I've collected detection rules for the following malware (note: three of them — Hijacker.FFHijacker.ttam, Rootkit.Agent and Rootkit.TDSS — are documented below only as log excerpts and carry no active rule yet):
  • Adware.SkyMediaPack
  • Hijacker.FFHijacker.ttam
  • Malware.Fraud.CleanupAntivirus
  • Rootkit.Bredolab
  • Rootkit.Agent
  • Rootkit.TDSS
  • Spyware.AdRotator
  • Trojan.Autorun
  • Trojan.Clicker
  • Trojan.FakeAlert.ttam
  • Trojan.Rbot
  • Trojan.Sdbot
  • Trojan.Virtumonde(2)
Category: Trojan
Code:
:: New Malware v81
// Revision 1
// {Cat:Trojan}{Cnt:1}
// {Det:Matt,2010-03-09}


// Adware.SkyMediaPack:
// http://www.skytoolbar.com/
// http://www.skymediapack.com/
// See also: http://www.systemlookup.com/CLSID/61417-MinBHO_dll.html
// Two IE components share one install folder: MinBHO.dll ("ShowBarObj Class") registered as a BHO,
// and KBBar.dll / update.dll registered as an IE toolbar; a Firefox extension tree sits under ...\skytoolbar\FF.
BrowserHelperEx:"ShowBarObj Class","filename=MinBHO.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{2863E737-DD3F-4280-9AF8-E9E79C16F312}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{2863E737-DD3F-4280-9AF8-E9E79C16F312}"
// Also found in an MBAM (Malwarebytes) log:
// HKEY_CLASSES_ROOT\minbho.showbarobj (Adware.SkyMediaPack) -> Quarantined and deleted successfully.
// HKEY_CLASSES_ROOT\TypeLib\{27ba317e-7bbd-4ebe-a06a-47f076d9d6f7} (Adware.SkyMediaPack) -> Quarantined and deleted successfully.
// HKEY_CLASSES_ROOT\Interface\{2574231f-9d6f-4b0e-9041-5dd7484564ad} (Adware.SkyMediaPack) -> Quarantined and deleted successfully.
// HKEY_CLASSES_ROOT\CLSID\{2863e737-dd3f-4280-9af8-e9e79c16f312} (Adware.SkyMediaPack) -> Quarantined and deleted successfully.
// HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{2863e737-dd3f-4280-9af8-e9e79c16f312} (Adware.SkyMediaPack) -> Quarantined and deleted successfully.
// HKEY_CLASSES_ROOT\minbho.showbarobj.1 (Adware.SkyMediaPack) -> Quarantined and deleted successfully.
// HKEY_CLASSES_ROOT\TypeLib\{70ef8b2a-3a34-4913-aafc-5a2827e0b1b1} (Adware.SkyMediaPack) -> Quarantined and deleted successfully.
// HKEY_CLASSES_ROOT\Interface\{c91bcf48-598c-48bc-a4a7-192cefc9068a} (Adware.SkyMediaPack) -> Quarantined and deleted successfully.
// HKEY_CLASSES_ROOT\CLSID\{f334c7b0-8774-4d5b-bd7a-4f448d03a1ae} (Adware.SkyMediaPack) -> Quarantined and deleted successfully.
// HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{f334c7b0-8774-4d5b-bd7a-4f448d03a1ae} (Adware.SkyMediaPack) -> Quarantined and deleted successfully.
// HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{f334c7b0-8774-4d5b-bd7a-4f448d03a1ae}
// NOTE(review): the ProgID (minbho.showbarobj), TypeLib, Interface and HKCU ...\Ext\Stats keys from the MBAM log
// above have no matching RegyKey entry in this section; only the two CLSIDs plus the BHO/toolbar registrations are covered.
// See: http://www.systemlookup.com/CLSID/61489-KBBar_dll_update_dll.html
BrowserHelperEx:"KBBar","filename=KBBar.dll"
BrowserHelperEx:"KBBar","filename=update.dll"
// This key is the IE toolbar registration (HKLM\...\Internet Explorer\Toolbar), not a BHO key, even though it is
// filed under <$REG_BHO>; the MBAM log above lists the same CLSID at exactly that location.
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Internet Explorer\Toolbar\","{f334c7b0-8774-4d5b-bd7a-4f448d03a1ae}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{f334c7b0-8774-4d5b-bd7a-4f448d03a1ae}"
// The "words" folder holds plain-text files named after ad topics (presumably keyword lists behind the toolbar's
// category buttons). Harmless data on their own; listed so that cleanup of the install folder is complete.
File:"<$FILE_TEXT>","<$PROGRAMFILES>\skymediapack\skytoolbar\FF\chrome\words\anti-viruses.txt"
File:"<$FILE_TEXT>","<$PROGRAMFILES>\skymediapack\skytoolbar\FF\chrome\words\archivators.txt"
File:"<$FILE_TEXT>","<$PROGRAMFILES>\skymediapack\skytoolbar\FF\chrome\words\auto credit.txt"
File:"<$FILE_TEXT>","<$PROGRAMFILES>\skymediapack\skytoolbar\FF\chrome\words\auto insurance.txt"
File:"<$FILE_TEXT>","<$PROGRAMFILES>\skymediapack\skytoolbar\FF\chrome\words\baccarat.txt"
File:"<$FILE_TEXT>","<$PROGRAMFILES>\skymediapack\skytoolbar\FF\chrome\words\bingo.txt"
File:"<$FILE_TEXT>","<$PROGRAMFILES>\skymediapack\skytoolbar\FF\chrome\words\body-building.txt"
File:"<$FILE_TEXT>","<$PROGRAMFILES>\skymediapack\skytoolbar\FF\chrome\words\casino.txt"
File:"<$FILE_TEXT>","<$PROGRAMFILES>\skymediapack\skytoolbar\FF\chrome\words\credit.txt"
File:"<$FILE_TEXT>","<$PROGRAMFILES>\skymediapack\skytoolbar\FF\chrome\words\free downloaders.txt"
File:"<$FILE_TEXT>","<$PROGRAMFILES>\skymediapack\skytoolbar\FF\chrome\words\general health.txt"
File:"<$FILE_TEXT>","<$PROGRAMFILES>\skymediapack\skytoolbar\FF\chrome\words\health and life.txt"
File:"<$FILE_TEXT>","<$PROGRAMFILES>\skymediapack\skytoolbar\FF\chrome\words\home.txt"
File:"<$FILE_TEXT>","<$PROGRAMFILES>\skymediapack\skytoolbar\FF\chrome\words\keno.txt"
File:"<$FILE_TEXT>","<$PROGRAMFILES>\skymediapack\skytoolbar\FF\chrome\words\men`s health.txt"
File:"<$FILE_TEXT>","<$PROGRAMFILES>\skymediapack\skytoolbar\FF\chrome\words\mp3 dvd players.txt"
File:"<$FILE_TEXT>","<$PROGRAMFILES>\skymediapack\skytoolbar\FF\chrome\words\pain relief.txt"
File:"<$FILE_TEXT>","<$PROGRAMFILES>\skymediapack\skytoolbar\FF\chrome\words\pets.txt"
File:"<$FILE_TEXT>","<$PROGRAMFILES>\skymediapack\skytoolbar\FF\chrome\words\poker.txt"
File:"<$FILE_TEXT>","<$PROGRAMFILES>\skymediapack\skytoolbar\FF\chrome\words\weight loss.txt"
File:"<$FILE_TEXT>","<$PROGRAMFILES>\skymediapack\skytoolbar\FF\chrome\words\women`s health.txt"
// Firefox extension skin / locale / content files (plain XUL/JS/CSS resources).
File:"<$FILE_PICTURE>","<$PROGRAMFILES>\skymediapack\skytoolbar\FF\chrome\skin\about.png"
File:"<$FILE_PICTURE>","<$PROGRAMFILES>\skymediapack\skytoolbar\FF\chrome\skin\aboutDlg.png"
File:"<$FILE_PICTURE>","<$PROGRAMFILES>\skymediapack\skytoolbar\FF\chrome\skin\auto.png"
File:"<$FILE_PICTURE>","<$PROGRAMFILES>\skymediapack\skytoolbar\FF\chrome\skin\bigbutton.png"
File:"<$FILE_PICTURE>","<$PROGRAMFILES>\skymediapack\skytoolbar\FF\chrome\skin\gambling.png"
File:"<$FILE_PICTURE>","<$PROGRAMFILES>\skymediapack\skytoolbar\FF\chrome\skin\gripper.png"
File:"<$FILE_PICTURE>","<$PROGRAMFILES>\skymediapack\skytoolbar\FF\chrome\skin\insurance.png"
File:"<$FILE_PICTURE>","<$PROGRAMFILES>\skymediapack\skytoolbar\FF\chrome\skin\pharmacy.png"
File:"<$FILE_PICTURE>","<$PROGRAMFILES>\skymediapack\skytoolbar\FF\chrome\skin\search.png"
File:"<$FILE_PICTURE>","<$PROGRAMFILES>\skymediapack\skytoolbar\FF\chrome\skin\settings.png"
File:"<$FILE_DATA>","<$PROGRAMFILES>\skymediapack\skytoolbar\FF\chrome\skin\SkySearchToolbar.css"
File:"<$FILE_PICTURE>","<$PROGRAMFILES>\skymediapack\skytoolbar\FF\chrome\skin\software.png"
File:"<$FILE_DATA>","<$PROGRAMFILES>\skymediapack\skytoolbar\FF\chrome\locale\en-US\SkySearchToolbar.dtd"
File:"<$FILE_DATA>","<$PROGRAMFILES>\skymediapack\skytoolbar\FF\chrome\locale\en-US\toolbar.properties"
File:"<$FILE_DATA>","<$PROGRAMFILES>\skymediapack\skytoolbar\FF\chrome\locale\ru-RU\SkySearchToolbar.dtd"
File:"<$FILE_DATA>","<$PROGRAMFILES>\skymediapack\skytoolbar\FF\chrome\locale\ru-RU\toolbar.properties"
File:"<$FILE_DATA>","<$PROGRAMFILES>\skymediapack\skytoolbar\FF\chrome\content\about.xul"
File:"<$FILE_DATA>","<$PROGRAMFILES>\skymediapack\skytoolbar\FF\chrome\content\settings.js"
File:"<$FILE_DATA>","<$PROGRAMFILES>\skymediapack\skytoolbar\FF\chrome\content\SkySearchToolbar.js"
File:"<$FILE_DATA>","<$PROGRAMFILES>\skymediapack\skytoolbar\FF\chrome\content\SkySearchToolbar.xul"
// Native binaries: the BHO, the toolbar DLLs, a start-page DLL and an updater EXE.
File:"<$FILE_LIBRARY>","<$PROGRAMFILES>\SkyMediaPack\SkyToolbar\MinBHO.dll"
File:"<$FILE_LIBRARY>","<$PROGRAMFILES>\skymediapack\skytoolbar\BrowserStartPage.dll"
File:"<$FILE_DATA>","<$PROGRAMFILES>\skymediapack\skytoolbar\Config.dat"
File:"<$FILE_LIBRARY>","<$PROGRAMFILES>\skymediapack\skytoolbar\KBBar.dll"
File:"<$FILE_EXE>","<$PROGRAMFILES>\skymediapack\skytoolbar\ToolbarUpdate.exe"
// unins000.exe / unins000.dat look like a generic installer's uninstaller artefacts (the Inno Setup naming
// convention), so they are deliberately matched only under this exact path — never by name alone.
File:"<$FILE_DATA>","<$PROGRAMFILES>\skymediapack\skytoolbar\unins000.dat"
File:"<$FILE_EXE>","<$PROGRAMFILES>\skymediapack\skytoolbar\unins000.exe"
File:"<$FILE_LIBRARY>","<$PROGRAMFILES>\skymediapack\skytoolbar\update.dll"
File:"<$FILE_DATA>","<$PROGRAMFILES>\skymediapack\skytoolbar\FF\chrome.manifest"
File:"<$FILE_DATA>","<$PROGRAMFILES>\skymediapack\skytoolbar\FF\install.rdf"
// Directories are listed deepest-first so that each one is empty by the time it is removed.
Directory:"<$DIR_PROG>","<$PROGRAMFILES>\skymediapack\skytoolbar\FF\chrome\locale\en-US"
Directory:"<$DIR_PROG>","<$PROGRAMFILES>\skymediapack\skytoolbar\FF\chrome\locale\ru-RU"
Directory:"<$DIR_PROG>","<$PROGRAMFILES>\skymediapack\skytoolbar\FF\chrome\skin"
Directory:"<$DIR_PROG>","<$PROGRAMFILES>\skymediapack\skytoolbar\FF\chrome\words"
Directory:"<$DIR_PROG>","<$PROGRAMFILES>\skymediapack\skytoolbar\FF\chrome\content"
Directory:"<$DIR_PROG>","<$PROGRAMFILES>\skymediapack\skytoolbar\FF\chrome\locale"
Directory:"<$DIR_PROG>","<$PROGRAMFILES>\skymediapack\skytoolbar\FF\chrome"
Directory:"<$DIR_PROG>","<$PROGRAMFILES>\skymediapack\skytoolbar\FF"
Directory:"<$DIR_PROG>","<$PROGRAMFILES>\skymediapack\SkyToolbar"
Directory:"<$DIR_PROG>","<$PROGRAMFILES>\SkyMediaPack"


// Hijacker.FFHijacker.ttam:
// All taken from a single ComboFix log
// Sorry, but I have no files for you — so this section is a log excerpt only and carries no detection entry yet.
// The log shows 44 extension folders (each with chrome.manifest, chrome\content\overlay.xul and install.rdf)
// installed system-wide under the Firefox program directory rather than in a user profile; a rule would have
// to key on those GUID folder names, since the file names inside are the same for every Firefox extension.
// c:\program files\Mozilla Firefox\extensions\{016DF527-9AF7-4BC2-BD9E-34D05F7A1F70}
// c:\program files\Mozilla Firefox\extensions\{016DF527-9AF7-4BC2-BD9E-34D05F7A1F70}\chrome.manifest
// c:\program files\Mozilla Firefox\extensions\{016DF527-9AF7-4BC2-BD9E-34D05F7A1F70}\chrome\content\overlay.xul
// c:\program files\Mozilla Firefox\extensions\{016DF527-9AF7-4BC2-BD9E-34D05F7A1F70}\install.rdf
// c:\program files\Mozilla Firefox\extensions\{01C06508-0C57-4082-A738-6B2F9A5A59CD}
// c:\program files\Mozilla Firefox\extensions\{01C06508-0C57-4082-A738-6B2F9A5A59CD}\chrome.manifest
// c:\program files\Mozilla Firefox\extensions\{01C06508-0C57-4082-A738-6B2F9A5A59CD}\chrome\content\overlay.xul
// c:\program files\Mozilla Firefox\extensions\{01C06508-0C57-4082-A738-6B2F9A5A59CD}\install.rdf
// c:\program files\Mozilla Firefox\extensions\{02FF4F54-FD1C-44B1-84E3-603B1AE8DC72}
// c:\program files\Mozilla Firefox\extensions\{02FF4F54-FD1C-44B1-84E3-603B1AE8DC72}\chrome.manifest
// c:\program files\Mozilla Firefox\extensions\{02FF4F54-FD1C-44B1-84E3-603B1AE8DC72}\chrome\content\overlay.xul
// c:\program files\Mozilla Firefox\extensions\{02FF4F54-FD1C-44B1-84E3-603B1AE8DC72}\install.rdf
// c:\program files\Mozilla Firefox\extensions\{0317A91C-C779-4581-83B9-AAD99BA50BA9}
// c:\program files\Mozilla Firefox\extensions\{0317A91C-C779-4581-83B9-AAD99BA50BA9}\chrome.manifest
// c:\program files\Mozilla Firefox\extensions\{0317A91C-C779-4581-83B9-AAD99BA50BA9}\chrome\content\overlay.xul
// c:\program files\Mozilla Firefox\extensions\{0317A91C-C779-4581-83B9-AAD99BA50BA9}\install.rdf
// c:\program files\Mozilla Firefox\extensions\{0E4C258E-281E-4520-B75D-263F2967BA55}
// c:\program files\Mozilla Firefox\extensions\{0E4C258E-281E-4520-B75D-263F2967BA55}\chrome.manifest
// c:\program files\Mozilla Firefox\extensions\{0E4C258E-281E-4520-B75D-263F2967BA55}\chrome\content\overlay.xul
// c:\program files\Mozilla Firefox\extensions\{0E4C258E-281E-4520-B75D-263F2967BA55}\install.rdf
// c:\program files\Mozilla Firefox\extensions\{0EAF2F58-4C1E-4A1E-8DD2-8B76F49B1CF6}
// c:\program files\Mozilla Firefox\extensions\{0EAF2F58-4C1E-4A1E-8DD2-8B76F49B1CF6}\chrome.manifest
// c:\program files\Mozilla Firefox\extensions\{0EAF2F58-4C1E-4A1E-8DD2-8B76F49B1CF6}\chrome\content\overlay.xul
// c:\program files\Mozilla Firefox\extensions\{0EAF2F58-4C1E-4A1E-8DD2-8B76F49B1CF6}\install.rdf
// c:\program files\Mozilla Firefox\extensions\{1699CADF-FD0A-4E01-B400-8B9F8799A35A}
// c:\program files\Mozilla Firefox\extensions\{1699CADF-FD0A-4E01-B400-8B9F8799A35A}\chrome.manifest
// c:\program files\Mozilla Firefox\extensions\{1699CADF-FD0A-4E01-B400-8B9F8799A35A}\chrome\content\overlay.xul
// c:\program files\Mozilla Firefox\extensions\{1699CADF-FD0A-4E01-B400-8B9F8799A35A}\install.rdf
// c:\program files\Mozilla Firefox\extensions\{199741E1-C634-43E8-AA10-F13C1C982335}
// c:\program files\Mozilla Firefox\extensions\{199741E1-C634-43E8-AA10-F13C1C982335}\chrome.manifest
// c:\program files\Mozilla Firefox\extensions\{199741E1-C634-43E8-AA10-F13C1C982335}\chrome\content\overlay.xul
// c:\program files\Mozilla Firefox\extensions\{199741E1-C634-43E8-AA10-F13C1C982335}\install.rdf
// c:\program files\Mozilla Firefox\extensions\{2616CA37-8B21-47E1-AA81-BB2F902A4892}
// c:\program files\Mozilla Firefox\extensions\{2616CA37-8B21-47E1-AA81-BB2F902A4892}\chrome.manifest
// c:\program files\Mozilla Firefox\extensions\{2616CA37-8B21-47E1-AA81-BB2F902A4892}\chrome\content\overlay.xul
// c:\program files\Mozilla Firefox\extensions\{2616CA37-8B21-47E1-AA81-BB2F902A4892}\install.rdf
// c:\program files\Mozilla Firefox\extensions\{442AC648-BF2F-49F6-9AC4-B0DBC63D01D8}
// c:\program files\Mozilla Firefox\extensions\{442AC648-BF2F-49F6-9AC4-B0DBC63D01D8}\chrome.manifest
// c:\program files\Mozilla Firefox\extensions\{442AC648-BF2F-49F6-9AC4-B0DBC63D01D8}\chrome\content\overlay.xul
// c:\program files\Mozilla Firefox\extensions\{442AC648-BF2F-49F6-9AC4-B0DBC63D01D8}\install.rdf
// c:\program files\Mozilla Firefox\extensions\{4530B6AC-E069-4F99-8611-6121446C7AEE}
// c:\program files\Mozilla Firefox\extensions\{4530B6AC-E069-4F99-8611-6121446C7AEE}\chrome.manifest
// c:\program files\Mozilla Firefox\extensions\{4530B6AC-E069-4F99-8611-6121446C7AEE}\chrome\content\overlay.xul
// c:\program files\Mozilla Firefox\extensions\{4530B6AC-E069-4F99-8611-6121446C7AEE}\install.rdf
// c:\program files\Mozilla Firefox\extensions\{492939E7-9203-4D7B-9B75-757CF91EED05}
// c:\program files\Mozilla Firefox\extensions\{492939E7-9203-4D7B-9B75-757CF91EED05}\chrome.manifest
// c:\program files\Mozilla Firefox\extensions\{492939E7-9203-4D7B-9B75-757CF91EED05}\chrome\content\overlay.xul
// c:\program files\Mozilla Firefox\extensions\{492939E7-9203-4D7B-9B75-757CF91EED05}\install.rdf
// c:\program files\Mozilla Firefox\extensions\{617F406A-8430-4AB3-94A6-6F5EBC5EB7C3}
// c:\program files\Mozilla Firefox\extensions\{617F406A-8430-4AB3-94A6-6F5EBC5EB7C3}\chrome.manifest
// c:\program files\Mozilla Firefox\extensions\{617F406A-8430-4AB3-94A6-6F5EBC5EB7C3}\chrome\content\overlay.xul
// c:\program files\Mozilla Firefox\extensions\{617F406A-8430-4AB3-94A6-6F5EBC5EB7C3}\install.rdf
// c:\program files\Mozilla Firefox\extensions\{61E9AA48-00AE-4808-A5F9-B72ED13AE6FE}
// c:\program files\Mozilla Firefox\extensions\{61E9AA48-00AE-4808-A5F9-B72ED13AE6FE}\chrome.manifest
// c:\program files\Mozilla Firefox\extensions\{61E9AA48-00AE-4808-A5F9-B72ED13AE6FE}\chrome\content\overlay.xul
// c:\program files\Mozilla Firefox\extensions\{61E9AA48-00AE-4808-A5F9-B72ED13AE6FE}\install.rdf
// c:\program files\Mozilla Firefox\extensions\{6542FD09-F5BE-4FFE-8C76-B4FB34BC9FA6}
// c:\program files\Mozilla Firefox\extensions\{6542FD09-F5BE-4FFE-8C76-B4FB34BC9FA6}\chrome.manifest
// c:\program files\Mozilla Firefox\extensions\{6542FD09-F5BE-4FFE-8C76-B4FB34BC9FA6}\chrome\content\overlay.xul
// c:\program files\Mozilla Firefox\extensions\{6542FD09-F5BE-4FFE-8C76-B4FB34BC9FA6}\install.rdf
// c:\program files\Mozilla Firefox\extensions\{709B382F-0B93-48D4-BAE9-5CCA5170DCC2}
// c:\program files\Mozilla Firefox\extensions\{709B382F-0B93-48D4-BAE9-5CCA5170DCC2}\chrome.manifest
// c:\program files\Mozilla Firefox\extensions\{709B382F-0B93-48D4-BAE9-5CCA5170DCC2}\chrome\content\overlay.xul
// c:\program files\Mozilla Firefox\extensions\{709B382F-0B93-48D4-BAE9-5CCA5170DCC2}\install.rdf
// c:\program files\Mozilla Firefox\extensions\{722A931A-C51F-4DC3-AE99-456CA2051925}
// c:\program files\Mozilla Firefox\extensions\{722A931A-C51F-4DC3-AE99-456CA2051925}\chrome.manifest
// c:\program files\Mozilla Firefox\extensions\{722A931A-C51F-4DC3-AE99-456CA2051925}\chrome\content\overlay.xul
// c:\program files\Mozilla Firefox\extensions\{722A931A-C51F-4DC3-AE99-456CA2051925}\install.rdf
// c:\program files\Mozilla Firefox\extensions\{74DC7346-30E0-4832-82AF-49FDD7F5AA07}
// c:\program files\Mozilla Firefox\extensions\{74DC7346-30E0-4832-82AF-49FDD7F5AA07}\chrome.manifest
// c:\program files\Mozilla Firefox\extensions\{74DC7346-30E0-4832-82AF-49FDD7F5AA07}\chrome\content\overlay.xul
// c:\program files\Mozilla Firefox\extensions\{74DC7346-30E0-4832-82AF-49FDD7F5AA07}\install.rdf
// c:\program files\Mozilla Firefox\extensions\{873772F7-2E43-47C1-85E4-139A43F84170}
// c:\program files\Mozilla Firefox\extensions\{873772F7-2E43-47C1-85E4-139A43F84170}\chrome.manifest
// c:\program files\Mozilla Firefox\extensions\{873772F7-2E43-47C1-85E4-139A43F84170}\chrome\content\overlay.xul
// c:\program files\Mozilla Firefox\extensions\{873772F7-2E43-47C1-85E4-139A43F84170}\install.rdf
// c:\program files\Mozilla Firefox\extensions\{87C40D07-D704-470C-9748-F103DD18BEA5}
// c:\program files\Mozilla Firefox\extensions\{87C40D07-D704-470C-9748-F103DD18BEA5}\chrome.manifest
// c:\program files\Mozilla Firefox\extensions\{87C40D07-D704-470C-9748-F103DD18BEA5}\chrome\content\overlay.xul
// c:\program files\Mozilla Firefox\extensions\{87C40D07-D704-470C-9748-F103DD18BEA5}\install.rdf
// c:\program files\Mozilla Firefox\extensions\{8972C2BA-2D6E-4541-AFE6-F930DC9F7175}
// c:\program files\Mozilla Firefox\extensions\{8972C2BA-2D6E-4541-AFE6-F930DC9F7175}\chrome.manifest
// c:\program files\Mozilla Firefox\extensions\{8972C2BA-2D6E-4541-AFE6-F930DC9F7175}\chrome\content\overlay.xul
// c:\program files\Mozilla Firefox\extensions\{8972C2BA-2D6E-4541-AFE6-F930DC9F7175}\install.rdf
// c:\program files\Mozilla Firefox\extensions\{8B7CCFFE-86CA-456D-ABA9-5FF094F56C17}
// c:\program files\Mozilla Firefox\extensions\{8B7CCFFE-86CA-456D-ABA9-5FF094F56C17}\chrome.manifest
// c:\program files\Mozilla Firefox\extensions\{8B7CCFFE-86CA-456D-ABA9-5FF094F56C17}\chrome\content\overlay.xul
// c:\program files\Mozilla Firefox\extensions\{8B7CCFFE-86CA-456D-ABA9-5FF094F56C17}\install.rdf
// c:\program files\Mozilla Firefox\extensions\{920BA538-E00D-439E-B8D6-EBB288B9606F}
// c:\program files\Mozilla Firefox\extensions\{920BA538-E00D-439E-B8D6-EBB288B9606F}\chrome.manifest
// c:\program files\Mozilla Firefox\extensions\{920BA538-E00D-439E-B8D6-EBB288B9606F}\chrome\content\overlay.xul
// c:\program files\Mozilla Firefox\extensions\{920BA538-E00D-439E-B8D6-EBB288B9606F}\install.rdf
// c:\program files\Mozilla Firefox\extensions\{9538F178-3B16-466C-B1EF-777E63103B41}
// c:\program files\Mozilla Firefox\extensions\{9538F178-3B16-466C-B1EF-777E63103B41}\chrome.manifest
// c:\program files\Mozilla Firefox\extensions\{9538F178-3B16-466C-B1EF-777E63103B41}\chrome\content\overlay.xul
// c:\program files\Mozilla Firefox\extensions\{9538F178-3B16-466C-B1EF-777E63103B41}\install.rdf
// c:\program files\Mozilla Firefox\extensions\{9645AE60-A3F1-438A-9B0D-0F76F66C9511}
// c:\program files\Mozilla Firefox\extensions\{9645AE60-A3F1-438A-9B0D-0F76F66C9511}\chrome.manifest
// c:\program files\Mozilla Firefox\extensions\{9645AE60-A3F1-438A-9B0D-0F76F66C9511}\chrome\content\overlay.xul
// c:\program files\Mozilla Firefox\extensions\{9645AE60-A3F1-438A-9B0D-0F76F66C9511}\install.rdf
// c:\program files\Mozilla Firefox\extensions\{964BFDA6-8FCA-44B7-9DF7-BD6757FFF558}
// c:\program files\Mozilla Firefox\extensions\{964BFDA6-8FCA-44B7-9DF7-BD6757FFF558}\chrome.manifest
// c:\program files\Mozilla Firefox\extensions\{964BFDA6-8FCA-44B7-9DF7-BD6757FFF558}\chrome\content\overlay.xul
// c:\program files\Mozilla Firefox\extensions\{964BFDA6-8FCA-44B7-9DF7-BD6757FFF558}\install.rdf
// c:\program files\Mozilla Firefox\extensions\{99E483E4-AD71-4743-9F7F-9AFD206A4862}
// c:\program files\Mozilla Firefox\extensions\{99E483E4-AD71-4743-9F7F-9AFD206A4862}\chrome.manifest
// c:\program files\Mozilla Firefox\extensions\{99E483E4-AD71-4743-9F7F-9AFD206A4862}\chrome\content\overlay.xul
// c:\program files\Mozilla Firefox\extensions\{99E483E4-AD71-4743-9F7F-9AFD206A4862}\install.rdf
// c:\program files\Mozilla Firefox\extensions\{9A44BA76-7229-4EF4-8278-ADBD4FFEB8B2}
// c:\program files\Mozilla Firefox\extensions\{9A44BA76-7229-4EF4-8278-ADBD4FFEB8B2}\chrome.manifest
// c:\program files\Mozilla Firefox\extensions\{9A44BA76-7229-4EF4-8278-ADBD4FFEB8B2}\chrome\content\overlay.xul
// c:\program files\Mozilla Firefox\extensions\{9A44BA76-7229-4EF4-8278-ADBD4FFEB8B2}\install.rdf
// c:\program files\Mozilla Firefox\extensions\{9CB5361A-982E-40C2-B062-01C14B4A614D}
// c:\program files\Mozilla Firefox\extensions\{9CB5361A-982E-40C2-B062-01C14B4A614D}\chrome.manifest
// c:\program files\Mozilla Firefox\extensions\{9CB5361A-982E-40C2-B062-01C14B4A614D}\chrome\content\overlay.xul
// c:\program files\Mozilla Firefox\extensions\{9CB5361A-982E-40C2-B062-01C14B4A614D}\install.rdf
// c:\program files\Mozilla Firefox\extensions\{A372AF5B-DB78-4E14-B880-24930934415A}
// c:\program files\Mozilla Firefox\extensions\{A372AF5B-DB78-4E14-B880-24930934415A}\chrome.manifest
// c:\program files\Mozilla Firefox\extensions\{A372AF5B-DB78-4E14-B880-24930934415A}\chrome\content\overlay.xul
// c:\program files\Mozilla Firefox\extensions\{A372AF5B-DB78-4E14-B880-24930934415A}\install.rdf
// c:\program files\Mozilla Firefox\extensions\{A4877708-C36F-417B-A7DF-6DE65211C3CB}
// c:\program files\Mozilla Firefox\extensions\{A4877708-C36F-417B-A7DF-6DE65211C3CB}\chrome.manifest
// c:\program files\Mozilla Firefox\extensions\{A4877708-C36F-417B-A7DF-6DE65211C3CB}\chrome\content\overlay.xul
// c:\program files\Mozilla Firefox\extensions\{A4877708-C36F-417B-A7DF-6DE65211C3CB}\install.rdf
// c:\program files\Mozilla Firefox\extensions\{A61B8474-456C-4D55-A36A-FBB03B23A3B3}
// c:\program files\Mozilla Firefox\extensions\{A61B8474-456C-4D55-A36A-FBB03B23A3B3}\chrome.manifest
// c:\program files\Mozilla Firefox\extensions\{A61B8474-456C-4D55-A36A-FBB03B23A3B3}\chrome\content\overlay.xul
// c:\program files\Mozilla Firefox\extensions\{A61B8474-456C-4D55-A36A-FBB03B23A3B3}\install.rdf
// c:\program files\Mozilla Firefox\extensions\{B6FF86AF-1A35-4252-967A-DDE1F5B2E368}
// c:\program files\Mozilla Firefox\extensions\{B6FF86AF-1A35-4252-967A-DDE1F5B2E368}\chrome.manifest
// c:\program files\Mozilla Firefox\extensions\{B6FF86AF-1A35-4252-967A-DDE1F5B2E368}\chrome\content\overlay.xul
// c:\program files\Mozilla Firefox\extensions\{B6FF86AF-1A35-4252-967A-DDE1F5B2E368}\install.rdf
// c:\program files\Mozilla Firefox\extensions\{B89501EF-C474-4290-A994-334057467790}
// c:\program files\Mozilla Firefox\extensions\{B89501EF-C474-4290-A994-334057467790}\chrome.manifest
// c:\program files\Mozilla Firefox\extensions\{B89501EF-C474-4290-A994-334057467790}\chrome\content\overlay.xul
// c:\program files\Mozilla Firefox\extensions\{B89501EF-C474-4290-A994-334057467790}\install.rdf
// c:\program files\Mozilla Firefox\extensions\{BCD115C6-8493-4802-80A4-1A902E50A63B}
// c:\program files\Mozilla Firefox\extensions\{BCD115C6-8493-4802-80A4-1A902E50A63B}\chrome.manifest
// c:\program files\Mozilla Firefox\extensions\{BCD115C6-8493-4802-80A4-1A902E50A63B}\chrome\content\overlay.xul
// c:\program files\Mozilla Firefox\extensions\{BCD115C6-8493-4802-80A4-1A902E50A63B}\install.rdf
// c:\program files\Mozilla Firefox\extensions\{C579F7C3-2288-4432-9AB7-C319BEB20EA9}
// c:\program files\Mozilla Firefox\extensions\{C579F7C3-2288-4432-9AB7-C319BEB20EA9}\chrome.manifest
// c:\program files\Mozilla Firefox\extensions\{C579F7C3-2288-4432-9AB7-C319BEB20EA9}\chrome\content\overlay.xul
// c:\program files\Mozilla Firefox\extensions\{C579F7C3-2288-4432-9AB7-C319BEB20EA9}\install.rdf
// c:\program files\Mozilla Firefox\extensions\{C7323893-177D-4BA2-8726-A4B9A8DBF535}
// c:\program files\Mozilla Firefox\extensions\{C7323893-177D-4BA2-8726-A4B9A8DBF535}\chrome.manifest
// c:\program files\Mozilla Firefox\extensions\{C7323893-177D-4BA2-8726-A4B9A8DBF535}\chrome\content\overlay.xul
// c:\program files\Mozilla Firefox\extensions\{C7323893-177D-4BA2-8726-A4B9A8DBF535}\install.rdf
// c:\program files\Mozilla Firefox\extensions\{CBCCEB08-9904-4D8C-9E70-AEB75453EDDA}
// c:\program files\Mozilla Firefox\extensions\{CBCCEB08-9904-4D8C-9E70-AEB75453EDDA}\chrome.manifest
// c:\program files\Mozilla Firefox\extensions\{CBCCEB08-9904-4D8C-9E70-AEB75453EDDA}\chrome\content\overlay.xul
// c:\program files\Mozilla Firefox\extensions\{CBCCEB08-9904-4D8C-9E70-AEB75453EDDA}\install.rdf
// c:\program files\Mozilla Firefox\extensions\{CDCB005E-4729-4BCC-8DFF-2C12C6FB8CE6}
// c:\program files\Mozilla Firefox\extensions\{CDCB005E-4729-4BCC-8DFF-2C12C6FB8CE6}\chrome.manifest
// c:\program files\Mozilla Firefox\extensions\{CDCB005E-4729-4BCC-8DFF-2C12C6FB8CE6}\chrome\content\overlay.xul
// c:\program files\Mozilla Firefox\extensions\{CDCB005E-4729-4BCC-8DFF-2C12C6FB8CE6}\install.rdf
// c:\program files\Mozilla Firefox\extensions\{DC993398-01C8-464D-AF8D-47CDE7DDEE11}
// c:\program files\Mozilla Firefox\extensions\{DC993398-01C8-464D-AF8D-47CDE7DDEE11}\chrome.manifest
// c:\program files\Mozilla Firefox\extensions\{DC993398-01C8-464D-AF8D-47CDE7DDEE11}\chrome\content\overlay.xul
// c:\program files\Mozilla Firefox\extensions\{DC993398-01C8-464D-AF8D-47CDE7DDEE11}\install.rdf
// c:\program files\Mozilla Firefox\extensions\{E3D3C967-77CF-4857-A104-0C5168045EC8}
// c:\program files\Mozilla Firefox\extensions\{E3D3C967-77CF-4857-A104-0C5168045EC8}\chrome.manifest
// c:\program files\Mozilla Firefox\extensions\{E3D3C967-77CF-4857-A104-0C5168045EC8}\chrome\content\overlay.xul
// c:\program files\Mozilla Firefox\extensions\{E3D3C967-77CF-4857-A104-0C5168045EC8}\install.rdf
// c:\program files\Mozilla Firefox\extensions\{E8FC9FCE-B152-481B-816C-794628625FEC}
// c:\program files\Mozilla Firefox\extensions\{E8FC9FCE-B152-481B-816C-794628625FEC}\chrome.manifest
// c:\program files\Mozilla Firefox\extensions\{E8FC9FCE-B152-481B-816C-794628625FEC}\chrome\content\overlay.xul
// c:\program files\Mozilla Firefox\extensions\{E8FC9FCE-B152-481B-816C-794628625FEC}\install.rdf
// c:\program files\Mozilla Firefox\extensions\{EEFC096A-6E90-48A7-A322-2ABBB47FF89C}
// c:\program files\Mozilla Firefox\extensions\{EEFC096A-6E90-48A7-A322-2ABBB47FF89C}\chrome.manifest
// c:\program files\Mozilla Firefox\extensions\{EEFC096A-6E90-48A7-A322-2ABBB47FF89C}\chrome\content\overlay.xul
// c:\program files\Mozilla Firefox\extensions\{EEFC096A-6E90-48A7-A322-2ABBB47FF89C}\install.rdf
// c:\program files\Mozilla Firefox\extensions\{F0A004A0-BF6F-44BD-9979-5935A9F954BE}
// c:\program files\Mozilla Firefox\extensions\{F0A004A0-BF6F-44BD-9979-5935A9F954BE}\chrome.manifest
// c:\program files\Mozilla Firefox\extensions\{F0A004A0-BF6F-44BD-9979-5935A9F954BE}\chrome\content\overlay.xul
// c:\program files\Mozilla Firefox\extensions\{F0A004A0-BF6F-44BD-9979-5935A9F954BE}\install.rdf


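// Malware.Fraud.CleanupAntivirus:
// Rogue ("fake") antivirus. Settings key seen in the log: HKEY_CURRENT_USER\Software\CleanUp Antivirus
RegyKey:"<$REG_SETTINGS>",HKEY_CURRENT_USER,"\SOFTWARE\","CleanUp Antivirus"
// The executable sits in a sub-folder of CommonAppData whose name (and EXE name) is not fixed, hence the two
// wildcards; the entry is keyed on the autorun's display name, and flagifnofile=1 presumably keeps it reported
// even when the target binary is already gone — verify against the variable/flag reference.
AutoRun:"CleanUp Antivirus","<$COMMONAPPDATA>\*\*.exe","flagifnofile=1"
// Shortcuts the rogue drops for the user.
File:"<$FILE_LINK>","<$QUICKLAUNCH>\CleanUp Antivirus.lnk"
File:"<$FILE_DESKTOPLINK>","<$DESKTOP>\CleanUp Antivirus.lnk"
File:"<$FILE_LINK>","<$STARTMENU>\CleanUp Antivirus.lnk"
File:"<$FILE_LINK>","<$PROGRAMS>\CleanUp Antivirus.lnk"
// cookies.sqlite is a file inside the data folder, not a folder itself. It was previously listed as a
// Directory entry, which can never match a file; listed as a data file so it is removed before the folder.
File:"<$FILE_DATA>","<$APPDATA>\CleanUp Antivirus\cookies.sqlite"
Directory:"<$DIR_APPDATA>","<$APPDATA>\CleanUp Antivirus"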


// Rootkit.Bredolab:
// See also: http://www.systemlookup.com/Startup/21806-winesm32_exe.html
// HijackThis-style line: O4 - Startup: winesm32.exe
// Persists as a plain EXE in the Startup folder (no Run key needed).
// NOTE(review): this is the only NTFile entry in the file, everything else uses File —
// presumably it restricts the check to NT-based Windows; confirm that is intended.
NTFile:"<$FILE_EXE>","<$STARTUP>\winesm32.exe"


// Rootkit.Agent:
// See #80 (presumably the previous New Malware post, v80)
// From a ComboFix log
// Log excerpt only — no detection entry yet. The log shows a driver (seagate.sys) in system32 together with its
// Service_/Legacy_ pair; the name is chosen to look like a disk-vendor driver, so any rule should match the exact
// path plus the service name rather than the bare file name.
// -------\Legacy_SEAGATE
// -------\Service_seagate
// c:\windows\system32\seagate.sys


// Rootkit.TDSS:
// From a ComboFix log
// Log excerpt only — no detection entry yet. Every name shares the "_VOID" prefix followed by a random-looking
// suffix (files in CommonAppData and system32 plus a Service_/Legacy_ pair), so a rule would need a wildcard
// on the suffix, e.g. keyed on "_VOID*" under those two folders, rather than the literal names below.
// c:\documents and settings\All Users\Application Data\_VOIDkrl32mainweq.dll
// c:\documents and settings\All Users\Application Data\_VOIDmainqt.dll
// c:\windows\system32\_VOIDmeofxjwlms.dll
// c:\windows\system32\_VOIDpyyyhlyrqj.dll
// c:\windows\system32\_VOIDqhhjgkvymp.dat
// c:\windows\system32\_VOIDqmnmpkkisk.dll
// -------\Service__VOIDd.sys
// -------\Legacy__VOIDd.sys
// -------\Service__VOIDuiqoufjpyf
// -------\Legacy__VOIDuiqoufjpyf


// Spyware.AdRotator:
// See also: http://www.systemlookup.com/Startup/11491-sprt_ads_dll.html
// Three display names have been seen for the same BHO; the DLL name is left open ("*.dll") on purpose,
// so the three CLSIDs below are what pins the registry side down.
BrowserHelperEx:"superiorads","filename=*.dll"
BrowserHelperEx:"superiorads browser optimizer","filename=*.dll"
BrowserHelperEx:"browser optimizer superiorads","filename=*.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{43FC67B6-4C25-4afd-AE7A-9EF3E4587026}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{43FC67B6-4C25-4afd-AE7A-9EF3E4587026}"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{79F562E5-768C-4494-8E6C-824ADA4A9C2C}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{79F562E5-768C-4494-8E6C-824ADA4A9C2C}"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{4AD44D3E-7316-4251-B754-9B10EC96AF92}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{4AD44D3E-7316-4251-B754-9B10EC96AF92}"
// Filename fixed. The Run value launches the DLL through rundll32, as seen in the log:
// AutoRun:"spa_start","C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\sprt_ads.dll" DllStart","flagifnofile=1"
// The trailing * lets the path match the rest of the rundll32 command line (the "DllStart" export name).
AutoRun:"spa_start","<$SYSDIR>\sprt_ads.dll*","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","spa_start"
// Kept commented: a command line is not a file path, the DLL itself is matched on the next line.
// File:"<$FILE_EXE>","C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\sprt_ads.dll" DllStart"
File:"<$FILE_LIBRARY>","<$SYSDIR>\sprt_ads.dll"


// Trojan.Autorun:
// Also found under WINDIR
// Run value named to look like a Windows component ("Firewall Administrating"). Log entry:
// AutoRun:"Firewall Administrating","C:\Users\Public\infocard.exe","flagifnofile=1"
// NOTE(review): the log path is C:\Users\Public (the shared profile). <$PROFILE> presumably expands to the
// current user's profile, which may not cover that folder — confirm against the variable list, and check
// whether a shared-profile variable exists for this case.
AutoRun:"Firewall Administrating","<$PROFILE>\infocard.exe","flagifnofile=1"
AutoRun:"Firewall Administrating","<$WINDIR>\infocard.exe","flagifnofile=1"
// Run value is matched in HKCU only; the other autorun entries in this file use HKLM — verify which hive the sample uses.
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","Firewall Administrating"
// Kept commented until the Public-folder variable question above is settled.
// File:"<$FILE_EXE>","C:\Users\Public\infocard.exe"


// Trojan.Clicker:
// Name as used by Kaspersky
// See also: http://www.systemlookup.com/CLSID/61603-shtml_dll.html
// BHO registered under the innocuous name "html class"; the DLL sits in a "2052" subfolder of system32
// (2052 is the Windows LCID for Simplified Chinese, presumably chosen so the folder looks like a locale directory).
BrowserHelperEx:"html class","filename=shtml.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{FFFFEECE-FFF8-8222-2FB0-2935B9090508}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{FFFFEECE-FFF8-8222-2FB0-2935B9090508}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\2052\shtml.dll"


// Trojan.FakeAlert.ttam:
// Persists through ShellServiceObjectDelayLoad (SSODL), a classic Explorer-loaded persistence point.
// NOTE(review): the value name (KNaFTHIZPB), the CLSID and the DLL name (gghx.dll) all look sample-specific,
// so this entry will only catch this exact variant; widen it once more samples are available.
RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","KNaFTHIZPB","KNaFTHIZPB={CE955D30-643F-F79A-EB60-D160B0E0B16A}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\gghx.dll"


// Trojan.Rbot:
// See also: http://www.systemlookup.com/search.php?list=%26type=name%26search=Microsoft Update Machine%26s=
// Run value named to look like a Windows component ("Microsoft Update Machine"). Log entry:
// AutoRun:"Microsoft Update Machine","<$SYSDIR>\temporary_51518.exe","flagifnofile=1"
// The numeric suffix evidently varies (the AutoRun entry was widened to temporary_*.exe).
AutoRun:"Microsoft Update Machine","<$SYSDIR>\temporary_*.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","Microsoft Update Machine"
// NOTE(review): the File entry still carries the fixed suffix from the log, so other samples' binaries are
// flagged via the Run value but not removed — widen it to match the AutoRun entry if File entries accept wildcards.
File:"<$FILE_EXE>","<$SYSDIR>\temporary_51518.exe"


// Trojan.Sdbot:
// See: http://www.systemlookup.com/search.php?list=%26type=filename%26search=winsvc.exe%26s=
// Run value named to look like a Windows component ("Windows Critical Host Protocol"); the binary
// (winsvc.exe) sits in system32. Both the autorun and the file are matched, so the entry is also
// reported when only the Run value is left behind (flagifnofile=1).
AutoRun:"Windows Critical Host Protocol","<$SYSDIR>\winsvc.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","Windows Critical Host Protocol"
File:"<$FILE_EXE>","<$SYSDIR>\winsvc.exe"


// Trojan.Virtumonde(1):
// Several independent sub-entries from different samples; each group below stands on its own.
// BHO sample: the display name is left open ("*"), the DLL name lvrygn.dll is the anchor.
BrowserHelperEx:"*","filename=lvrygn.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{f3ffe105-d023-47f8-a127-88c0416b5d79}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{f3ffe105-d023-47f8-a127-88c0416b5d79}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\lvrygn.dll"

// rundll32 sample 1. Log entry:
// AutoRun:"efdcdedrv","rundll32.exe "byvwwt.dll",s","flagifnofile=1"
// NOTE(review): the logged command line carries no directory for byvwwt.dll; <$SYSDIR> is assumed because a bare
// DLL name is resolved through the standard search path — verify if the entry fails to match on a live sample.
// Name "*" with flagifnofile=0: any Run value pointing at this DLL is reported, but only while the DLL exists.
AutoRun:"*","<$SYSDIR>\byvwwt.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","efdcdedrv"
// Kept commented: a command line is not a file path.
// File:"<$FILE_EXE>","rundll32.exe "byvwwt.dll",s"
File:"<$FILE_LIBRARY>","<$SYSDIR>\byvwwt.dll"

// rundll32 sample 2 (DLL in WINDIR, entry point "Startup"). Log entry:
// AutoRun:"Ovosibumerujomu","rundll32.exe "C:\WINDOWS\edogiqet.dll",Startup","flagifnofile=1"
AutoRun:"*","<$WINDIR>\edogiqet.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","Ovosibumerujomu"
// File:"<$FILE_EXE>","rundll32.exe "C:\WINDOWS\edogiqet.dll",Startup"
File:"<$FILE_LIBRARY>","<$WINDIR>\edogiqet.dll"

// rundll32 sample 3 (same pattern as sample 2).
// AutoRun:"Xmasepe","rundll32.exe "C:\WINDOWS\uquvabup.dll",Startup","flagifnofile=1"
AutoRun:"*","<$WINDIR>\uquvabup.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","Xmasepe"
// File:"<$FILE_EXE>","rundll32.exe "C:\WINDOWS\uquvabup.dll",Startup"
File:"<$FILE_LIBRARY>","<$WINDIR>\uquvabup.dll"

// AppInit_DLLs samples. AppInit_DLLs is a list of DLLs injected into every process that loads user32.dll;
// RegyRemove with the DLL name as last parameter presumably strips just that name from the list instead of
// deleting the whole value, so legitimate entries in the same value are left intact — this is the right
// form for this key; never replace it with a plain RegyValue on AppInit_DLLs.
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","zefirena.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\zefirena.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","siduzeji.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\siduzeji.dll"


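// Trojan.Virtumonde(2):
// Random-looking 8-letter file names in <$SYSDIR>; this group carries file entries only (no autorun, BHO or
// AppInit_DLLs key was available for these samples), so it cleans the binaries but not their load points.
File:"<$FILE_LIBRARY>","<$SYSDIR>\geminuno.dll"
// Fixed: the original entry had a doubled backslash ("<$SYSDIR>\\hupamuda.dll"), which does not match the real path.
File:"<$FILE_LIBRARY>","<$SYSDIR>\hupamuda.dll"
File:"<$FILE_EXE>","<$SYSDIR>\kotakowe.exe"
File:"<$FILE_LIBRARY>","<$SYSDIR>\pojipore.dll"
File:"<$FILE_EXE>","<$SYSDIR>\hesahubu.exe"
File:"<$FILE_LIBRARY>","<$SYSDIR>\ketafopo.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\zoluvuwo.dll"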