I've collected detection rules for the following malware:
  • Adware.Ecobar
  • Rootkit.Zbot
  • Spyware.AdRotator
  • Spyware.Spynet(2)
  • Trojan.Agent(4)
  • Trojan.Autorun
  • Trojan.FakeAlert.ttam
  • Trojan.Fraudpack(2)
  • Trojan.Virtumonde
Category: Trojan
Code:
:: New Malware v96
// Revision 1
// {Cat:Test}{Cnt:1}
// {Det:Matt,2010-04-03}


// Adware.Ecobar:
// Detects Ecobar through its Browser Helper Object (BHO) entry, the matching
// CLSID registration, ecobar.dll itself and its folder under Program Files.
// Confirmed here: http://www.systemlookup.com/CLSID/66381-ecobar_dll.html
BrowserHelperEx:"TBSB07286","filename=ecobar.dll"
// The same CLSID is listed twice: once as the BHO key, once as the COM class key.
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{C23D0D6A-8CBA-4B33-9735-47D81F5B2B85}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{C23D0D6A-8CBA-4B33-9735-47D81F5B2B85}"
File:"<$FILE_LIBRARY>","<$PROGRAMFILES>\ecobar\ecobar.dll"
Directory:"<$DIR_PROG>","<$PROGRAMFILES>\ecobar"


// Rootkit.Zbot:
// Persistence here is an extra executable appended to the Winlogon "userinit" value.
// The full-value RegyValue match is kept commented out for reference; the active
// RegyRemove rule names only the appended "<$SYSDIR>\mshhyx32.exe," entry.
// NOTE(review): the legitimate userinit.exe entry must survive cleanup or logon breaks -
// confirm RegyRemove strips only the listed substring and never the whole value.
// RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\","userinit","userinit=c:\windows\system32\userinit.exe,c:\windows\system32\mshhyx32.exe,"
RegyRemove:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\","userinit","<$SYSDIR>\mshhyx32.exe,"
NTFile:"<$FILE_EXE>","<$SYSDIR>\mshhyx32.exe"


// Spyware.AdRotator:
// Detects the BHO registered under the name "everyflv" plus its CLSID keys.
// NOTE(review): "filename=*.dll" accepts any DLL behind that BHO name, presumably
// because the DLL name is randomised (see BF0J5mY72qLKj.dll below); the File rule
// only covers that single observed name - confirm other samples are still removed.
BrowserHelperEx:"everyflv","filename=*.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{974b67ce-4e61-69f4-7f1f-4a28dc1948c3}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{974b67ce-4e61-69f4-7f1f-4a28dc1948c3}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\BF0J5mY72qLKj.dll"


// Spyware.Spynet(1):
// The binary is named svchost.exe but sits in a "svchost" subfolder of the system
// directory rather than in the system directory itself; the rules key on that path.
// The two O4 lines are the autostart entries as quoted from the scan log.
// O4 - HKLM\..\Policies\Explorer\Run: [Policies] C:\WINDOWS\system32\svchost\svchost.exe
// O4 - HKCU\..\Policies\Explorer\Run: [Policies] C:\WINDOWS\system32\svchost\svchost.exe
AutoRun:"Policies","<$SYSDIR>\svchost\svchost.exe","flagifnofile=1"
// Each commented AutoRun line is the hard-coded C:\WINDOWS form; the active line
// after it is the same rule rewritten with <$SYSDIR>.
// AutoRun:"HKLM","C:\WINDOWS\system32\svchost\svchost.exe","flagifnofile=1"
AutoRun:"HKLM","<$SYSDIR>\svchost\svchost.exe","flagifnofile=1"
// AutoRun:"HKCU","C:\WINDOWS\system32\svchost\svchost.exe","flagifnofile=1"
AutoRun:"HKCU","<$SYSDIR>\svchost\svchost.exe","flagifnofile=1"
File:"<$FILE_EXE>","<$SYSDIR>\svchost\svchost.exe"
Directory:"<$DIR_PROG>","<$SYSDIR>\svchost"


