I've collected detection rules for the following Malware:
  • Malware.Fraud.DesktopSecurity2010
  • Malware.Smitfraud
  • Rootkit.TDSS
  • Trojan.Agent
  • Trojan.FakeAlert.ttam(2)
  • Trojan.Virtumonde(2)
  • Worm.Kolab
Category: Trojan
Code:
:: New Malware v99
// Revision 1
// {Cat:Test}{Cnt:1}
// {Det:Matt,2010-04-10}


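// Malware.Fraud.DesktopSecurity2010:
// Please check whether you already have both autostart entries!
//
// Path note: the submitted log places the files under
// c:\users\ben\appdata\roaming\desktop security 2010\. <$APPDATA> already
// resolves to the per-user Roaming profile folder (CSIDL_APPDATA, i.e.
// c:\users\<user>\appdata\roaming), so it is used directly here; an extra
// "\roaming\" segment after the placeholder would point at a folder that does
// not exist on a default profile and the rules would never match.
// The Directory rule is gated on one of the dropped executables (same form as
// the MSA rule further down) so an empty or unrelated folder of the same name
// is not removed.
// AutoRun:"Desktop Security 2010","c:\users\ben\appdata\roaming\desktop security 2010\Desktop Security 2010.exe","flagifnofile=1"
AutoRun:"Desktop Security 2010","<$APPDATA>\desktop security 2010\Desktop Security 2010.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","Desktop Security 2010"
// File:"<$FILE_EXE>","c:\users\ben\appdata\roaming\desktop security 2010\Desktop Security 2010.exe"
File:"<$FILE_EXE>","<$APPDATA>\desktop security 2010\Desktop Security 2010.exe"
// AutoRun:"SecurityCenter","c:\users\ben\appdata\roaming\desktop security 2010\securitycenter.exe","flagifnofile=1"
AutoRun:"SecurityCenter","<$APPDATA>\desktop security 2010\securitycenter.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","SecurityCenter"
// File:"<$FILE_EXE>","c:\users\ben\appdata\roaming\desktop security 2010\securitycenter.exe"
File:"<$FILE_EXE>","<$APPDATA>\desktop security 2010\securitycenter.exe"
Directory:"<$DIR_APPDATA>","<$APPDATA>\desktop security 2010","filename=Desktop Security 2010.exe"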


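// Malware.Smitfraud:
// Please check whether you already have these entries! :-)
// http://www.systemlookup.com/CLSID/54353-rafbsvnx_dll.html
// rafbsvnx.dll is registered under Internet Explorer\Toolbar (an IE toolbar),
// while the first rule is of type BrowserHelperEx -- NOTE(review): confirm that
// BrowserHelperEx also covers Toolbar registrations for this CLSID.
BrowserHelperEx:"rafbsvnx","filename=rafbsvnx.dll"
RegyValue:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Internet Explorer\Toolbar\","{C46300D6-BEA7-42DB-B65D-90D566CC6CB2}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{C46300D6-BEA7-42DB-B65D-90D566CC6CB2}"
File:"<$FILE_LIBRARY>","<$WINDIR>\rafbsvnx.dll"
// The two ShellServiceObjectDelayLoad (SSODL) objects below are instantiated by
// Explorer at logon through their CLSID. The toolbar entry above removes its
// CLSID key; the SSODL entries originally did not, which would leave the COM
// registration that points at the DLL in place after cleanup, so a
// RegyKey:"<$REG_CLASSID>" line is added for each of them.
RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","vtqnxfko","vtqnxfko={08F73A7A-3A76-41FD-86F2-26A68168D546}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{08F73A7A-3A76-41FD-86F2-26A68168D546}"
File:"<$FILE_LIBRARY>","<$WINDIR>\vtqnxfko.dll"
RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","tsxngabr","tsxngabr={C6C3B224-1836-449B-825A-B4878D1BA159}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{C6C3B224-1836-449B-825A-B4878D1BA159}"
File:"<$FILE_LIBRARY>","<$WINDIR>\tsxngabr.dll"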


// Rootkit.TDSS:
// From a GMER log file (registry section of GMER 1.0.15, reproduced below).
// Please check whether you already detect this: Spybot found nothing here, or was blocked by the rootkit.
// Note: the service name and module names carry suffixes that look randomly generated
// (SKYNETgoeaftsd, SKYNETiswpjcvn.sys, SKYNETlirkujgo.dll, ...) and probably differ per
// infection, so the lines below are evidence only; no literal rules are derived from them here.
// ---- Registry - GMER 1.0.15 ----
// Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETgoeaftsd@start 1
// Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETgoeaftsd@type 1
// Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETgoeaftsd@group file system
// Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETgoeaftsd@imagepath \systemroot\system32\drivers\SKYNETiswpjcvn.sys
// Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETgoeaftsd\main (not active ControlSet)
// Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETgoeaftsd\main@aid 10002
// Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETgoeaftsd\main@sid 1
// Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETgoeaftsd\main@cmddelay 14400
// Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETgoeaftsd\main\delete (not active ControlSet)
// Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETgoeaftsd\main\injector (not active ControlSet)
// Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETgoeaftsd\main\injector@* SKYNETwsp.dll
// Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETgoeaftsd\main\tasks (not active ControlSet)
// Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETgoeaftsd\modules (not active ControlSet)
// Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETgoeaftsd\modules@SKYNETrk.sys \systemroot\system32\drivers\SKYNETiswpjcvn.sys
// Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETgoeaftsd\modules@SKYNETcmd.dll \systemroot\system32\SKYNETlirkujgo.dll
// Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETgoeaftsd\modules@SKYNETlog.dat \systemroot\system32\SKYNETyoirxrxo.dat
// Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETgoeaftsd\modules@SKYNETwsp.dll \systemroot\system32\SKYNETwmctpejk.dll
// Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETgoeaftsd\modules@SKYNET.dat \systemroot\system32\SKYNETsjxijtve.dat


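// Trojan.Agent:
// The file mscjm.exe is definitely malicious; see this VirusTotal result:
// http://www.virustotal.com/analisis/532ec253f475d9e5c27d68f99c7986cd80f421e62b996e03da077d8ee5a4921d-1265041612
// Maybe you can at least adopt one or two of the entries... unfortunately I have no sample files :-(  Perhaps you have something in your database? ;-)
//
// The Run values "DriverLoad" and "DriverCheck" both pointed at
// c:\windows\temp\dl1.exe in the log. The digit is wildcarded (dl?.exe) in the
// AutoRun rules; the File rule now uses the same wildcard so that a drop named
// dl2.exe etc. is removed together with its Run value instead of being left
// behind on disk. One File rule covers both Run values (same target file).
// AutoRun:"DriverLoad","c:\windows\temp\dl1.exe","flagifnofile=1"
AutoRun:"DriverLoad","<$WINDIR>\temp\dl?.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","DriverLoad"
// File:"<$FILE_EXE>","c:\windows\temp\dl1.exe"
File:"<$FILE_EXE>","<$WINDIR>\temp\dl?.exe"
// AutoRun:"DriverCheck","c:\windows\temp\dl1.exe","flagifnofile=1"
AutoRun:"DriverCheck","<$WINDIR>\temp\dl?.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","DriverCheck"
// File:"<$FILE_EXE>","c:\windows\temp\dl1.exe"
// The MSA folder sits directly in the root of the system drive. The Directory
// rule is gated on mscjm.exe so an unrelated folder of that name is left alone.
// AutoRun:"mscj.exe","\MSA\mscj.exe","flagifnofile=1"
AutoRun:"mscj.exe","<$SYSDRIVE>\MSA\mscj.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","mscj.exe"
// File:"<$FILE_EXE>","\MSA\mscj.exe"
File:"<$FILE_EXE>","<$SYSDRIVE>\MSA\mscj.exe"
// AutoRun:"mscjm.exe","\MSA\mscjm.exe","flagifnofile=1"
AutoRun:"mscjm.exe","<$SYSDRIVE>\MSA\mscjm.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","mscjm.exe"
// File:"<$FILE_EXE>","\MSA\mscjm.exe"
File:"<$FILE_EXE>","<$SYSDRIVE>\MSA\mscjm.exe"
Directory:"<$DIR_PROG>","<$SYSDRIVE>\MSA","filename=mscjm.exe"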


// Trojan.FakeAlert.ttam(1):
// Please check whether you already have this path!
// The BHO rule wildcards the file name (kx?????.dll: five characters after
// "kx") so other numbered variants are caught; the File rule below pins only
// the one instance that was observed (kx14427.dll). NOTE(review): a wildcard
// File rule in <$WINDIR> would widen cleanup but also the false-positive
// surface, so the file match is deliberately kept exact.
BrowserHelperEx:"D","filename=kx?????.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{73AF155F-9623-3F62-AEB1-83242B434A59}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{73AF155F-9623-3F62-AEB1-83242B434A59}"
File:"<$FILE_LIBRARY>","<$WINDIR>\kx14427.dll"


// Trojan.FakeAlert.ttam(2):
// The Run value points at "...\system32:rundll32.exe". The colon after the
// directory name is NTFS alternate-data-stream syntax: the payload is a stream
// attached to the system32 folder itself, NOT the legitimate
// \system32\rundll32.exe. The rules must keep the exact "system32:" form so
// the real rundll32.exe is never matched or removed.
// NOTE(review): confirm the File rule engine can enumerate and delete a stream
// on a directory; if it cannot, this entry only cleans the Run value and the
// stream has to be removed separately.
// AutoRun:"explorat","C:\WINDOWS\system32:rundll32.exe","flagifnofile=1"
AutoRun:"explorat","<$WINDIR>\system32:rundll32.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","explorat"
// File:"<$FILE_EXE>","C:\WINDOWS\system32:rundll32.exe"
File:"<$FILE_EXE>","<$WINDIR>\system32:rundll32.exe"


// Trojan.Virtumonde(1):
// Browser Helper Objects. Each group removes the BHO registration, the CLSID
// key it refers to, and the DLL. The BHO display name is wildcarded ("*")
// because the stable indicator here is the DLL file name, not the name shown
// in the BHO list.
BrowserHelperEx:"*","filename=mojujebu.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{8f8195e0-0dd9-42ff-abb9-a5a8b4a55c02}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{8f8195e0-0dd9-42ff-abb9-a5a8b4a55c02}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\mojujebu.dll"

BrowserHelperEx:"*","filename=kpayifo.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{EBDF26CB-0EA7-4D76-9185-77F568392F4E}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{EBDF26CB-0EA7-4D76-9185-77F568392F4E}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\kpayifo.dll"

BrowserHelperEx:"*","filename=tepidike.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{2d888a3e-8b4d-45f2-a970-f5f67ce492ac}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{2d888a3e-8b4d-45f2-a970-f5f67ce492ac}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\tepidike.dll"

BrowserHelperEx:"*","filename=p9jrkipg3g.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{A9BA40A1-74F1-52BD-F431-00B15A2C8953}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{A9BA40A1-74F1-52BD-F431-00B15A2C8953}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\p9jrkipg3g.dll"

BrowserHelperEx:"*","filename=mikolobe.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{8bd9b2b4-469a-482c-83f1-545d55240f22}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{8bd9b2b4-469a-482c-83f1-545d55240f22}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\mikolobe.dll"

// Run entries that start the DLLs via rundll32. The Run data is a command line
// of the form `Rundll32.exe "<dll>",<entry>` (see the commented originals), so
// the AutoRun rule matches on the DLL path with a trailing wildcard for the
// entry-point argument, the Run value name is removed by name, and the file
// itself is handled by a File rule of type <$FILE_LIBRARY> (the original
// <$FILE_EXE> lines pointed at the rundll32 command, not at a file).
// NOTE(review): several originals (lakovazo, zufefomu, satukivu, yehifuni)
// give only the bare DLL name with no directory; rundll32 resolves that via
// the DLL search order, and <$SYSDIR> is assumed here -- confirm against a
// sample. flagifnofile=0 is presumably set because the Run data is a rundll32
// command line rather than a path to the DLL; verify that is the intended
// semantics.
// AutoRun:"vugutuwuy","Rundll32.exe "c:\windows\system32\devoresi.dll",a","flagifnofile=1"
AutoRun:"*","<$SYSDIR>\devoresi.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","vugutuwuy"
// File:"<$FILE_EXE>","Rundll32.exe "c:\windows\system32\devoresi.dll",a"
File:"<$FILE_LIBRARY>","<$SYSDIR>\devoresi.dll"

// AutoRun:"dopitupuso","Rundll32.exe "lakovazo.dll",s","flagifnofile=1"
AutoRun:"*","<$SYSDIR>\lakovazo.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","dopitupuso"
// File:"<$FILE_EXE>","Rundll32.exe "lakovazo.dll",s"
File:"<$FILE_LIBRARY>","<$SYSDIR>\lakovazo.dll"

// AutoRun:"hijalodaji","Rundll32.exe "zufefomu.dll",s","flagifnofile=1"
AutoRun:"*","<$SYSDIR>\zufefomu.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","hijalodaji"
// File:"<$FILE_EXE>","Rundll32.exe "zufefomu.dll",s"
File:"<$FILE_LIBRARY>","<$SYSDIR>\zufefomu.dll"

// AutoRun:"sanivowis","Rundll32.exe "c:\windows\system32\meridewa.dll",a","flagifnofile=1"
AutoRun:"*","<$SYSDIR>\meridewa.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","sanivowis"
// File:"<$FILE_EXE>","Rundll32.exe "c:\windows\system32\meridewa.dll",a"
File:"<$FILE_LIBRARY>","<$SYSDIR>\meridewa.dll"

// AutoRun:"wafadujoyo","Rundll32.exe "satukivu.dll",s","flagifnofile=1"
AutoRun:"*","<$SYSDIR>\satukivu.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","wafadujoyo"
// File:"<$FILE_EXE>","Rundll32.exe "satukivu.dll",s"
File:"<$FILE_LIBRARY>","<$SYSDIR>\satukivu.dll"

// AutoRun:"vudenehiz","Rundll32.exe "c:\windows\system32\peliziru.dll",a","flagifnofile=1"
AutoRun:"*","<$SYSDIR>\peliziru.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","vudenehiz"
// File:"<$FILE_EXE>","Rundll32.exe "c:\windows\system32\peliziru.dll",a"
File:"<$FILE_LIBRARY>","<$SYSDIR>\peliziru.dll"

// AutoRun:"gebuwidifi","Rundll32.exe "yehifuni.dll",s","flagifnofile=1"
AutoRun:"*","<$SYSDIR>\yehifuni.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","gebuwidifi"
// File:"<$FILE_EXE>","Rundll32.exe "yehifuni.dll",s"
File:"<$FILE_LIBRARY>","<$SYSDIR>\yehifuni.dll"

// AutoRun:"bihapojuv","Rundll32.exe "c:\windows\system32\sidenohe.dll",a","flagifnofile=1"
AutoRun:"*","<$SYSDIR>\sidenohe.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","bihapojuv"
// File:"<$FILE_EXE>","Rundll32.exe "c:\windows\system32\sidenohe.dll",a"
File:"<$FILE_LIBRARY>","<$SYSDIR>\sidenohe.dll"

// This one lives in <$WINDIR>, not <$SYSDIR>, as the original command line shows.
// AutoRun:"Uyefib","rundll32.exe "C:\WINDOWS\otaworuc.dll",Startup","flagifnofile=1"
AutoRun:"*","<$WINDIR>\otaworuc.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","Uyefib"
// File:"<$FILE_EXE>","rundll32.exe "C:\WINDOWS\otaworuc.dll",Startup"
File:"<$FILE_LIBRARY>","<$WINDIR>\otaworuc.dll"

// AutoRun:"rmosnq","RUNDLL32.EXE C:\WINDOWS\system32\msyblkya.dll,w","flagifnofile=1"
AutoRun:"*","<$SYSDIR>\msyblkya.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","rmosnq"
// File:"<$FILE_EXE>","RUNDLL32.EXE C:\WINDOWS\system32\msyblkya.dll,w"
File:"<$FILE_LIBRARY>","<$SYSDIR>\msyblkya.dll"

// AutoRun:"uxvefl","RUNDLL32.EXE C:\WINDOWS\system32\mssapsmr.dll,w","flagifnofile=1"
AutoRun:"*","<$SYSDIR>\mssapsmr.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","uxvefl"
// File:"<$FILE_EXE>","RUNDLL32.EXE C:\WINDOWS\system32\mssapsmr.dll,w"
File:"<$FILE_LIBRARY>","<$SYSDIR>\mssapsmr.dll"

// AppInit_DLLs: every DLL listed in this value is loaded by user32.dll into
// each process that loads user32, which is how Virtumonde gets into every GUI
// process. RegyRemove with a fifth argument is used so that only the named DLL
// is stripped from the (space/comma separated) list instead of clearing the
// whole value, which may hold legitimate entries.
// Some entries carry the full <$SYSDIR> path and others a bare file name; this
// mirrors the two forms seen in the submitted logs -- NOTE(review): confirm the
// engine still matches when the registry holds the other form (full path vs.
// bare name) for the same DLL.
// Because these DLLs are mapped into running processes, deleting the file may
// only succeed after a reboot.
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\kakekuze.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\kakekuze.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\devoresi.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\devoresi.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","jogopamo.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\jogopamo.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","hefoyufu.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\hefoyufu.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\tumuwaku.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\tumuwaku.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\meridewa.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\meridewa.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","sumonibe.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\sumonibe.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\peliziru.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\peliziru.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","luzilufe.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\luzilufe.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\baniwiki.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\baniwiki.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\sidenohe.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\sidenohe.dll"

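// ShellServiceObjectDelayLoad (SSODL) entries: Explorer instantiates each CLSID
// listed here at logon, which is what loads the DLL. The DLL paired with each
// entry below is the submitter's mapping from the log and cannot be verified
// from this file alone.
RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","kadufajad","kadufajad={c19be888-47a2-43f9-8fe4-2bb7deebbd81}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\kakekuze.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","sejiwikes","sejiwikes={cd73fd80-e96e-4482-950d-f084e85f7ff4}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\devoresi.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","gigulibaj","gigulibaj={654dc9fb-44bb-49ac-83f6-6f349c921f6e}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\tumuwaku.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","kunotavik","kunotavik={d85e6956-0199-4602-a54b-9db6dc450d59}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\meridewa.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","rehupimed","rehupimed={f89008f7-d34b-4613-813b-244d21f33a79}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\peliziru.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","jufowifup","jufowifup={84bbf7e6-22d9-407d-9bf7-f940f0421e2e}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\baniwiki.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","yenuvazeg","yenuvazeg={6d19d00d-3261-44a1-8e85-746997ab1f8c}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\sidenohe.dll"

// SharedTaskScheduler entries (also instantiated by Explorer at logon).
// NOTE(review): the value names "kupuhivus" and "mujuzedij" each appear three
// times below with different CLSIDs. In this key Windows normally uses the
// CLSID as the value name and a display string as the data, so confirm which
// field the engine matches on here; if it matches on the name, two of each
// triple would be ambiguous.
RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","kupuhivus","kupuhivus={84bbf7e6-22d9-407d-9bf7-f940f0421e2e}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\baniwiki.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","mujuzedij","mujuzedij={6d19d00d-3261-44a1-8e85-746997ab1f8c}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\sidenohe.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","mujuzedij","mujuzedij={f89008f7-d34b-4613-813b-244d21f33a79}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\peliziru.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","gahurihor","gahurihor={654dc9fb-44bb-49ac-83f6-6f349c921f6e}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\tumuwaku.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","kupuhivus","kupuhivus={d85e6956-0199-4602-a54b-9db6dc450d59}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\meridewa.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","tokatiluy","tokatiluy={c19be888-47a2-43f9-8fe4-2bb7deebbd81}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\kakekuze.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","mujuzedij","mujuzedij={cd73fd80-e96e-4482-950d-f084e85f7ff4}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\devoresi.dll"

// yitefuko.dll appears only here (no BHO/Run/AppInit entry was supplied for it).
RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","kupuhivus","kupuhivus={39e358d5-6560-418b-ae86-1392a75421a3}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\yitefuko.dll"

// CLSID registrations for the SSODL / SharedTaskScheduler objects above. The BHO
// rules in this section remove the CLSID key (RegyKey:"<$REG_CLASSID>"), but the
// SSODL and SharedTaskScheduler rules did not, which left the COM registration
// -- the part that actually points at the DLL -- in place after cleanup. One
// entry per distinct CLSID; several CLSIDs are shared between the two lists.
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{c19be888-47a2-43f9-8fe4-2bb7deebbd81}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{cd73fd80-e96e-4482-950d-f084e85f7ff4}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{654dc9fb-44bb-49ac-83f6-6f349c921f6e}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{d85e6956-0199-4602-a54b-9db6dc450d59}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{f89008f7-d34b-4613-813b-244d21f33a79}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{84bbf7e6-22d9-407d-9bf7-f940f0421e2e}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{6d19d00d-3261-44a1-8e85-746997ab1f8c}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{39e358d5-6560-418b-ae86-1392a75421a3}"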


// Trojan.Virtumonde(2):
// From a ComboFix log file
// NOTE(review): these are bare file-name matches in <$SYSDIR> with no registry
// anchor (no BHO/SSODL/Run entry was supplied for them), so detection rests
// entirely on the name. zlibwapi.dll in particular is also the file name under
// which the legitimate zlib Win32 build is distributed, so that entry carries
// false-positive risk; confirm it with a hash or a more specific indicator
// before shipping it as a plain name match.
File:"<$FILE_LIBRARY>","<$SYSDIR>\zlibwapi.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\jevaziji.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\kefuyave.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\hoguhora.dll"


// Worm.Kolab:
// Name according to Symantec
// See also: http://www.systemlookup.com/Startup/20954-ccdrive32_exe.html
// NOTE(review): the reference above documents "ccdrive32.exe", while the rules
// below target "cidrive32.exe". Confirm which spelling the sample used (or
// whether both variants exist) before relying on this match; a one-letter
// mismatch means the rule silently never fires.
AutoRun:"Microsoft Driver Setup","<$WINDIR>\cidrive32.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","Microsoft Driver Setup"
File:"<$FILE_EXE>","<$WINDIR>\cidrive32.exe"