Detection for Rogue.Antivirus2008

NJones

Hi guys,
I have just read that there are a lot of users having problems with Antivirus2008, which is not detected by Spybot yet.
So I tried to create some detection rules with the Spybot OpenSBI Editor. I am not sure if I did everything right, so I will publish it here:

Code:
:: Rogue.Antivirus2008
// {Cat:Malware}{Cnt:1}
// {Det:N.Jones,2008-07-25}
RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\","rhc553j0e9cv"
UninstallByKey:"rhc553j0e9cv","0"
RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform\","AntivirXP08"
AutoRun:"SMrhc553j0e9cv","<$PROGRAMFILES>\rhc553j0e9cv\rhc553j0e9cv.exe","filesize>=6000000,filesize<=15000000"
StartmenuItem:"Antivirus XP 2008.lnk","<$PROGRAMFILES>\rhc553j0e9cv\*.exe","filesize>=1,filesize<=5000"
StartmenuItem:"How to Register Antivirus XP 2008.lnk","filesize>=1,filesize<=5000"
StartmenuItem:"License Agreement.lnk","<$PROGRAMFILES>\rhc553j0e9cv\license.txt","filesize>=1,filesize<=5000"
StartmenuItem:"Register Antivirus XP 2008.lnk","filesize>=1,filesize<=5000"
StartmenuItem:"Uninstall.lnk","<$PROGRAMFILES>\rhc553j0e9cv\Uninstall.exe","filesize>=1,filesize<=5000"
File:"<$FILE_DATA>","<$PROGRAMFILES>\rhc553j0e9cv\database.dat","filesize>=1000,filesize<=3000"
File:"<$FILE_TEXT>","<$PROGRAMFILES>\rhc553j0e9cv\license.txt","filesize=19052,md5=A4CEABD89CABE614F390DD8C7E1B26D2"
File:"<$FILE_EXE>","<$PROGRAMFILES>\rhc553j0e9cv\*.exe","filesize>=600000,filesize<=20000000"
File:"<$FILE_DATA>","<$PROGRAMFILES>\rhc553j0e9cv\rhc553j0e9cv.exe.local","filesize<=1"
DesktopIcon:"Antivirus XP 2008.lnk","<$PROGRAMFILES>\rhc553j0e9cv\*.exe","filesize>=1,filesize<=5000"
QuickLaunchIcon:"Antivirus XP 2008.lnk","<$PROGRAMFILES>\rhc553j0e9cv\*.exe","filesize>=1,filesize<=5000"
File:"<$FILE_EXE>","<$SYSDIR>\*.exe","filesize=94208,md5=CE2A2A5A6F1E7A5D6FA31F5277EAB9AB"
Directory:"<$DIR_PROG>","<$APPDATA>\rhc553j0e9cv\Quarantine\Autorun\HKCU","filename=<$PROGRAMFILES>\rhc553j0e9cv\database.dat"
Directory:"<$DIR_PROG>","<$APPDATA>\rhc553j0e9cv\Quarantine\Autorun\HKCU\RunOnce","filename=<$PROGRAMFILES>\rhc553j0e9cv\database.dat"
Directory:"<$DIR_PROG>","<$APPDATA>\rhc553j0e9cv\Quarantine\Autorun\HKLM","filename=<$PROGRAMFILES>\rhc553j0e9cv\database.dat"
Directory:"<$DIR_PROG>","<$APPDATA>\rhc553j0e9cv\Quarantine\Autorun\HKLM\RunOnce","filename=<$PROGRAMFILES>\rhc553j0e9cv\database.dat"
Directory:"<$DIR_PROG>","<$APPDATA>\rhc553j0e9cv\Quarantine\Autorun\StartMenuAllUsers","filename=<$PROGRAMFILES>\rhc553j0e9cv\database.dat"
Directory:"<$DIR_PROG>","<$APPDATA>\rhc553j0e9cv\Quarantine\Autorun\StartMenuCurrentUser","filename=<$PROGRAMFILES>\rhc553j0e9cv\database.dat"
Directory:"<$DIR_PROG>","<$APPDATA>\rhc553j0e9cv\Quarantine\Autorun","filename=<$PROGRAMFILES>\rhc553j0e9cv\database.dat"
Directory:"<$DIR_PROG>","<$APPDATA>\rhc553j0e9cv\Quarantine\BrowserObjects","filename=<$PROGRAMFILES>\rhc553j0e9cv\database.dat"
Directory:"<$DIR_PROG>","<$APPDATA>\rhc553j0e9cv\Quarantine\Packages","filename=<$PROGRAMFILES>\rhc553j0e9cv\database.dat"
Directory:"<$DIR_PROG>","<$APPDATA>\rhc553j0e9cv\Quarantine","filename=<$PROGRAMFILES>\rhc553j0e9cv\database.dat"
Directory:"<$DIR_PROG>","<$APPDATA>\rhc553j0e9cv","filename=<$PROGRAMFILES>\rhc553j0e9cv\database.dat"
Directory:"<$DIR_PROG>","<$PROGRAMFILES>\rhc553j0e9cv","filename=database.dat"
Directory:"<$DIR_PROG>","<$COMMONPROGRAMS>\Antivirus XP 2008"
DownloadFile:"*.exe","filesize=1394196,md5=C5B6DD099BCEAAC80510BEADDF1C0312"

Maybe somebody can have a look at it and give me some feedback.

regards,
N.Jones
Hello Buster,
I just sent the files to the email address you mentioned. Before I made my detection rules, I installed the samples twice in a virtual machine. Both times the ID was the same, but I am quite sure that it will change soon. Is there a way to use wildcards for directories? Or is there another way I could detect this stuff without using the static name? Additionally, I am not sure if I used the start menu rules with the correct syntax (is it correct to use the file range in that way?).

I am looking forward to hearing from you.

regards,
N.Jones
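One way to approach the question above about the static directory name, as an added example that is not part of the original post and is not OpenSBI rule syntax: the indicators from the posted rule set (database.dat size range, the license.txt size and MD5, the "SM<name>" Run value, the "Antivirus XP 2008" Start menu folder, the "AntivirXP08" User Agent Post Platform value) re-expressed in Python so that the per-install directory name is matched by its structure (a Program Files directory whose main .exe carries the same name as the directory and which contains database.dat) instead of the literal rhc553j0e9cv. The host snapshot, the Snapshot class, the second random name and the name pattern NAME_RE are all constructed for the demo and are assumptions, not observed data; the license.txt content in the sample is a placeholder, so the MD5 indicator is shown not firing on it.

```python
"""Added example: structural detection of an Antivirus XP 2008 install without the static name.
Not part of the original forum post; the snapshot format and sample data are constructed."""
import hashlib
import re
from dataclasses import dataclass

# Install-independent indicators taken from the posted OpenSBI rules.
LICENSE_MD5 = "a4ceabd89cabe614f390dd8c7e1b26d2"   # license.txt, filesize=19052
LICENSE_SIZE = 19052
DATABASE_SIZE = (1000, 3000)                       # database.dat size range from the rules
START_MENU_FOLDER = "Antivirus XP 2008"
UA_POST_PLATFORM = "AntivirXP08"
RUN_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
UA_KEY = (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"
          r"\User Agent\Post Platform")
# Assumption: the random install name is a short lowercase alphanumeric token;
# used only as a sanity filter, never as the identifying indicator.
NAME_RE = re.compile(r"^[a-z0-9]{6,16}$")


@dataclass
class Snapshot:
    """Constructed stand-in for a host: files as path->bytes, registry as key->{value: data}.
    On a real machine you would walk %ProgramFiles% and query the registry instead."""
    files: dict
    registry: dict
    program_files: str = r"C:\Program Files"
    common_programs: str = r"C:\Documents and Settings\All Users\Start Menu\Programs"

    def listdir(self, parent):
        """Immediate child names below `parent` (case-insensitive path compare)."""
        prefix = parent.lower().rstrip("\\") + "\\"
        return {p[len(prefix):].split("\\", 1)[0]
                for p in self.files if p.lower().startswith(prefix)}

    def get(self, path):
        """File content for `path`, or None if absent."""
        for p, data in self.files.items():
            if p.lower() == path.lower():
                return data
        return None


def license_matches(data):
    """The File rule for license.txt: exact size and MD5 from the rule set."""
    return (data is not None and len(data) == LICENSE_SIZE
            and hashlib.md5(data).hexdigest() == LICENSE_MD5)


def find_install_dirs(snap):
    """Replace the static 'rhc553j0e9cv' with a structural match: a Program Files
    directory whose name equals its main executable and which carries database.dat."""
    hits = []
    for name in snap.listdir(snap.program_files):
        base = f"{snap.program_files}\\{name}"
        db = snap.get(f"{base}\\database.dat")
        exe = snap.get(f"{base}\\{name}.exe")
        if (NAME_RE.match(name) and exe is not None and db is not None
                and DATABASE_SIZE[0] <= len(db) <= DATABASE_SIZE[1]):
            hits.append(name)
    return hits


def detect(snap):
    """Return {install_name: [matched indicators]} for each structural candidate that
    has at least one corroborating indicator from the rule set."""
    results = {}
    run_values = snap.registry.get(RUN_KEY, {})
    ua_values = snap.registry.get(UA_KEY, {})
    start_menu = snap.listdir(snap.common_programs)
    for name in find_install_dirs(snap):
        base = f"{snap.program_files}\\{name}"
        matched = []
        # AutoRun rule: Run value "SM<name>" pointing at <name>.exe in the install dir.
        if run_values.get("SM" + name, "").lower() == f"{base}\\{name}.exe".lower():
            matched.append("autorun")
        if UA_POST_PLATFORM in ua_values:          # RegyValue rule
            matched.append("user_agent")
        if START_MENU_FOLDER in start_menu:        # Directory rule on <$COMMONPROGRAMS>
            matched.append("start_menu")
        if license_matches(snap.get(f"{base}\\license.txt")):
            matched.append("license_md5")
        if matched:
            results[name] = matched
    return results


def sample_snapshot():
    """Constructed sample: a different random name stands in for a future variant."""
    name = "qzt91a0ke7bx"                          # constructed, not an observed sample
    base = f"C:\\Program Files\\{name}"
    sm = r"C:\Documents and Settings\All Users\Start Menu\Programs"
    files = {
        f"{base}\\{name}.exe": b"MZ" + b"\x00" * 64,
        f"{base}\\database.dat": b"\x01" * 1500,
        f"{base}\\license.txt": b"CONSTRUCTED PLACEHOLDER\n",  # real file not reproduced
        f"{sm}\\Antivirus XP 2008\\Antivirus XP 2008.lnk": b"L" * 300,
        r"C:\Program Files\Mozilla Firefox\firefox.exe": b"MZ" + b"\x00" * 64,
    }
    registry = {RUN_KEY: {"SM" + name: f"{base}\\{name}.exe"},
                UA_KEY: {UA_POST_PLATFORM: b""}}
    return Snapshot(files, registry)


if __name__ == "__main__":
    print(detect(sample_snapshot()))
```

The structural match alone is deliberately not enough to report a hit; it needs one of the corroborating indicators, which keeps a benign program that happens to ship a database.dat from being flagged. The MD5 indicator stays in as the strongest single signal for the sample N.Jones hashed, but as the output of the constructed run shows, detection does not depend on it.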
Hello N.Jones
If you used the same VMware virtual machine for both of your tests, that could be the reason why the name of the directories was the same.
The file range you used for your start menu rules is very big. I think it should be OK to use a smaller one. But the syntax is correct.

regards,
Markus