// Spyware.Spynet(2):
// Variant that drops winlogon.exe and csrss.exe into an "explorer" subfolder of the
// system directory and starts them through Run values named "HKLM" and "HKCU".
// Commented lines are the original hard-coded paths; active lines use <$SYSDIR>.
// AutoRun:"HKLM","c:\windows\system32\explorer\winlogon.exe","flagifnofile=1"
AutoRun:"HKLM","<$SYSDIR>\explorer\winlogon.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","HKLM"
// File:"<$FILE_EXE>","c:\windows\system32\explorer\winlogon.exe"
File:"<$FILE_EXE>","<$SYSDIR>\explorer\winlogon.exe"
// AutoRun:"HKCU","c:\windows\system32\explorer\csrss.exe","flagifnofile=1"
AutoRun:"HKCU","<$SYSDIR>\explorer\csrss.exe","flagifnofile=1"
// NOTE(review): the value named "HKCU" is looked up under HKEY_LOCAL_MACHINE here;
// the name suggests it may live under HKEY_CURRENT_USER - verify against the log.
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","HKCU"
// File:"<$FILE_EXE>","c:\windows\system32\explorer\csrss.exe"
File:"<$FILE_EXE>","<$SYSDIR>\explorer\csrss.exe"
Directory:"<$DIR_PROG>","<$SYSDIR>\explorer"


// Trojan.Agent(1):
// An explorer.exe placed in an "updater" subfolder of the system directory and
// started through the Run value "Updater".
// Commented lines are the original hard-coded paths; active lines use <$SYSDIR>.
// AutoRun:"Updater","C:\WINDOWS\system32\updater\explorer.exe","flagifnofile=1"
AutoRun:"Updater","<$SYSDIR>\updater\explorer.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","Updater"
// File:"<$FILE_EXE>","C:\WINDOWS\system32\updater\explorer.exe"
File:"<$FILE_EXE>","<$SYSDIR>\updater\explorer.exe"
// The directory rule carries "filename=explorer.exe", presumably so a folder named
// "updater" is only flagged when it holds that file - TODO confirm.
Directory:"<$DIR_PROG>","<$SYSDIR>\updater","filename=explorer.exe"


// Trojan.Agent(2):
// Run value "MSUpdate" pointing at an MSup<char>.exe in the system directory.
// AutoRun:"MSUpdate","C:\WINDOWS\system32\MSup1.exe","flagifnofile=1"
AutoRun:"MSUpdate","<$SYSDIR>\MSup?.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","MSUpdate"
// NOTE(review): the AutoRun rule uses the wildcard MSup?.exe, but the File rule names
// only MSup1.exe, so a differently numbered copy would be detected as an autostart
// yet its file would not be listed - confirm whether File should use the wildcard too.
// File:"<$FILE_EXE>","C:\WINDOWS\system32\MSup1.exe"
File:"<$FILE_EXE>","<$SYSDIR>\MSup1.exe"


// Trojan.Agent(3):
// Per-user Run value with a random-looking name starting a winlogon.exe from the
// user's Temp folder. The user-specific path is replaced by <$LOCALAPPDATA>.
// AutoRun:"hsf87efjhdsf87f3jfsdi7fhsujfd","C:\Users\Max\AppData\Local\Temp\winlogon.exe","flagifnofile=1"
// The *.exe wildcard is broad, but the rule is tied to the specific value name.
AutoRun:"hsf87efjhdsf87f3jfsdi7fhsujfd","<$LOCALAPPDATA>\Temp\*.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","hsf87efjhdsf87f3jfsdi7fhsujfd"
// NOTE(review): the File rule covers only winlogon.exe, while the AutoRun rule
// accepts any .exe name - other file names would be detected but not listed here.
// File:"<$FILE_EXE>","C:\Users\Max\AppData\Local\Temp\winlogon.exe"
File:"<$FILE_EXE>","<$LOCALAPPDATA>\Temp\winlogon.exe"


