$FILE_EXE>","<$PROFILE>\winsvn.exe"

AutoRun:"WindowsUpdateControl","<$PROFILE>\winvsnc.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","WindowsUpdateControl"
File:"<$FILE_EXE>","<$PROFILE>\winvsnc.exe"


// Trojan.DelfInject:
// Run value "WinUpdMngr" in both hives launching dlll.exe (four letters, easily misread as
// dll.exe) from the user profile root.
AutoRun:"WinUpdMngr","<$PROFILE>\dlll.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","WinUpdMngr"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","WinUpdMngr"
File:"<$FILE_EXE>","<$PROFILE>\dlll.exe"


// Trojan.FakeAlert.ttam:
// Yet another odd one... ^^ Do you have files for it? :-)
// Observed entry: rundll32 loading browserpcGlade.dll with export "DllInit".  Note the path: it is
// the *system profile* (system32\config\systemprofile\...) with German folder names, i.e. the
// local application data of the SYSTEM account, not of an interactive user.
// AutoRun:"browserpcGlade","rundll32.exe "C:\WINDOWS\system32\config\systemprofile\Lokale Einstellungen\Anwendungsdaten\browserpcGlade\browserpcGlade.dll", DllInit","flagifnofile=1"
// The trailing "*" lets the pattern match the export argument after the DLL name.
AutoRun:"browserpcGlade","<$LOCALAPPDATA>\browserpcGlade\browserpcGlade.dll*","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","browserpcGlade"
// NOTE(review): <$LOCALAPPDATA> presumably expands to the scanning user's profile, whereas the
// sample sat in the systemprofile folder — confirm the generalized File/Directory entries below
// still reach that location, or add the systemprofile path explicitly.
// File:"<$FILE_EXE>","rundll32.exe "C:\WINDOWS\system32\config\systemprofile\Lokale Einstellungen\Anwendungsdaten\browserpcGlade\browserpcGlade.dll", DllInit"
File:"<$FILE_LIBRARY>","<$LOCALAPPDATA>\browserpcGlade\browserpcGlade.dll"
Directory:"<$DIR_PROG>","<$LOCALAPPDATA>\browserpcGlade"


// Trojan.Fraudpack(1):
// Observed entry: random executable in the user's local Temp directory under a random
// 10-character Run value name.  The value name is the constant here, so the same AutoRun is
// listed for the three Temp locations (Vista+ local AppData, XP Local Settings, Windows Temp)
// with an "*.exe" wildcard.
// AutoRun:"QZAIB7KITK","C:\Users\***\AppData\Local\Temp\Qds.exe","flagifnofile=1"
AutoRun:"QZAIB7KITK","<$LOCALAPPDATA>\Temp\*.exe","flagifnofile=1"
AutoRun:"QZAIB7KITK","<$LOCALSETTINGS>\Temp\*.exe","flagifnofile=1"
AutoRun:"QZAIB7KITK","<$WINDIR>\Temp\*.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","QZAIB7KITK"
// File entry left disabled: the executable name is random.
// File:"<$FILE_EXE>","C:\Users\***\AppData\Local\Temp\Qds.exe"


// Trojan.Fraudpack(2):
// Same layout as Fraudpack(1) with a different random Run value name.  Note the sample's file
// name "xrx .exe" contains a space before the extension, which the "*.exe" wildcard still covers.
// AutoRun:"YVIBBBHA8C","C:\Users\Nate\APPDATA\LOCAL\TEMP\xrx .exe","flagifnofile=1"
AutoRun:"YVIBBBHA8C","<$LOCALAPPDATA>\TEMP\*.exe","flagifnofile=1"
AutoRun:"YVIBBBHA8C","<$LOCALSETTINGS>\Temp\*.exe","flagifnofile=1"
AutoRun:"YVIBBBHA8C","<$WINDIR>\Temp\*.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","YVIBBBHA8C"
// File entry left disabled: the executable name is random.
// File:"<$FILE_EXE>","C:\Users\Nate\APPDATA\LOCAL\TEMP\xrx .exe"


// Trojan.Virtumonde:
// BHO variants.  In contrast to the AdRotator stanzas the BHO display name is wildcarded ("*") and
// the match is made on the DLL file name instead, paired with the BHO/CLSID registration keys and
// the library in the system directory.
BrowserHelperEx:"*","filename=pmkji.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{09FA5A40-F7CA-45EE-BB5C-DC64F7CAE130}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{09FA5A40-F7CA-45EE-BB5C-DC64F7CAE130}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\pmkji.dll"

BrowserHelperEx:"*","filename=jogejase.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{2ac897b5-ba2a-4e30-bddd-adc78b801312}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{2ac897b5-ba2a-4e30-bddd-adc78b801312}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\jogejase.dll"

BrowserHelperEx:"*","filename=amfqjrq.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{17B0F356-2D65-4F81-8EBE-A0E3FD306BCF}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{17B0F356-2D65-4F81-8EBE-A0E3FD306BCF}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\amfqjrq.dll"

// CLSID {A2BA40A0-74F1-52BD-F411-00B15A2C8953} is shared by this variant, the next one and the
// SharedTaskScheduler entries further down: the CLSID is the stable indicator across the random
// DLL names.  The RegyKey pair of the next stanza therefore duplicates this one (harmless).
BrowserHelperEx:"*","filename=kvpn0tj72v.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{A2BA40A0-74F1-52BD-F411-00B15A2C8953}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{A2BA40A0-74F1-52BD-F411-00B15A2C8953}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\kvpn0tj72v.dll"

BrowserHelperEx:"*","filename=ep8h80ikt.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{A2BA40A0-74F1-52BD-F411-00B15A2C8953}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{A2BA40A0-74F1-52BD-F411-00B15A2C8953}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\ep8h80ikt.dll"

// NOTE(review): this CLSID ends in mixed case ("15Ff"); registry key names are case-insensitive,
// so it should still match, but normalizing it to upper case would keep the file consistent.
BrowserHelperEx:"*","filename=ctl3dv232.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{01443D17-503A-4537-94CD-3C372FEF15Ff}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{01443D17-503A-4537-94CD-3C372FEF15Ff}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\ctl3dv232.dll"

// The same library (jidewojo.dll) also appears as a rundll32 Run entry further down.
BrowserHelperEx:"*","filename=JIDEWOJO.DLL"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{e623ff84-bca2-469e-aa59-730c17858d4b}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{e623ff84-bca2-469e-aa59-730c17858d4b}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\JIDEWOJO.DLL"

// Names such as ctl3dv232.dll and asycfilt32.dll imitate legitimate system libraries with a "32"
// suffix; match on the exact name, not on a prefix.
BrowserHelperEx:"*","filename=asycfilt32.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{016122F4-D6AD-432C-AFA1-B0E93490F2F3}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{016122F4-D6AD-432C-AFA1-B0E93490F2F3}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\asycfilt32.dll"

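// Run value "kvbrck" (HKLM) loading msmxlxxq.dll through rundll32.  The AutoRun name is
// wildcarded, so flagifnofile=0 presumably limits the hit to systems where the DLL is actually
// present (same convention as the other rundll32 stanzas in this family); the trailing "*" on the
// path lets the pattern cover the export argument that follows the DLL name.
AutoRun:"*","<$SYSDIR>\msmxlxxq.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","kvbrck"
// Fixed: the File path carried a stray ",w" suffix (apparently a leftover of the rundll32 argument),
// which no file on disk would match; the library is msmxlxxq.dll, as in the AutoRun line.
File:"<$FILE_LIBRARY>","<$SYSDIR>\msmxlxxq.dll"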

// rundll32 Run entries.  Each stanza keeps the observed line for reference, then a generalized
// AutoRun with the value name wildcarded ("*"), the RegyValue that removes the named Run value,
// and the library.  flagifnofile=0 on the wildcard entries presumably requires the DLL to exist,
// which keeps the wildcard from flagging unrelated rundll32 entries; the trailing "*" on the path
// covers the export name after the DLL (Startup, s, DllRegisterServer, ...).
// AutoRun:"Pcica","rundll32.exe "c:\windows\ebatecoqa.dll",Startup","flagifnofile=1"
AutoRun:"*","<$WINDIR>\ebatecoqa.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","Pcica"
// File:"<$FILE_EXE>","rundll32.exe "c:\windows\ebatecoqa.dll",Startup"
File:"<$FILE_LIBRARY>","<$WINDIR>\ebatecoqa.dll"

// The observed command names the DLL without a directory; the rule assumes the system directory
// (the same library is listed as a BHO above).
// AutoRun:"nujuzugide","Rundll32.exe "jidewojo.dll",s","flagifnofile=1"
AutoRun:"*","<$SYSDIR>\jidewojo.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","nujuzugide"
// File:"<$FILE_EXE>","Rundll32.exe "jidewojo.dll",s"
File:"<$FILE_LIBRARY>","<$SYSDIR>\jidewojo.dll"

// AutoRun:"wevufulupe","Rundll32.exe "pihuzura.dll",s","flagifnofile=1"
AutoRun:"*","<$SYSDIR>\pihuzura.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","wevufulupe"
// File:"<$FILE_EXE>","Rundll32.exe "pihuzura.dll",s"
File:"<$FILE_LIBRARY>","<$SYSDIR>\pihuzura.dll"

// AutoRun:"geminodagu","Rundll32.exe "hegobala.dll",s","flagifnofile=1"
AutoRun:"*","<$SYSDIR>\hegobala.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","geminodagu"
// File:"<$FILE_EXE>","Rundll32.exe "hegobala.dll",s"
File:"<$FILE_LIBRARY>","<$SYSDIR>\hegobala.dll"

// From here on the samples live in the user profile, so the Run values are in HKCU.
// AutoRun:"Qdonuwuqe","rundll32.exe "C:\Users\Yash\AppData\Local\idmprolp.dll",Startup","flagifnofile=1"
AutoRun:"*","<$LOCALAPPDATA>\idmprolp.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","Qdonuwuqe"
// File:"<$FILE_EXE>","rundll32.exe "C:\Users\Yash\AppData\Local\idmprolp.dll",Startup"
File:"<$FILE_LIBRARY>","<$LOCALAPPDATA>\idmprolp.dll"

// AutoRun:"ljihfdsys","rundll32.exe "c:\users\thomas\appdata\local\temp\khgeff.dll",DllRegisterServer","flagifnofile=1"
AutoRun:"*","<$LOCALAPPDATA>\temp\khgeff.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","ljihfdsys"
// File:"<$FILE_EXE>","rundll32.exe "c:\users\thomas\appdata\local\temp\khgeff.dll",DllRegisterServer"
File:"<$FILE_LIBRARY>","<$LOCALAPPDATA>\temp\khgeff.dll"

// AutoRun:"Mnodiqi","rundll32.exe "C:\WINDOWS\amsctsp6.dll",Startup","flagifnofile=1"
AutoRun:"*","<$WINDIR>\amsctsp6.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","Mnodiqi"
// File:"<$FILE_EXE>","rundll32.exe "C:\WINDOWS\amsctsp6.dll",Startup"
File:"<$FILE_LIBRARY>","<$WINDIR>\amsctsp6.dll"

// NOTE(review): the sample path is ...\AppData\Roaming\halmacpi5.dll.  If <$APPDATA> already
// expands to the roaming application-data folder (as <$LOCALAPPDATA> does for AppData\Local in
// the stanzas above), the extra "\Roaming\" segment here would never match — confirm the
// variable's expansion.
// AutoRun:"mvgxpruh","rundll32 "C:\Users\Kristina.Kristina-PC\AppData\Roaming\halmacpi5.dll",Mpgyeyic","flagifnofile=1"
AutoRun:"*","<$APPDATA>\Roaming\halmacpi5.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","mvgxpruh"
// File:"<$FILE_EXE>","rundll32 "C:\Users\Kristina.Kristina-PC\AppData\Roaming\halmacpi5.dll",Mpgyeyic"
File:"<$FILE_LIBRARY>","<$APPDATA>\Roaming\halmacpi5.dll"

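// AppInit_DLLs injection: the value holds the bare name "kcuyeh.dll", and RegyRemove strips just
// that entry from the (possibly shared) AppInit_DLLs string instead of deleting the value.
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","kcuyeh.dll"
// Fixed: the File path lacked the <$SYSDIR>\ prefix that every sibling stanza with a bare
// AppInit name uses (tebudati.dll, xnimsa.dll, xmomhz.dll, ...); a bare file name gives the
// File rule no directory to look in.
File:"<$FILE_LIBRARY>","<$SYSDIR>\kcuyeh.dll"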

// AppInit_DLLs injection variants.  RegyRemove strips only the named entry from the AppInit_DLLs
// string (it is a shared value, so deleting it outright could affect legitimate entries).  The
// removal string mirrors how each sample wrote itself: some with a full <$SYSDIR> path, some as a
// bare file name; the File rule always uses the system directory.
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\komabagi.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\komabagi.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\hazafupe.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\hazafupe.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","tebudati.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\tebudati.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\nilimuvo.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\nilimuvo.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\numuligi.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\numuligi.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","xnimsa.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\xnimsa.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","xmomhz.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\xmomhz.dll"

// The next two imitate legitimate system library names with a "32" suffix; match exact names only.
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\dot3msm32.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\dot3msm32.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\DevicePairingProxy32.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\DevicePairingProxy32.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","powanere.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\powanere.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","hiwazedo.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\hiwazedo.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","puhepayo.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\puhepayo.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","subamiba.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\subamiba.dll"

// Winlogon Notify packages: each variant registers a subkey under Winlogon\Notify whose DllName
// points at the library, so the DLL is loaded into winlogon.  The RegyKey entry carries the
// expected DllName as a filter; in the first stanza the key name (pfhteltm) and the DLL name
// (zwlxpga.dll) differ, in the other two they are identical.
RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\","pfhteltm","DllName=zwlxpga.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\zwlxpga.dll"

RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\","ljjkkkh","DllName=ljjkkkh.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\ljjkkkh.dll"

RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\","khfdeby","DllName=khfdeby.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\khfdeby.dll"

// SharedTaskScheduler entries: the value "kjsfi8sjefiuoshiefyhiusdhfdf" points at CLSID
// {A2BA40A0-74F1-52BD-F411-00B15A2C8953}, the same CLSID registered as a BHO by the
// kvpn0tj72v.dll / ep8h80ikt.dll variants above.  The RegyValue line is repeated verbatim for
// each of the three libraries seen behind that CLSID; the duplicates are harmless, but a single
// RegyValue followed by the three File lines would express the same thing.
RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","kjsfi8sjefiuoshiefyhiusdhfdf","kjsfi8sjefiuoshiefyhiusdhfdf={A2BA40A0-74F1-52BD-F411-00B15A2C8953}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\g6m8g02.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","kjsfi8sjefiuoshiefyhiusdhfdf","kjsfi8sjefiuoshiefyhiusdhfdf={A2BA40A0-74F1-52BD-F411-00B15A2C8953}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\ep8h80ikt.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","kjsfi8sjefiuoshiefyhiusdhfdf","kjsfi8sjefiuoshiefyhiusdhfdf={A2BA40A0-74F1-52BD-F411-00B15A2C8953}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\unkak6knvh.dll"