I've collected detection rules for the following malware:
  • Rootkit.Zbot
  • Spyware.Spynet
  • Trojan.FakeAlert.ttam(2)
  • Trojan.Fraudpack(2)
  • Trojan.Rbot
  • Trojan.Virtumonde(2)
Category: Trojan
Code:
:: New Malware v90
// Revision 1
// {Cat:Trojan}{Cnt:1}
// {Det:Matt,2010-03-23}
//
// Reading this file: a commented-out "// RegyValue:" / "// AutoRun:" /
// "// File:" line directly above an active rule is the raw value as observed
// on the infected machine (user-specific paths, quoting, arguments) and is
// kept only as reference. The active rule beneath it is the generalised form,
// with the machine-specific parts replaced by placeholders such as <$SYSDIR>,
// <$WINDIR>, <$SYSDRIVE>, <$APPDATA> so it matches on any machine.


// Rootkit.Zbot:
// The infected UserInit value chains the dropper after the legitimate
// userinit.exe. RegyRemove names only the appended "<$SYSDIR>\mssrkv32.exe,"
// element, so presumably just that element is stripped and the genuine
// userinit.exe entry is left intact. NTFile rather than File is used for the
// binary -- presumably the low-level removal path needed for a file the
// rootkit hides; keep it that way.
// RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\","UserInit","UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\mssrkv32.exe,"
RegyRemove:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\","UserInit","<$SYSDIR>\mssrkv32.exe,"
NTFile:"<$FILE_EXE>","<$SYSDIR>\mssrkv32.exe"


// Spyware.Spynet:
// Both the "load" and "run" values point at a winlogon.exe impostor inside a
// random-looking subdirectory of <$SYSDIR>. That subdirectory is the only
// thing separating it from the real winlogon.exe, so the Directory rule must
// stay scoped to "<$SYSDIR>\qcroevcc" and never widen to <$SYSDIR> itself.
// RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","load","load=C:\WINDOWS\system32\qcroevcc\winlogon.exe"
RegyRemove:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","load","<$SYSDIR>\qcroevcc\winlogon.exe"
// RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","run","run=C:\WINDOWS\system32\qcroevcc\winlogon.exe"
RegyRemove:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","run","<$SYSDIR>\qcroevcc\winlogon.exe"
File:"<$FILE_EXE>","<$SYSDIR>\qcroevcc\winlogon.exe"
Directory:"<$DIR_PROG>","<$SYSDIR>\qcroevcc"


// Trojan.FakeAlert.ttam(1):
// NOTE(review): "F.lux" / flux.exe is also the name and binary of a widely
// used legitimate per-user display-colour utility that installs under
// Local Settings\Apps with exactly this Run value. As written, these rules
// would match such an install too. Confirm that the captured sample is really
// the FakeAlert payload before shipping this entry, or tighten the File rule
// with an additional condition the engine supports.
// AutoRun:"F.lux",""C:\Users\James\Local Settings\Apps\F.lux\flux.exe" /noshow","flagifnofile=1"
AutoRun:"F.lux","<$LOCALSETTINGS>\Apps\F.lux\flux.exe*","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","F.lux"
// File:"<$FILE_EXE>",""C:\Users\James\Local Settings\Apps\F.lux\flux.exe" /noshow"
File:"<$FILE_EXE>","<$LOCALSETTINGS>\Apps\F.lux\flux.exe"
Directory:"<$DIR_PROG>","<$LOCALSETTINGS>\Apps\F.lux"


// Trojan.FakeAlert.ttam(2):
// Two droppers masquerading as system components outside the real system
// directory. The Directory rules for Temp32 and System\Microsoft carry a
// "filename=" guard so the folder is only handled when it still holds the
// named dropper; the bare "<$SYSDRIVE>\System" rule on the last line has no
// such guard -- presumably the engine only removes it once the line above
// has emptied it. Confirm that before release.
// AutoRun:"winlogon","C:\Temp32\winlogon.exe","flagifnofile=1"
AutoRun:"winlogon","<$SYSDRIVE>\Temp32\winlogon.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","winlogon"
// File:"<$FILE_EXE>","C:\Temp32\winlogon.exe"
File:"<$FILE_EXE>","<$SYSDRIVE>\Temp32\winlogon.exe"
Directory:"<$DIR_PROG>","<$SYSDRIVE>\Temp32","filename=winlogon.exe"
// AutoRun:"Updater","C:\System\Microsoft\System.exe","flagifnofile=1"
AutoRun:"Updater","<$SYSDRIVE>\System\Microsoft\System.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","Updater"
// File:"<$FILE_EXE>","C:\System\Microsoft\System.exe"
File:"<$FILE_EXE>","<$SYSDRIVE>\System\Microsoft\System.exe"
Directory:"<$DIR_PROG>","<$SYSDRIVE>\System\Microsoft","filename=System.exe"
Directory:"<$DIR_PROG>","<$SYSDRIVE>\System"