// Trojan.Agent(4):
// An autostart entry like this does not belong to Microsoft ;-)
// See here: http://www.systemlookup.com/Startup/20190-mstalk_dll.html
// The logged command registers mstalk.dll via "regsvr32.exe /s" from a per-user
// folder "sp1"; the Run value itself is simply named "Run".
// AutoRun:"Run","regsvr32.exe /s "C:\Users\Peter\AppData\Roaming\sp1\mstalk.dll"","flagifnofile=1"
// NOTE(review): the logged path is ...\AppData\Roaming\sp1. If <$APPDATA> already
// resolves to ...\AppData\Roaming (as <$LOCALAPPDATA> maps to ...\AppData\Local in
// the Trojan.Agent(3) rules), the extra "\Roaming" below points at a folder that
// does not exist and these rules never match - verify the variable's expansion.
AutoRun:"Run","<$APPDATA>\Roaming\sp1\mstalk.dll","flagifnofile=1"
// NOTE(review): "Run" is a very generic value name and no data is checked here -
// confirm this cannot flag an unrelated entry of the same name.
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","Run"
// File:"<$FILE_EXE>","regsvr32.exe /s "C:\Users\Peter\AppData\Roaming\sp1\mstalk.dll""
File:"<$FILE_LIBRARY>","<$APPDATA>\Roaming\sp1\mstalk.dll"
Directory:"<$DIR_APPDATA>","<$APPDATA>\Roaming\sp1","filename=mstalk.dll"


// Trojan.Autorun:
// Run value "regdiit" starting winxp.exe from the system directory.
// See also here: http://www.systemlookup.com/Startup/20229-winxp_exe.html
AutoRun:"regdiit","<$SYSDIR>\winxp.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","regdiit"
File:"<$FILE_EXE>","<$SYSDIR>\winxp.exe"


// Trojan.FakeAlert.ttam:
// Persistence is a "rundll32.exe <file> <export>" command appended to the Winlogon
// "Shell" value after Explorer.exe. Two observed payload files: syce.xto and rxup.rko.
// The commented RegyValue lines show the full hijacked Shell data for reference.
// NOTE(review): the RegyRemove patterns start at the payload file name, so the
// preceding "rundll32.exe " would be left behind in Shell ("Explorer.exe rundll32.exe ")
// if RegyRemove deletes only the matched text - confirm the cleaned value is sane.
// RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\","Shell","Shell=Explorer.exe rundll32.exe syce.xto nqxwp"
RegyRemove:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\","Shell","syce.xto *"
File:"<$FILE_DATA>","<$SYSDIR>\syce.xto"
// RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\","Shell","Shell=Explorer.exe rundll32.exe rxup.rko jrgsvde"
RegyRemove:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\","Shell","rxup.rko *"
File:"<$FILE_DATA>","<$SYSDIR>\rxup.rko"


// Trojan.Fraudpack(1):
// Run value "YVIBBBHA8C" starting a three-character .exe from a Temp folder.
// Three observed locations are covered, each generalised from the commented
// sample path to a path variable plus the ???.exe wildcard.
// There is no File rule: the file name differs per sample (Hgx, Rgd, Xt1).
// AutoRun:"YVIBBBHA8C","C:\DOKUME~1\Nuri2\LOKALE~1\Temp\Hgx.exe","flagifnofile=1"
AutoRun:"YVIBBBHA8C","<$LOCALSETTINGS>\Temp\???.exe","flagifnofile=1"
// AutoRun:"YVIBBBHA8C","c:\windows\temp\Rgd.exe","flagifnofile=1"
AutoRun:"YVIBBBHA8C","<$WINDIR>\temp\???.exe","flagifnofile=1"
// AutoRun:"YVIBBBHA8C","C:\Users\Max\AppData\Local\Temp\Xt1.exe","flagifnofile=1"
AutoRun:"YVIBBBHA8C","<$LOCALAPPDATA>\Temp\???.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","YVIBBBHA8C"


// Trojan.Fraudpack(2):
// Run value "MailBlocker" starting a single-character .exe from the user's Temp folder.
// AutoRun:"MailBlocker","C:\Users\Windows 7\AppData\Local\Temp\c.exe","flagifnofile=1"
AutoRun:"MailBlocker","<$LOCALAPPDATA>\Temp\?.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","MailBlocker"
// The File rule is left disabled; it still holds the user-specific sample path.
// File:"<$FILE_EXE>","C:\Users\Windows 7\AppData\Local\Temp\c.exe"


