I've collected detection rules for the following malware:
  • Malware.Fraud.Antivirus7
  • Malware.Lop
  • PUPS.MyWebSearch.WeatherBugToolbar
  • Trojan.Agent(2)
  • Trojan.Virtumonde(2)
  • Worm.IRCBot
Category: Trojan
Code:
:: New Malware v84
// Revision 1
// {Cat:Trojan}{Cnt:1}
// {Det:Matt,2010-03-13}


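// Malware.Fraud.Antivirus7:
// Rogue antivirus ("AV7"). Covered: its HKCU settings key, an IE Browser Helper
// Object registration, the HKCU Run autostart, and the on-disk program files.
// HKEY_CURRENT_USER\Software\EVA246
// Fixed: the root hive was mis-typed as HKEY_LCURRENT_USER, so this key rule could never match.
RegyKey:"<$REG_SETTINGS>",HKEY_CURRENT_USER,"\Software\","EVA246"
// HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform "WinNT-EVI 12.03.2010"
// NOTE(review): the Post Platform value above is only documented, no rule is written for it — add one if it is reliably present on infected systems.
// NOTE(review): "%26" in the BHO display name looks like a URL-encoded "&" left over from copy/paste — confirm the real name before relying on it.
BrowserHelperEx:"%26UpdateCheck.dll","filename=UpdateExplorer.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{E2BFE352-A303-4EA8-88FE-CE35361D7E8B}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{E2BFE352-A303-4EA8-88FE-CE35361D7E8B}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\UpdateExplorer.dll"
// Absolute paths from the log are kept as comments; the live rules use <$PROGRAMFILES>
// so they also match non-default or localized installation folders.
// AutoRun:"AV7","C:\Program Files\AV7\antivirus7.exe","flagifnofile=1"
AutoRun:"AV7","<$PROGRAMFILES>\AV7\antivirus7.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","AV7"
// File:"<$FILE_EXE>","C:\Program Files\AV7\antivirus7.exe"
File:"<$FILE_EXE>","<$PROGRAMFILES>\AV7\antivirus7.exe"
File:"<$FILE_DESKTOPLINK>","<$DESKTOP>\Antivirus7.lnk"
File:"<$FILE_LINK>","<$COMMONSTARTMENU>\AV7\Antivirus7.lnk"
File:"<$FILE_LINK>","<$COMMONSTARTMENU>\AV7\Uninstall.lnk"
// NOTE(review): SoftwareDistribution\DataStore\Logs is the Windows Update datastore's
// own log area and tmp.edb there is a transient file of that database, not something
// specific to AV7 — this line is a likely false positive on clean systems; confirm before shipping.
File:"<$FILE_DATA>","<$WINDIR>\SoftwareDistribution\DataStore\Logs\tmp.edb"
Directory:"<$DIR_PROG>","<$COMMONSTARTMENU>\AV7"
Directory:"<$DIR_PROG>","<$PROGRAMFILES>\AV7"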


// Malware.Lop:
// Found Jochen's favourite here:  http://www.trojaner-board.de/83692-virenprobleme-und-keine-loesung.html
// Please include, since Spybot does not detect it!
// Two autostarts: a machine-wide one under HKLM\...\Run pointing into the common
// application data folder, and a per-user one under HKCU\...\Run pointing into the
// user's application data folder. The original absolute (German-locale) paths from the
// log are kept as comments; the live rules use <$COMMONAPPDATA>/<$APPDATA> placeholders
// so they match regardless of locale.
// AutoRun:"roam slow curb balm","C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Bait cake roam slow\Mix Close.exe","flagifnofile=1"
AutoRun:"roam slow curb balm","<$COMMONAPPDATA>\Bait cake roam slow\Mix Close.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","roam slow curb balm"
// File:"<$FILE_EXE>","C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Bait cake roam slow\Mix Close.exe"
File:"<$FILE_EXE>","<$COMMONAPPDATA>\Bait cake roam slow\Mix Close.exe"
Directory:"<$DIR_COMMON_APPDATA>","<$COMMONAPPDATA>\Bait cake roam slow"
// The log only shows the 8.3 short name LOGFRE~1; the wildcard LOGFRE* stands in for the unknown long folder name.
// AutoRun:"cdrom help","C:\DOKUME~1\SORAJA~1\ANWEND~1\LOGFRE~1\Funk Clock Ante.exe","flagifnofile=1"
AutoRun:"cdrom help","<$APPDATA>\LOGFRE*\Funk Clock Ante.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","cdrom help"
// File:"<$FILE_EXE>","C:\DOKUME~1\SORAJA~1\ANWEND~1\LOGFRE~1\Funk Clock Ante.exe"
File:"<$FILE_EXE>","<$APPDATA>\LOGFRE*\Funk Clock Ante.exe"
// Why can't the Directory command take spaces? That is annoying. I had no other way out than using a question mark.
// NOTE(review): "?" is used here as a single-character wildcard in place of the spaces in "Funk Clock Ante.exe" — confirm the filename= option actually treats it that way.
Directory:"<$DIR_APPDATA>","<$APPDATA>\LOGFRE*","filename=Funk?Clock?Ante.exe"


// PUPS.MyWebSearch.WeatherBugToolbar:
// IE toolbar registration plus its COM class; BrowserHelperEx matches the toolbar by its module name.
BrowserHelperEx:"WeatherBug Browser Bar - powered by MyWebSearch","filename=W6BAR.DLL"
// NOTE(review): this is an Internet Explorer\Toolbar value, not a Browser Helper Objects key, yet it reuses the <$REG_BHO> description — check whether a toolbar-specific description is expected here.
RegyValue:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Internet Explorer\Toolbar\","{8EAB99C9-F9EC-4b64-A4BA-D9BCAE8779C2}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{8EAB99C9-F9EC-4b64-A4BA-D9BCAE8779C2}"


// Trojan.Agent(1):
// Single executable dropped directly in the user's profile root and started from HKCU\...\Run.
AutoRun:"saihoi","<$PROFILE>\saihoi.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","saihoi"
File:"<$FILE_EXE>","<$PROFILE>\saihoi.exe"


// Trojan.Agent(2):
// Please include; the autostart name is fixed!
// The dropped executable's name varies (drweb.exe and ejhw4hlc.exe were seen), so the
// file path is a wildcard in the user's Temp folder and the match rests on the two fixed
// Run value names. The original log lines are kept as comments.
// AutoRun:"asg984jgkfmgasi8ug98jgkfgfb","C:\Users\owner\AppData\Local\Temp\drweb.exe","flagifnofile=1"
AutoRun:"asg984jgkfmgasi8ug98jgkfgfb","<$LOCALAPPDATA>\Temp\*.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","asg984jgkfmgasi8ug98jgkfgfb"
// AutoRun:"gdf498gtudsigjnsod8guifjgfhfhf","C:\Users\owner\AppData\Local\Temp\ejhw4hlc.exe","flagifnofile=1"
AutoRun:"gdf498gtudsigjnsod8guifjgfhfhf","<$LOCALAPPDATA>\Temp\*.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","gdf498gtudsigjnsod8guifjgfhfhf"


// Trojan.Virtumonde(1):
// Several persistence mechanisms of the same family, each listed as registry entry + payload DLL:
//   - IE Browser Helper Objects (randomly named DLLs in <$SYSDIR>)
//   - HKLM\...\Run values that load a DLL through rundll32.exe
//   - AppInit_DLLs injection
//   - Winlogon\Notify packages
//   - ShellServiceObjectDelayLoad and Explorer\SharedTaskScheduler COM objects
// lodikava.dll and zijofege.dll appear under more than one mechanism, so their File: lines
// are repeated; each group is kept self-contained on purpose.
BrowserHelperEx:"*","filename=sezibehe.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{9567b540-9cc2-4c86-9d06-cf141bc80f1c}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{9567b540-9cc2-4c86-9d06-cf141bc80f1c}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\sezibehe.dll"

BrowserHelperEx:"*","filename=cnetcfg32.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{01F36772-3D8F-4BF9-91A3-A88BF4280CDe}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{01F36772-3D8F-4BF9-91A3-A88BF4280CDe}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\cnetcfg32.dll"

// The Run value data is a rundll32.exe command line rather than a bare path (see the
// commented log lines), so the live rules match the DLL path with a trailing wildcard that
// swallows the ",EntryPoint" suffix. The value name is random, hence AutoRun:"*" with the
// fixed name only in the RegyValue line.
// NOTE(review): these three use flagifnofile=0 while every other AutoRun in this file uses
// flagifnofile=1 — presumably because the command-line form cannot be tied to a file
// existence check; confirm this is intended.
// AutoRun:"Xlazolonizoki","rundll32.exe "C:\WINDOWS\edukifas.dll",Startup","flagifnofile=1"
AutoRun:"*","<$WINDIR>\edukifas.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","Xlazolonizoki"
// File:"<$FILE_EXE>","rundll32.exe "C:\WINDOWS\edukifas.dll",Startup"
File:"<$FILE_LIBRARY>","<$WINDIR>\edukifas.dll"

// AutoRun:"fogiyevato","Rundll32.exe "yorokuzi.dll",s","flagifnofile=1"
AutoRun:"*","<$SYSDIR>\yorokuzi.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","fogiyevato"
// File:"<$FILE_EXE>","Rundll32.exe "yorokuzi.dll",s"
File:"<$FILE_LIBRARY>","<$SYSDIR>\yorokuzi.dll"

// AutoRun:"zuyalavaz","Rundll32.exe "c:\windows\system32\zijofege.dll",a","flagifnofile=1"
AutoRun:"*","<$SYSDIR>\zijofege.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","zuyalavaz"
// File:"<$FILE_EXE>","Rundll32.exe "c:\windows\system32\zijofege.dll",a"
File:"<$FILE_LIBRARY>","<$SYSDIR>\zijofege.dll"

// AppInit_DLLs: the value is shared with legitimate entries, so RegyRemove is used with the
// malicious DLL name as the last argument instead of deleting the whole value.
// NOTE(review): assumes RegyRemove strips only the named entry from the value's data — confirm.
// Two of the entries were logged with a full <$SYSDIR> path and two as bare file names; the
// rules mirror the logged form.
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\lodikava.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\lodikava.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","botenive.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\botenive.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","detezija.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\detezija.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\zijofege.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\zijofege.dll"

// Winlogon\Notify: the subkey is matched together with its DllName= data, so a subkey of the
// same name pointing to a different DLL is not flagged.
RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\","pmnligDu","DllName=pmnligDu.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\pmnligDu.dll"

RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\","qommnnl","DllName=qommnnl.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\qommnnl.dll"

RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\","2e7afcaf823","DllName=<$SYSDIR>\d3dpmesh32.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\d3dpmesh32.dll"

// SSODL and SharedTaskScheduler registrations: the same two CLSIDs are reused across both
// locations ({3daca71b-...} -> lodikava.dll, {c0a5efe0-...} -> zijofege.dll), matched on
// value name + data.
RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","begahasol","begahasol={3daca71b-1667-43fd-a2c0-7a3b11667993}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\lodikava.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","suzetekur","suzetekur={c0a5efe0-32b7-4420-b5f7-c71ee2624bd6}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\zijofege.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","kupuhivus","kupuhivus={c0a5efe0-32b7-4420-b5f7-c71ee2624bd6}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\zijofege.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","mujuzedij","mujuzedij={3daca71b-1667-43fd-a2c0-7a3b11667993}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\lodikava.dll"


// Trojan.Virtumonde(2):
// From a DDS log file:
// File-only detections — the log gave no registry context for these DLLs.
// detezija.dll and zijofege.dll are also listed under Trojan.Virtumonde(1) above.
File:"<$FILE_LIBRARY>","<$SYSDIR>\detezija.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\hukuwozu.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\larewabo.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\wenatune.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\zijofege.dll"


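// Worm.IRCBot:
// Name according to Sophos
// See also here: http://www.systemlookup.com/O21/190-sysprinters_dll.html
// Or also here: http://www.sophos.com/security/analyses/viruses-and-spyware/w32ircbotwv.html
// The CLSID is random!
// The ShellServiceObjectDelayLoad value name "system32" is constant while its CLSID data
// differs per infection, so the live rule matches the name and wildcards the data.
// RegyValue:"<description>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","system32","system32={66934E72-B2FC-423D-9537-D0B70802B732}"
RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","system32","system32=*"
// Fixed: the placeholder was written as <SYSDIR> (missing "$"); every other rule in this file
// uses <$SYSDIR>, and without the "$" the path would not expand and the DLL would never be matched.
File:"<$FILE_LIBRARY>","<$SYSDIR>\sysprinters.dll"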