I've collected detection rules for the following Malware:
  • Adware.DoubleD
  • Adware.FastBrowserSearch
  • Malware.Smitfraud
  • Rogue.Wareout
  • Suspicious(2)
  • Trojan.TDSS.Rootkit
  • Trojan.Virtumonde
Category: Trojan
Code:
:: New Malware v18
// Revision 1
// {Cat:Trojan}{Cnt:1}
// {Det:Matt,2009-07-23}
//
// Detection rules assembled from a user's log, one section per family.
// The syntax looks like a Spybot-style include file (Spybot is named in the
// Smitfraud note below): the "::" and "{...}" lines carry product metadata,
// "//" lines are comments, and the remaining lines are File / Directory /
// RegyKey / RegyValue / RegyRemove / AutoRun / BrowserHelperEx detections.
// Rule lines kept behind "//" are disabled entries retained for reference.

// Adware.DoubleD:
// Toolbar keyed on CLSID {5617ECA9-488D-4BA2-8562-9710B9AB78D2}: the same GUID is
// expected both as an IE Toolbar value and as a CLSID class key.
BrowserHelperEx:"GamingHarbor Toolbar",
RegyValue:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Internet Explorer\Toolbar\","{5617ECA9-488D-4BA2-8562-9710B9AB78D2}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{5617ECA9-488D-4BA2-8562-9710B9AB78D2}"
//Consider whether question marks or asterisks should be used instead of this version number.
//File:"<$FILE_LIBRARY>","<$PROGRAMFILES>\DoubleD\GamingHarbor Toolbar\4.1.4.20920\stb0.dll"
// NOTE(review): only the library name (stb?.dll) is wildcarded; the build directory
// 4.1.4.20920 is still literal in every File and Directory rule of this section, so
// other builds of the toolbar would not be matched. The wildcard question above
// applies to the directory as well.
File:"<$FILE_LIBRARY>","<$PROGRAMFILES>\DoubleD\GamingHarbor Toolbar\4.1.4.20920\stb?.dll"
File:"<$FILE_EXE>","<$PROGRAMFILES>\DoubleD\GamingHarbor Toolbar\4.1.4.20920\stbapp.exe"
File:"<$FILE_EXE>","<$PROGRAMFILES>\DoubleD\GamingHarbor Toolbar\4.1.4.20920\stbappHelper.exe"
File:"<$FILE_EXE>","<$PROGRAMFILES>\DoubleD\GamingHarbor Toolbar\4.1.4.20920\stbsvc.exe"
Directory:"<$DIR_PROG>","<$PROGRAMFILES>\DoubleD\GamingHarbor Toolbar\4.1.4.20920"
Directory:"<$DIR_PROG>","<$PROGRAMFILES>\DoubleD\GamingHarbor Toolbar"
Directory:"<$DIR_PROG>","<$PROGRAMFILES>\DoubleD"

// Adware.FastBrowserSearch:
// Five CLSIDs, each paired with its CLSID class key: three registered as Browser
// Helper Objects ({FCBCCB87-...}, {6C621F09-...}, {F0626A63-...}) and two as IE
// Toolbar values ({C2DCA7EB-...}, {1BB22D38-...}). The same two DLL names are
// listed under both install directories seen (Fast Browser Search\IE and SGPSA).
BrowserHelperEx:"TBSB07183",
BrowserHelperEx:"Fast Browser Search",
BrowserHelperEx:"Fast Browser Search Toolbar Helper",
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{FCBCCB87-9224-4B8D-B117-F56D924BEB18}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{FCBCCB87-9224-4B8D-B117-F56D924BEB18}"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{6C621F09-DFF3-415A-B7D1-142678EFEB34}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{6C621F09-DFF3-415A-B7D1-142678EFEB34}"
RegyValue:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Internet Explorer\Toolbar\","{C2DCA7EB-22D2-4FD2-86A9-F99FCC8122BB}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{C2DCA7EB-22D2-4FD2-86A9-F99FCC8122BB}"
RegyValue:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Internet Explorer\Toolbar\","{1BB22D38-A411-4B13-A746-C2A4F4EC7344}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{1BB22D38-A411-4B13-A746-C2A4F4EC7344}"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{F0626A63-410B-45E2-99A1-3F2475B2D695}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{F0626A63-410B-45E2-99A1-3F2475B2D695}"
File:"<$FILE_LIBRARY>","<$PROGRAMFILES>\Fast Browser Search\IE\FBStoolbar.dll"
File:"<$FILE_LIBRARY>","<$PROGRAMFILES>\Fast Browser Search\IE\BHO.dll"
File:"<$FILE_LIBRARY>","<$PROGRAMFILES>\SGPSA\FBStoolbar.dll"
File:"<$FILE_LIBRARY>","<$PROGRAMFILES>\SGPSA\BHO.dll"
Directory:"<$DIR_PROG>","<$PROGRAMFILES>\Fast Browser Search\IE"
Directory:"<$DIR_PROG>","<$PROGRAMFILES>\Fast Browser Search"
Directory:"<$DIR_PROG>","<$PROGRAMFILES>\SGPSA"