// Trojan.Virtumonde:
// BHO-based samples. Each group below is one observed DLL: a BrowserHelperEx rule
// that matches any BHO name ("*") backed by that file name, the BHO and CLSID keys
// for the CLSID seen with it, and the DLL in the system directory.
// NOTE(review): these DLLs are typed <$FILE_DATA>, whereas other DLL rules in this
// file use <$FILE_LIBRARY> - confirm whether the difference is intended.
BrowserHelperEx:"*","filename=tofanuwo.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{31bdbd0d-81f8-4db6-8c74-11d8ac8e5e51}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{31bdbd0d-81f8-4db6-8c74-11d8ac8e5e51}"
File:"<$FILE_DATA>","<$SYSDIR>\tofanuwo.dll"

BrowserHelperEx:"*","filename=epgrrere.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{0598769c-cbcc-43a1-9d0c-2cb771c6be7b}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{0598769c-cbcc-43a1-9d0c-2cb771c6be7b}"
File:"<$FILE_DATA>","<$SYSDIR>\epgrrere.dll"

BrowserHelperEx:"*","filename=sqewyex.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{3ac854ed-040a-4d2b-afcc-74c1122bc22e}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{3ac854ed-040a-4d2b-afcc-74c1122bc22e}"
File:"<$FILE_DATA>","<$SYSDIR>\sqewyex.dll"

BrowserHelperEx:"*","filename=sehikija.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{a6751a73-d36f-44a1-902a-54aef8e9e4a4}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{a6751a73-d36f-44a1-902a-54aef8e9e4a4}"
File:"<$FILE_DATA>","<$SYSDIR>\sehikija.dll"

BrowserHelperEx:"*","filename=wefofole.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{20091701-1cf7-4cdd-b9bc-18e6637fc0b7}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{20091701-1cf7-4cdd-b9bc-18e6637fc0b7}"
File:"<$FILE_DATA>","<$SYSDIR>\wefofole.dll"

BrowserHelperEx:"*","filename=y7zabk.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{A9BA40A1-74F1-52BD-F431-00B15A2C8953}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{A9BA40A1-74F1-52BD-F431-00B15A2C8953}"
File:"<$FILE_DATA>","<$SYSDIR>\y7zabk.dll"

BrowserHelperEx:"*","filename=pitajayi.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{b73f9ef4-00cf-4775-be09-33a047b2105f}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{b73f9ef4-00cf-4775-be09-33a047b2105f}"
File:"<$FILE_DATA>","<$SYSDIR>\pitajayi.dll"

// The file "comuid32.dll" claimed no fewer than 16 O2 entries! :-D  (see log file):
// One BrowserHelperEx rule keyed on the file name, followed by 16 BHO/CLSID key
// pairs (one pair per CLSID from the log) and the DLL in the system directory.
BrowserHelperEx:"*","filename=comuid32.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{00078b65-6239-40b0-b4c1-5652187efe07}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{00078b65-6239-40b0-b4c1-5652187efe07}"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{000dfa66-93c0-4e10-b00c-85a34d20c05e}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{000dfa66-93c0-4e10-b00c-85a34d20c05e}"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{001a4ea4-165c-46dc-8f6e-7117ebf1ab1a}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{001a4ea4-165c-46dc-8f6e-7117ebf1ab1a}"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{001c4a61-652d-4e21-b2df-428ece92a2e7}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{001c4a61-652d-4e21-b2df-428ece92a2e7}"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{001fc3e9-66b3-4678-9a79-ee86530afc09}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{001fc3e9-66b3-4678-9a79-ee86530afc09}"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{0025222e-00bb-4e1f-b984-c0251296279c}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{0025222e-00bb-4e1f-b984-c0251296279c}"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{00255385-62f3-4e3a-a5fa-278c1b3070ab}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{00255385-62f3-4e3a-a5fa-278c1b3070ab}"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{0026f19b-2aed-4fe3-aabb-73ad0ff0c9aa}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{0026f19b-2aed-4fe3-aabb-73ad0ff0c9aa}"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{002c26ef-ddcc-437e-abcd-66ec63028746}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{002c26ef-ddcc-437e-abcd-66ec63028746}"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{00421420-756c-4bec-8966-d0a09a148a15}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{00421420-756c-4bec-8966-d0a09a148a15}"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{0043651e-0829-442f-b7c9-7293560267f6}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{0043651e-0829-442f-b7c9-7293560267f6}"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{006fbf3a-1f5e-4f98-899a-131602fc435e}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{006fbf3a-1f5e-4f98-899a-131602fc435e}"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{00b6bb49-62d5-48a8-a241-ee8a9bd02653}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{00b6bb49-62d5-48a8-a241-ee8a9bd02653}"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{00c56806-20f5-4396-bc52-bac040c7f2dd}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{00c56806-20f5-4396-bc52-bac040c7f2dd}"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{00e906bc-13aa-4f7a-b288-1a924213e2c8}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{00e906bc-13aa-4f7a-b288-1a924213e2c8}"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{0181600d-8384-4d71-8a19-e20515dd6f7c}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{0181600d-8384-4d71-8a19-e20515dd6f7c}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\comuid32.dll"

