:: Virtumonde
// Revision 1
// {Cat:Test}{Cnt:1}
// {Det:Matt,2009-05-02}
// Detection/removal rules for one Virtumonde variant. Every group below pairs
// a registry load point (Browser Helper Object, Run key, AppInit_DLLs,
// ShellServiceObjectDelayLoad, SharedTaskScheduler) with the <$SYSDIR> DLL it
// points at, so the persistence entry and the payload file are flagged
// together. All file names and CLSIDs are specific to this listing.
// --- Variant group 1 ---
// BHO persistence: the same CLSID is registered under the Browser Helper
// Objects key and under HKLM\SOFTWARE\Classes\CLSID; both keys are flagged.
// Choose the BrowserHelperEx variant to flag the file as well, unless name is "(no name)".
//BrowserHelperEx:"(no name)","flagfile=1"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{2eda6cef-a401-421d-af32-a25059ef9624}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{2eda6cef-a401-421d-af32-a25059ef9624}"
// Run-key persistence. AutoRun names the Run value and the DLL it loads;
// per the template note, "flagifnofile=1" is meant to keep the registry
// entry flagged even when the DLL is already gone (confirm against the
// AutoRun reference). The RegyValue and File lines that follow restate the
// two indicators the AutoRun line already covers.
// The AutoRun command flags both in one line and looks in multiple locations; another advantage may be in flagifnofile=1
AutoRun:"2cc32117","<$SYSDIR>\bumokoju.dll","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","2cc32117"
File:"<$FILE_EXE>","<$SYSDIR>\bumokoju.dll"
// The AutoRun command flags both in one line and looks in multiple locations; another advantage may be in flagifnofile=1
AutoRun:"CPM2ff0128b","<$SYSDIR>\mumonuwi.dll","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","CPM2ff0128b"
File:"<$FILE_EXE>","<$SYSDIR>\mumonuwi.dll"
// The AutoRun command flags both in one line and looks in multiple locations; another advantage may be in flagifnofile=1
AutoRun:"fahukupeke","<$SYSDIR>\visujowo.dll","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","fahukupeke"
File:"<$FILE_EXE>","<$SYSDIR>\visujowo.dll"
// AppInit_DLLs persistence. AppInit_DLLs is a single multi-entry value that
// legitimate software may also use, hence the template warning: each
// RegyRemove names one specific DLL path as its last parameter so that only
// that entry is stripped rather than the whole value (presumably how
// RegyRemove treats the extra parameter - verify before relying on it).
// Adjust parameters to remove only bad libraries!
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\mumonuwi.dll"
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\diyohobe.dll"
// NOTE(review): mumonuwi.dll is categorised as <$FILE_EXE> above, <$FILE_WEBPAGE>
// here and <$FILE_LIBRARY> below; these look like generator defaults rather
// than deliberate choices - confirm which category is intended for the file.
File:"<$FILE_WEBPAGE>","<$SYSDIR>\mumonuwi.dll"
File:"<$FILE_WEBPAGE>","<$SYSDIR>\diyohobe.dll"
// ShellServiceObjectDelayLoad (SSODL) persistence, keyed on the variant's CLSID.
// NOTE(review): "<description>" is an unfilled template placeholder; give this
// rule a real description before the signature ships.
//
RegyValue:"<description>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","SSODL","SSODL={EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\mumonuwi.dll"
// SharedTaskScheduler (STS) persistence, same CLSID as the SSODL entry.
// NOTE(review): "<description>" placeholder again - see the SSODL entry above.
//
RegyValue:"<description>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","STS","STS={EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\mumonuwi.dll"
// --- Variant group 2 --- (same structure: BHO, three Run entries,
// AppInit_DLLs removals, SSODL). This group has no SharedTaskScheduler entry;
// whether that is intentional or an omission cannot be told from here.
// Choose the BrowserHelperEx variant to flag the file as well, unless name is "(no name)".
//BrowserHelperEx:"(no name)","flagfile=1"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{fe3a801d-ec23-48e1-ac7a-ba081d254ea9}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{fe3a801d-ec23-48e1-ac7a-ba081d254ea9}"
// The AutoRun command flags both in one line and looks in multiple locations; another advantage may be in flagifnofile=1
AutoRun:"kapopejizo","<$SYSDIR>\nevibuni.dll","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","kapopejizo"
File:"<$FILE_EXE>","<$SYSDIR>\nevibuni.dll"
// The AutoRun command flags both in one line and looks in multiple locations; another advantage may be in flagifnofile=1
AutoRun:"28dcd41b","<$SYSDIR>\wukoraga.dll","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","28dcd41b"
File:"<$FILE_EXE>","<$SYSDIR>\wukoraga.dll"
// The AutoRun command flags both in one line and looks in multiple locations; another advantage may be in flagifnofile=1
AutoRun:"CPM2befe787","<$SYSDIR>\yogukezo.dll","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","CPM2befe787"
File:"<$FILE_EXE>","<$SYSDIR>\yogukezo.dll"
// AppInit_DLLs removals for this group; one RegyRemove per DLL entry, as above.
// Adjust parameters to remove only bad libraries!
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\vitetija.dll"
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\yogukezo.dll"
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\daharubo.dll"
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\kemuboti.dll"
// NOTE(review): yogukezo.dll is <$FILE_EXE> above and <$FILE_WEBPAGE> here -
// same category inconsistency as mumonuwi.dll in group 1.
File:"<$FILE_WEBPAGE>","<$SYSDIR>\vitetija.dll"
File:"<$FILE_WEBPAGE>","<$SYSDIR>\yogukezo.dll"
File:"<$FILE_WEBPAGE>","<$SYSDIR>\daharubo.dll"
File:"<$FILE_WEBPAGE>","<$SYSDIR>\kemuboti.dll"
// SSODL persistence for group 2; the CLSID is the same one used in group 1,
// but the payload file here is kemuboti.dll rather than mumonuwi.dll.
// NOTE(review): "<description>" placeholder still unfilled.
//
RegyValue:"<description>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","SSODL","SSODL={EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\kemuboti.dll"