// Trojan.Fraudpack(1):
// "???.exe" generalises the four observed three-letter random file names; the
// AutoRun rule is anchored on the fixed value name YVIBBBHA8C, not on the file
// name, which is what keeps the wildcard from being too broad. The File rules
// list only the four names seen so far, so a new variant's dropper would be
// left on disk after its autorun entry is removed.
// AutoRun:"YVIBBBHA8C","C:\Users\Till\AppData\Local\Temp\Hdx.exe","flagifnofile=1"
// AutoRun:"YVIBBBHA8C","c:\users\stevey\appdata\local\temp\Anp.exe","flagifnofile=1"
// AutoRun:"YVIBBBHA8C","C:\Users\Florian\AppData\Local\Temp\Hnl.exe","flagifnofile=1"
// AutoRun:"YVIBBBHA8C","C:\Users\Lars\AppData\Local\Temp\Hhx.exe","flagifnofile=1"
AutoRun:"YVIBBBHA8C","<$LOCALAPPDATA>\Temp\???.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","YVIBBBHA8C"
File:"<$FILE_EXE>","<$LOCALAPPDATA>\Temp\Hdx.exe"
File:"<$FILE_EXE>","<$LOCALAPPDATA>\temp\Anp.exe"
File:"<$FILE_EXE>","<$LOCALAPPDATA>\Temp\Hnl.exe"
File:"<$FILE_EXE>","<$LOCALAPPDATA>\Temp\Hhx.exe"


// Trojan.Fraudpack(2):
// Single sample. The AutoRun wildcard "<$WINDIR>\*.exe" is kept safe only by
// the fixed value name WEK9EMDHI9; the File rule still names just Hwolaa.exe,
// so a differently named dropper would be left behind.
// AutoRun:"WEK9EMDHI9","C:\Windows\Hwolaa.exe","flagifnofile=1"
AutoRun:"WEK9EMDHI9","<$WINDIR>\*.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","WEK9EMDHI9"
// File:"<$FILE_EXE>","C:\Windows\Hwolaa.exe"
File:"<$FILE_EXE>","<$WINDIR>\Hwolaa.exe"


// Trojan.Rbot:
// The File rule is still commented out, so this entry removes the autorun
// value but leaves lssas.exe on disk -- intentional or an oversight?
// NOTE(review): if <$APPDATA> already expands to ...\AppData\Roaming, the
// "\Roaming" element in the AutoRun path is doubled and the rule never
// matches; verify the placeholder's expansion against the observed path.
// AutoRun:"Microsoft Update Manager","C:\Users\Adam\AppData\Roaming\lssas.exe","flagifnofile=1"
AutoRun:"Microsoft Update Manager","<$APPDATA>\Roaming\lssas.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","Microsoft Update Manager"
// File:"<$FILE_EXE>","C:\Users\Adam\AppData\Roaming\lssas.exe"


// Trojan.Virtumonde(1):
// Two loaders. First a BHO (dmscript32.dll) registered under the CLSID below;
// the trailing lower-case "e" in the GUID is copied from the sample and is
// harmless since registry key names are case-insensitive.
BrowserHelperEx:"*","filename=dmscript32.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{03D9C0B4-DAD3-411F-9DD4-EC13E0AEFBFe}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{03D9C0B4-DAD3-411F-9DD4-EC13E0AEFBFe}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\dmscript32.dll"

// Second, es32.dll loaded via AppInit_DLLs and via a Winlogon Notify key with
// an apparently random name. RegyRemove names only the es32.dll element, so
// presumably just that element is stripped from the AppInit_DLLs list rather
// than the whole value; the Notify key is removed outright.
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\es32.dll"
RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\","4881f00e851","DllName=<$SYSDIR>\es32.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\es32.dll"


// Trojan.Virtumonde(2):
// File-only detection: no autorun or registry hook was captured for these four
// apparently random-named components, so whatever loads them is not cleaned
// here and may reinstate them.
File:"<$FILE_LIBRARY>","<$SYSDIR>\gudasene.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\rurimita.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\dukareyo.dll"
File:"<$FILE_EXE>","<$SYSDIR>\wewusigo.exe"