// Run-key samples that load a DLL through rundll32.exe.
// Each group keeps the logged AutoRun/File lines as comments and replaces them with:
//   - an AutoRun rule matching any value name ("*") whose target is the DLL path
//     followed by "*" (the trailing wildcard covers the export name after the DLL),
//   - a RegyValue rule for the value name seen in the log,
//   - a File rule for the DLL under <$WINDIR> or <$SYSDIR>.
// These AutoRun rules use flagifnofile=0, unlike the flagifnofile=1 in the logged lines.
// NOTE(review): the logged commands start with "rundll32.exe", while the patterns
// start with the DLL path - confirm the AutoRun matcher resolves rundll32 commands
// to the DLL before comparing. Several logged commands name the DLL without a path
// (e.g. "momomaju.dll"); the rules assume it lives in <$SYSDIR>.
// AutoRun:"Kwijapawogep","rundll32.exe "C:\WINDOWS\elayepeteroq.dll",Startup","flagifnofile=1"
AutoRun:"*","<$WINDIR>\elayepeteroq.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","Kwijapawogep"
// File:"<$FILE_EXE>","rundll32.exe "C:\WINDOWS\elayepeteroq.dll",Startup"
File:"<$FILE_LIBRARY>","<$WINDIR>\elayepeteroq.dll"

// AutoRun:"rmosnq","RUNDLL32.EXE c:\windows\system32\msyblkya.dll,w","flagifnofile=1"
AutoRun:"*","<$SYSDIR>\msyblkya.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","rmosnq"
// File:"<$FILE_EXE>","RUNDLL32.EXE c:\windows\system32\msyblkya.dll,w"
File:"<$FILE_LIBRARY>","<$SYSDIR>\msyblkya.dll"

// AutoRun:"fabivumaki","Rundll32.exe "momomaju.dll",s","flagifnofile=1"
AutoRun:"*","<$SYSDIR>\momomaju.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","fabivumaki"
// File:"<$FILE_EXE>","Rundll32.exe "momomaju.dll",s"
File:"<$FILE_LIBRARY>","<$SYSDIR>\momomaju.dll"

// AutoRun:"kihahizug","Rundll32.exe "c:\windows\system32\nefuwipi.dll",a","flagifnofile=1"
AutoRun:"*","<$SYSDIR>\nefuwipi.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","kihahizug"
// File:"<$FILE_EXE>","Rundll32.exe "c:\windows\system32\nefuwipi.dll",a"
File:"<$FILE_LIBRARY>","<$SYSDIR>\nefuwipi.dll"

// AutoRun:"fepubosile","Rundll32.exe "tiseluwi.dll",s","flagifnofile=1"
AutoRun:"*","<$SYSDIR>\tiseluwi.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","fepubosile"
// File:"<$FILE_EXE>","Rundll32.exe "tiseluwi.dll",s"
File:"<$FILE_LIBRARY>","<$SYSDIR>\tiseluwi.dll"