// Malware.Smitfraud:
// Only added again because the user reported that a current Spybot found nothing; please check.
// Run-key persistence for a hex-named executable in the user's Temp directory.
// NOTE(review): "flagifnofile=1" presumably makes the AutoRun rule fire on the Run
// value alone even when the executable is already gone — confirm the flag's meaning.
AutoRun:"A00F287A0F.exe","<$LOCALSETTINGS>\Temp\_A00F287A0F.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","A00F287A0F.exe"
File:"<$FILE_EXE>","<$LOCALSETTINGS>\Temp\_A00F287A0F.exe"

// Rogue.Wareout:
// Detection rests on a single URLSearchHooks CLSID; no file, directory or BHO entry
// is listed for this family in this revision.
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\","{F66A572F-C174-5EF6-089E-DDD0B41A51B6}"

// Suspicious(1):
//There are entries... :-)
// NOTE(review): the path "m‘|\ü" looks like a mis-decoded string copied from the
// user's log rather than a real file name, which is presumably why the matching
// File rule below is disabled. As written the AutoRun rule is effectively keyed on
// the Run value name GEST; verify the real path against the original log before
// relying on this entry.
AutoRun:"GEST","m‘|\ü","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","GEST"
//File:"<$FILE_EXE>","m‘|\ü"

// Suspicious(2):
// SharedTaskScheduler entry whose ImagePath points at <$WINDIR>\svchast.exe — a
// name one letter off from the legitimate svchost.exe, which is what makes the
// entry suspicious. Both RegyKey rules target the same key, one per value.
RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","AntipPro2009_12","ImagePath=<$WINDIR>\svchast.exe"
RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","AntipPro2009_12","DisplayName=AntipyPro_12"
File:"<$FILE_EXE>","<$WINDIR>\svchast.exe"

// Trojan.TDSS.Rootkit:
// No active rule in this revision: every file name below shares the "hjgrui"
// prefix followed by random-looking characters, so literal File rules would only
// match this one infection. The first entry is recorded with a
// globalroot\systemroot prefix, as it appeared in the log.
//globalroot\systemroot\system32\hjgruilxoqvnis.dll
//c:\windows\system32\drivers\hjgruiduwrxrns.sys
//c:\windows\system32\hjgruicusuvmif.dat
//c:\windows\system32\hjgruiektvoddw.dll
//c:\windows\system32\hjgruilxoqvnis.dll
//c:\windows\system32\hjgruiodhayksr.dat

// Trojan.Virtumonde:
// Winlogon\Notify subkeys used for persistence. The disabled first rule carries a
// DllName that appears truncated in the log (C:\WINDOWS\), so the active rule that
// follows matches the ec6ca0fa648 subkey by name alone, without a DllName check.
//RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\","ec6ca0fa648","DllName=C:\WINDOWS\"
RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\","ec6ca0fa648"
RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\","68d0fca0579","DllName=<$SYSDIR>\dnssd32.dll"
RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\","__c0018211","DllName=<$SYSDIR>\__c0018211.dat"
// NOTE(review): RegyRemove here names the dnssd32.dll entry explicitly, which
// presumably strips only that entry from AppInit_DLLs rather than clearing the
// whole value — confirm, since wiping AppInit_DLLs entirely could remove
// legitimate entries.
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\dnssd32.dll"
File:"<$FILE_DATA>","<$SYSDIR>\__c0018211.dat"
File:"<$FILE_LIBRARY>","<$SYSDIR>\dnssd32.dll"