// AutoRun:"livafusuva","Rundll32.exe "vozaposo.dll",s","flagifnofile=1"
AutoRun:"*","<$SYSDIR>\vozaposo.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","livafusuva"
// File:"<$FILE_EXE>","Rundll32.exe "vozaposo.dll",s"
File:"<$FILE_LIBRARY>","<$SYSDIR>\vozaposo.dll"

// AutoRun:"yepayofub","Rundll32.exe "c:\windows\system32\votudefu.dll",a","flagifnofile=1"
AutoRun:"*","<$SYSDIR>\votudefu.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","yepayofub"
// File:"<$FILE_EXE>","Rundll32.exe "c:\windows\system32\votudefu.dll",a"
File:"<$FILE_LIBRARY>","<$SYSDIR>\votudefu.dll"

// AutoRun:"Jdowohavonaxehiz","rundll32.exe "C:\WINDOWS\ifoqicacepe.dll",Startup","flagifnofile=1"
AutoRun:"*","<$WINDIR>\ifoqicacepe.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","Jdowohavonaxehiz"
// File:"<$FILE_EXE>","rundll32.exe "C:\WINDOWS\ifoqicacepe.dll",Startup"
File:"<$FILE_LIBRARY>","<$WINDIR>\ifoqicacepe.dll"

// AutoRun:"Tbepulucasicuz","rundll32.exe "c:\windows\aqigeyajo.dll",Startup","flagifnofile=1"
AutoRun:"*","<$WINDIR>\aqigeyajo.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","Tbepulucasicuz"
// File:"<$FILE_EXE>","rundll32.exe "c:\windows\aqigeyajo.dll",Startup"
File:"<$FILE_LIBRARY>","<$WINDIR>\aqigeyajo.dll"

// AutoRun:"Atavocifalutih","rundll32.exe "C:\WINDOWS\acedomipu.dll",Startup","flagifnofile=1"
AutoRun:"*","<$WINDIR>\acedomipu.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","Atavocifalutih"
// File:"<$FILE_EXE>","rundll32.exe "C:\WINDOWS\acedomipu.dll",Startup"
File:"<$FILE_LIBRARY>","<$WINDIR>\acedomipu.dll"

// AutoRun:"cbyxursys","rundll32.exe "pmlijk.dll",DllRegisterServer","flagifnofile=1"
AutoRun:"*","<$SYSDIR>\pmlijk.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","cbyxursys"
// File:"<$FILE_EXE>","rundll32.exe "pmlijk.dll",DllRegisterServer"
File:"<$FILE_LIBRARY>","<$SYSDIR>\pmlijk.dll"

// AutoRun:"nnkiigdrv","rundll32.exe "vttsrq.dll",s","flagifnofile=1"
AutoRun:"*","<$SYSDIR>\vttsrq.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","nnkiigdrv"
// File:"<$FILE_EXE>","rundll32.exe "vttsrq.dll",s"
File:"<$FILE_LIBRARY>","<$SYSDIR>\vttsrq.dll"

// AutoRun:"puvubedap","Rundll32.exe "c:\windows\system32\wujohewa.dll",a","flagifnofile=1"
AutoRun:"*","<$SYSDIR>\wujohewa.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","puvubedap"
// File:"<$FILE_EXE>","Rundll32.exe "c:\windows\system32\wujohewa.dll",a"
File:"<$FILE_LIBRARY>","<$SYSDIR>\wujohewa.dll"

// AutoRun:"korelatina","Rundll32.exe "mepepivu.dll",s","flagifnofile=1"
AutoRun:"*","<$SYSDIR>\mepepivu.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","korelatina"
// File:"<$FILE_EXE>","Rundll32.exe "mepepivu.dll",s"
File:"<$FILE_LIBRARY>","<$SYSDIR>\mepepivu.dll"

// Spybot could not delete this:
// Per-user Run values loading a DLL from a same-named folder under the common
// application data directory. The logged paths (c:\progra~2\... and C:\ProgramData\...)
// are both rewritten to <$COMMONAPPDATA>, and the folder itself is flagged as well.
// AutoRun:"yupigamek","Rundll32.exe "c:\progra~2\nemudodi\nemudodi.dll",a","flagifnofile=1"
AutoRun:"*","<$COMMONAPPDATA>\nemudodi\nemudodi.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","yupigamek"
// File:"<$FILE_EXE>","Rundll32.exe "c:\progra~2\nemudodi\nemudodi.dll",a"
File:"<$FILE_LIBRARY>","<$COMMONAPPDATA>\nemudodi\nemudodi.dll"
Directory:"<$DIR_COMMON_APPDATA>","<$COMMONAPPDATA>\nemudodi"

// AutoRun:"muzomofalu","Rundll32.exe "C:\ProgramData\liroteyu\liroteyu.dll",s","flagifnofile=1"
AutoRun:"*","<$COMMONAPPDATA>\liroteyu\liroteyu.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","muzomofalu"
// File:"<$FILE_EXE>","Rundll32.exe "C:\ProgramData\liroteyu\liroteyu.dll",s"
File:"<$FILE_LIBRARY>","<$COMMONAPPDATA>\liroteyu\liroteyu.dll"
Directory:"<$DIR_COMMON_APPDATA>","<$COMMONAPPDATA>\liroteyu"

// AppInit_DLLs samples: each pair names one DLL entry inside the AppInit_DLLs value
// and the corresponding file in the system directory.
// Some entries are matched by bare file name and others with the <$SYSDIR> path,
// mirroring how each was written in the value.
// NOTE(review): AppInit_DLLs is a shared list that may also hold legitimate entries -
// confirm RegyRemove takes out only the named DLL and leaves the rest of the value intact.
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","guwituyu.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\guwituyu.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\nefuwipi.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\nefuwipi.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","jazuyana.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\jazuyana.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","yuzevemu.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\yuzevemu.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\votudefu.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\votudefu.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\bufezeza.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\bufezeza.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","sijibale.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\sijibale.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\wujohewa.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\wujohewa.dll"

// ShellServiceObjectDelayLoad samples: each rule matches a value by name together
// with its data ("name={CLSID}") and is paired with the DLL in the system directory.
// The CLSID-to-DLL pairing here is the same one used by the SharedTaskScheduler rules.
RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","zurejafig","zurejafig={61aa1956-293d-4a73-9227-6782bda3e225}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\tovebogi.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","pewuroyid","pewuroyid={b6a08e74-2c8d-4a81-b5f3-000dc2d20e67}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\yumuneye.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","tusukonis","tusukonis={d50050f9-90b5-47c6-ac55-85b6bae69889}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\nefuwipi.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","tozibesup","tozibesup={f2a225df-6efa-4439-93e7-ac2dba31b1d5}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\votudefu.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","hebekirup","hebekirup={092793ad-6efe-40c8-a628-45e4b16ce5f2}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\bufezeza.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","nehepiden","nehepiden={529dc914-614f-428f-b92c-f134ea95926a}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\wujohewa.dll"

// SharedTaskScheduler samples: each rule matches a value by name plus "name={CLSID}"
// data and is paired with the DLL in the system directory.
// The names "mujuzedij" and "kupuhivus" recur with different CLSIDs, so the data
// part is what tells these rules apart.
// NOTE(review): SharedTaskScheduler values are typically named by the CLSID, with
// the friendly name as data. If that holds on the affected systems, rules written
// as name={CLSID} would not match - verify against an exported key.
RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","mujuzedij","mujuzedij={092793ad-6efe-40c8-a628-45e4b16ce5f2}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\bufezeza.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","mujuzedij","mujuzedij={529dc914-614f-428f-b92c-f134ea95926a}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\wujohewa.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","jugezatag","jugezatag={f2a225df-6efa-4439-93e7-ac2dba31b1d5}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\votudefu.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","kupuhivus","kupuhivus={d50050f9-90b5-47c6-ac55-85b6bae69889}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\nefuwipi.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","kupuhivus","kupuhivus={61aa1956-293d-4a73-9227-6782bda3e225}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\tovebogi.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","mujuzedij","mujuzedij={b6a08e74-2c8d-4a81-b5f3-000dc2d20e67}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\yumuneye.dll"