Thread: New Malware v14


    New Malware v14

    I've collected Spybot detection rules (SBI format) for the following malware families:
    • Adware.MyWaySearch
    • Adware.RelevantKnowledge
    • Adware.SaveNow
    • Malware.Mirar
    • Malware.Unknown(2)
    • Malware.Zbot
    • Rogue.SpywareProtection2009
    • Rogue.SystemSecurity
    • Rogue.Unknown
    • Trojan.Downloader(2)
    • Trojan.Ertfor
    • Trojan.FakeAlert
    • Trojan.Knockit
    • Trojan.LowZones
    • Trojan.Unknown(13)
    • Trojan.Virtomonde
    • Trojan.Zlob-Downloader
    • Worm.Koobface


    All feedback is gratefully accepted — in particular reports of false positives on the wildcarded file names and of registry entries the rules miss.
    Category: Trojan
    Code:
    :: New Malware v14
    // Revision 1
    // {Cat:Trojan}{Cnt:1}
    // {Det:Matt,2009-07-05}
    
    
    // Adware.MyWaySearch:
    // IE URL search hook + BHO/CLSID registrations, an HKCU Run entry and the
    // MyWebSearch / MyWaySA program files.
    // NOTE(review): the URLSearchHooks CLSID (...4D25F926...) differs from the BHO and
    // CLSID entries (...4D25F921...); confirm both IDs are intended and not a transcription slip.
    RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\","{4D25F926-B9FE-4682-BF72-8AB8210D6D75}"
    RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{4D25F921-B9FE-4682-BF72-8AB8210D6D75}"
    RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{4D25F921-B9FE-4682-BF72-8AB8210D6D75}"
    // flagifnofile=1 presumably reports the Run entry even when the target file is already
    // gone (compare the flagifnofile=0 wildcard entries elsewhere in this file) — confirm against the SBI spec.
    AutoRun:"My Web Search Community Tools","<$PROGRAMFILES>\MyWebSearch\bar\2.bin\m3IMPipe.exe","flagifnofile=1"
    RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","My Web Search Community Tools"
    File:"<$FILE_EXE>","<$PROGRAMFILES>\MyWebSearch\bar\2.bin\m3IMPipe.exe"
    File:"<$FILE_LIBRARY>","<$PROGRAMFILES>\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll"
    
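    // Adware.RelevantKnowledge:
    // AppInit_DLLs injection (rlai.dll, loaded into every process that maps user32.dll)
    // plus a Winlogon Notify package (rlls.dll).
    RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\rlai.dll"
    RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\","RelevantKnowledge","DllName=<$SYSDIR>\rlls.dll"
    // Fixed: this File rule previously targeted "rlai.dl", which can never match the
    // "rlai.dll" named in the AppInit_DLLs entry above, so the injected DLL was left on disk.
    File:"<$FILE_LIBRARY>","<$SYSDIR>\rlai.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\rlls.dll"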
    
    // Adware.SaveNow:
    // Per-user install: HKCU Run entry "Save" pointing at Save.exe under the user's APPDATA.
    AutoRun:"Save","<$APPDATA>\Save\Save.exe","flagifnofile=1"
    RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","Save"
    File:"<$FILE_EXE>","<$APPDATA>\Save\Save.exe"
    // The directory is only matched when Save.exe is present in it (filename= qualifier),
    // which keeps an unrelated "Save" folder from being flagged.
    Directory:"<$DIR_PROG>","<$APPDATA>\Save","filename=Save.exe"
    
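    // Malware.Mirar:
    // One BHO and two IE toolbar CLSIDs; the DLL name is wildcarded (win??78.dll) and is
    // searched in both <$SYSDIR> and <$WINDIR>\SysWow64.
    // NOTE(review): "win??78.dll" is a loose pattern — review false-positive reports for it.
    BrowserHelperEx:"Mirar",
    RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{9E976D51-45AD-4C04-832E-7FF6670F916D}"
    RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{9E976D51-45AD-4C04-832E-7FF6670F916D}"
    RegyValue:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Internet Explorer\Toolbar\","{239FF45C-AEFB-4D35-82DE-9F707CBC426F}"
    RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{239FF45C-AEFB-4D35-82DE-9F707CBC426F}"
    RegyValue:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Internet Explorer\Toolbar\","{9E976D50-45AD-4C04-832E-7FF6670F916D}"
    RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{9E976D50-45AD-4C04-832E-7FF6670F916D}"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\win??78.dll"
    File:"<$FILE_LIBRARY>","<$WINDIR>\SysWow64\win??78.dll"
    // Fixed: a second, identical File rule for "<$SYSDIR>\win??78.dll" was listed here and has been dropped.
    Directory:"<$DIR_PROG>","<$WINDIR>\SysWow64","filename=win??78.dll"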
    
    // Malware.Unknown(1):
    // HKCU Run entry; note the on-disk file carries a leading underscore that the
    // Run value name does not.
    AutoRun:"A00F33A19322.exe","<$LOCALSETTINGS>\Temp\_A00F33A19322.exe","flagifnofile=1"
    RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","A00F33A19322.exe"
    File:"<$FILE_EXE>","<$LOCALSETTINGS>\Temp\_A00F33A19322.exe"
    
    // Malware.Unknown(2):
    // HKLM Run entry named "helper.dll" under <$PROGRAMFILES>\3721.
    // NOTE(review): the File rule uses <$FILE_EXE> for a .dll, whereas every other DLL in this
    // file uses <$FILE_LIBRARY>; confirm whether the type token matters to the scanner.
    AutoRun:"helper.dll","<$PROGRAMFILES>\3721\helper.dll","flagifnofile=1"
    RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","helper.dll"
    File:"<$FILE_EXE>","<$PROGRAMFILES>\3721\helper.dll"
    Directory:"<$DIR_PROG>","<$PROGRAMFILES>\3721","filename=helper.dll"
    
    // Malware.Zbot:
    // Persists by appending sdra64.exe to the Winlogon UserInit list. RegyRemove presumably
    // strips only the named entry from the comma-separated value, leaving the legitimate
    // userinit.exe in place — confirm; a full removal of UserInit would break logon.
    RegyRemove:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\","UserInit","<$SYSDIR>\sdra64.exe"
    // Value as observed on an infected machine, kept for reference (not an active rule):
    // RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\","UserInit","UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,  Malware.Zbot"
    File:"<$FILE_EXE>","<$SYSDIR>\sdra64.exe"
    
    // Rogue.SpywareProtection2009:
    // Two BHO registrations (generic display name "BHO") backed by iehelper.dll in <$SYSDIR>.
    BrowserHelperEx:"BHO",
    RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{029d18cb-8632-463c-93b7-c210ae50c722}"
    RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{029d18cb-8632-463c-93b7-c210ae50c722}"
    RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{8567EDFA-408C-43e9-B929-4C25C04F5003}"
    RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{8567EDFA-408C-43e9-B929-4C25C04F5003}"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\iehelper.dll"
    
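    // Rogue.SystemSecurity:
    // HKCU Run entry "kell" -> liser.exe, plus an AppInit_DLLs injection of liser.dll from the same folder.
    AutoRun:"kell","<$PROGRAMFILES>\manson\liser.exe","flagifnofile=1"
    RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","kell"
    RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$PROGRAMFILES>\manson\liser.dll"
    File:"<$FILE_EXE>","<$PROGRAMFILES>\manson\liser.exe"
    // Added: liser.dll is referenced by the AppInit_DLLs entry above but had no File rule of
    // its own; it was only covered indirectly by the Directory rule, which is conditioned on liser.exe.
    File:"<$FILE_LIBRARY>","<$PROGRAMFILES>\manson\liser.dll"
    Directory:"<$DIR_PROG>","<$PROGRAMFILES>\manson","filename=liser.exe"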
    
    // Rogue.Unknown:
    // HKLM Run entry and executable in a numeric-named folder under <$COMMONAPPDATA>.
    AutoRun:"17508434","<$COMMONAPPDATA>\17508434\17508434.exe","flagifnofile=1"
    RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","17508434"
    File:"<$FILE_EXE>","<$COMMONAPPDATA>\17508434\17508434.exe"
    // NOTE(review): unlike the other Directory rules in this file this one has no "filename="
    // qualifier, so it presumably matches the folder regardless of contents — confirm that is intended.
    Directory:"<$DIR_PROG>","<$COMMONAPPDATA>\17508434"
    
    // Trojan.Downloader(1):
    // BHO "IEHlprObj Class" under two CLSIDs; the DLL names rotate, hence the '?' wildcards.
    BrowserHelperEx:"IEHlprObj Class",
    RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{AF4DA69B-E1D6-469A-855B-6445294857D4}"
    RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{AF4DA69B-E1D6-469A-855B-6445294857D4}"
    RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{F171A450-7AF5-43E1-AFED-EDC826A1B0F5}"
    RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{F171A450-7AF5-43E1-AFED-EDC826A1B0F5}"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\ahnxsds?.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\bgdferw?.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\bgotrtu?.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\7hjetrr0.dll"
    
    // Trojan.Downloader(2):
    // HKCU Run entries "Cognac" (two observed targets in the user's Temp folder) and "ColdWare" (msc.exe in <$WINDIR>).
    AutoRun:"Cognac","<$LOCALAPPDATA>\Temp\ABDC.tmp.exe","flagifnofile=1"
    AutoRun:"ColdWare","<$WINDIR>\msc.exe","flagifnofile=1"
    AutoRun:"Cognac","<$LOCALSETTINGS>\temp\d.exe","flagifnofile=1"
    RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","Cognac"
    RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","ColdWare"
    File:"<$FILE_EXE>","<$LOCALAPPDATA>\Temp\ABDC.tmp.exe"
    File:"<$FILE_EXE>","<$WINDIR>\msc.exe"
    File:"<$FILE_EXE>","<$LOCALSETTINGS>\temp\d.exe"
    
    // Trojan.Ertfor:
    // BHO (gsf83iujid.dll), an HKCU Run entry with a random-looking name, a SharedTaskScheduler
    // entry pointing at the same CLSID, and dropper executables in the user's Temp folder.
    BrowserHelperEx:"<$SYSDIR>\gsf83iujid.dll",
    // The same CLSID is listed in lower- and upper-case. Registry key names are
    // case-insensitive on Windows; both spellings are kept in case the rule matcher is not.
    RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{d76ab2a1-00f3-42bd-f434-00bbc39c8953}"
    RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{d76ab2a1-00f3-42bd-f434-00bbc39c8953}"
    RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{D76AB2A1-00F3-42BD-F434-00BBC39C8953}"
    RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{D76AB2A1-00F3-42BD-F434-00BBC39C8953}"
    // Each dropper is listed twice: once under the observed Run value name (flagifnofile=1)
    // and once under "*" with flagifnofile=0, presumably to catch the same path under any
    // other value name only while the file still exists — confirm against the SBI spec.
    AutoRun:"hsf7husjnfg98gi498aejhiugjkdg4","<$LOCALSETTINGS>\Temp\re6q60.exe","flagifnofile=1"
    AutoRun:"*","<$LOCALSETTINGS>\Temp\re6q60.exe","flagifnofile=0"
    AutoRun:"hsf7husjnfg98gi498aejhiugjkdg4","<$LOCALSETTINGS>\Temp\iwt2k.exe","flagifnofile=1"
    AutoRun:"*","<$LOCALSETTINGS>\Temp\iwt2k.exe","flagifnofile=0"
    AutoRun:"hsf7husjnfg98gi498aejhiugjkdg4","<$LOCALSETTINGS>\Temp\vz735ap.exe","flagifnofile=1"
    AutoRun:"*","<$LOCALSETTINGS>\Temp\vz735ap.exe","flagifnofile=0"
    RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","hsf7husjnfg98gi498aejhiugjkdg4"
    RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","rtasgvfu76ew8ndkfno94","rtasgvfu76ew8ndkfno94={D76AB2A1-00F3-42BD-F434-00BBC39C8953}"
    File:"<$FILE_EXE>","<$LOCALSETTINGS>\Temp\re6q60.exe"
    File:"<$FILE_EXE>","<$LOCALSETTINGS>\Temp\iwt2k.exe"
    File:"<$FILE_EXE>","<$LOCALSETTINGS>\Temp\vz735ap.exe"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\gsf83iujid.dll"
    
    // Trojan.FakeAlert:
    // HKCU Run entry whose value name ("LowRiskFileTypes") imitates an Internet Explorer
    // policy setting; the target is sysguard.exe dropped directly into <$WINDIR>.
    AutoRun:"LowRiskFileTypes","<$WINDIR>\sysguard.exe","flagifnofile=1"
    RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","LowRiskFileTypes"
    File:"<$FILE_EXE>","<$WINDIR>\sysguard.exe"
    
    // Trojan.Knockit:
    // HKCU Run entry disguised as a Windows service name; the file name "cssrss.exe"
    // (double s) imitates the legitimate csrss.exe, so the rule must stay exact-match.
    AutoRun:"WMDM PMSP Service","<$SYSDIR>\cssrss.exe","flagifnofile=1"
    RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","WMDM PMSP Service"
    File:"<$FILE_EXE>","<$SYSDIR>\cssrss.exe"
    
    // Trojan.LowZones:
    // NOTE(review): an "ImagePath=" value and the <$FILE_SERVICE> type look like a service
    // registration (HKLM\SYSTEM\CurrentControlSet\Services\lich), whereas this RegyKey is
    // placed under Explorer\SharedTaskScheduler, whose values are normally CLSIDs. Confirm
    // the key path against the original log before relying on this rule.
    RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","lich","ImagePath=<$SYSDIR>\lich.exe"
    File:"<$FILE_SERVICE>","<$SYSDIR>\lich.exe"
    
    // Trojan.Unknown(1):
    // gwd.exe appended to the Winlogon UserInit list (started with a "\s" argument).
    // Only the gwd.exe entry is removed; the legitimate userinit.exe entry must remain.
    RegyRemove:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\","UserInit","<$PROFILE>\gwd.exe"
    // Value as observed on a German-locale machine, kept for reference (account name redacted):
    // RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\","UserInit","UserInit=C:\WINDOWS\system32\userinit.exe,C:\Dokumente und Einstellungen\<user>\gwd.exe \s  Trojan.Unknown"
    File:"<$FILE_EXE>","<$PROFILE>\gwd.exe"
    
    // Trojan.Unknown(2):
    // Same persistence technique as Trojan.Unknown(1) with a different file name (kwu.exe).
    RegyRemove:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\","UserInit","<$PROFILE>\kwu.exe"
    // Value as observed on an English-locale machine, kept for reference (account name redacted):
    // RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\","UserInit","UserInit=C:\WINDOWS\system32\userinit.exe,C:\Documents and Settings\<user>\kwu.exe \s Trojan.Unknown"
    File:"<$FILE_EXE>","<$PROFILE>\kwu.exe"
    
    // Trojan.Unknown(3):
    // Two HKCU Run entries with vendor-sounding names ("kvasoft", "ahnsoft") pointing at
    // executables in <$SYSDIR>.
    AutoRun:"kvasoft","<$SYSDIR>\kva8wr.exe","flagifnofile=1"
    AutoRun:"ahnsoft","<$SYSDIR>\ahnsbsb.exe","flagifnofile=1"
    RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","kvasoft"
    RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","ahnsoft"
    File:"<$FILE_EXE>","<$SYSDIR>\kva8wr.exe"
    File:"<$FILE_EXE>","<$SYSDIR>\ahnsbsb.exe"
    
    // Trojan.Unknown(4): the Run value name and the file name follow the local account name
    // (observed here as "Pat"). As written this rule only matches an account called Pat;
    // a wildcard (e.g. <$PROFILES>\?*\?*.exe) is not used on purpose to avoid hitting legitimate
    // per-user programs, so expect to add further literal names as samples come in.
    AutoRun:"Pat","<$PROFILES>\Pat\Pat.exe","flagifnofile=1"
    RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","Pat"
    File:"<$FILE_EXE>","<$PROFILES>\Pat\Pat.exe"
    
    // Trojan.Unknown(5):
    // HKCU Run entry "Windows System Recover!" with two observed targets whose names imitate
    // system binaries. Both paths are restricted to the user's Temp folder, so the real
    // taskmgr.exe / services.exe in <$SYSDIR> are not matched.
    AutoRun:"Windows System Recover!","<$LOCALSETTINGS>\Temp\taskmgr.exe","flagifnofile=1"
    AutoRun:"Windows System Recover!","<$LOCALSETTINGS>\Temp\services.exe","flagifnofile=1"
    RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","Windows System Recover!"
    File:"<$FILE_EXE>","<$LOCALSETTINGS>\Temp\taskmgr.exe"
    File:"<$FILE_EXE>","<$LOCALSETTINGS>\Temp\services.exe"
    
    // Trojan.Unknown(6):
    // HKLM Run entry "feltv" -> feltv.exe in <$SYSDIR>.
    AutoRun:"feltv","<$SYSDIR>\feltv.exe","flagifnofile=1"
    RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","feltv"
    File:"<$FILE_EXE>","<$SYSDIR>\feltv.exe"
    
    // Trojan.Unknown(7):
    // HKLM Run entry with a random-looking name. NOTE(review): the value name (rgc94vj0ec1t)
    // and the file name (qgce4vj0ec1t.exe) differ by a few characters — confirm this matches
    // the original log and is not a transcription error.
    AutoRun:"rgc94vj0ec1t","<$SYSDIR>\qgce4vj0ec1t.exe","flagifnofile=1"
    RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","rgc94vj0ec1t"
    File:"<$FILE_EXE>","<$SYSDIR>\qgce4vj0ec1t.exe"
    
    // Trojan.Unknown(8):
    // HKLM Run entry and executable sharing the same random-looking name.
    AutoRun:"7b6emhqv","<$SYSDIR>\7b6emhqv.exe","flagifnofile=1"
    RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","7b6emhqv"
    File:"<$FILE_EXE>","<$SYSDIR>\7b6emhqv.exe"
    
    // Trojan.Unknown(9):
    // HKLM Run entry "cftmon" (a look-alike of the legitimate ctfmon) pointing at igwl.exe.
    // The rule keys on the exact value name, so the real "ctfmon.exe" entry is unaffected.
    AutoRun:"cftmon","<$SYSDIR>\igwl.exe","flagifnofile=1"
    RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","cftmon"
    File:"<$FILE_EXE>","<$SYSDIR>\igwl.exe"
    
    // Trojan.Unknown(10):
    // HKLM Run entry pointing at UIUCU.EXE in the user's Temp folder.
    AutoRun:"UIUCU","<$LOCALSETTINGS>\Temp\UIUCU.EXE","flagifnofile=1"
    RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","UIUCU"
    File:"<$FILE_EXE>","<$LOCALSETTINGS>\Temp\UIUCU.EXE"
    
    // Trojan.Unknown(11):
    // Two DLLs injected via AppInit_DLLs. The registry entries are given as bare file names
    // (as observed in the value), while the File rules resolve them in <$SYSDIR>.
    RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","ydsisg.dll"
    RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","secibw.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\ydsisg.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\secibw.dll"
    
    // Trojan.Unknown(12):
    // AppInit_DLLs injection of a wildcard-named DLL (*mxx.dll) from a Temp folder.
    // NOTE(review): a File rule also covers <$WINDIR>\TEMP\*mxx.dll, but there is no matching
    // RegyRemove for that location; if the AppInit value can point there too, add one.
    RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$LOCALSETTINGS>\Temp\*mxx.dll"
    File:"<$FILE_LIBRARY>","<$WINDIR>\TEMP\*mxx.dll"
    File:"<$FILE_LIBRARY>","<$LOCALSETTINGS>\Temp\*mxx.dll"
    
    // Trojan.Unknown(13):
    // ShellServiceObjectDelayLoad entry (loaded by Explorer at start-up) plus ewq.dll.
    // NOTE(review): no RegyKey covers the referenced CLSID under \SOFTWARE\Classes\CLSID\,
    // so the COM registration pointing at ewq.dll is presumably left behind — confirm and add
    // it if the log shows one.
    RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","TYzIvwFqyZx","TYzIvwFqyZx={F8063C18-52AC-96B2-8FA5-7BB0C59920DE}"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\ewq.dll"
    
    // Trojan.Virtomonde:
    // Polymorphic family — every sample uses fresh random DLL names, so this section is a
    // union of everything observed so far: BHO CLSIDs, Run entries, AppInit_DLLs injections,
    // Winlogon Notify packages, and the loose DLLs that go with them. Expect it to keep growing.
    BrowserHelperEx:"{d06bef43-84af-f4eb-d174-bc2dca31fdac}",
    RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{ad2821c4-7eac-471a-98ea-eb6830452ef9}"
    RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{ad2821c4-7eac-471a-98ea-eb6830452ef9}"
    RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{a49c65e5-3cca-4fb4-8703-f2cd5da3f5a1}"
    RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{a49c65e5-3cca-4fb4-8703-f2cd5da3f5a1}"
    RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{B977FE3A-C5CF-4719-A69F-8C5C8A5B482F}"
    RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{B977FE3A-C5CF-4719-A69F-8C5C8A5B482F}"
    RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{cadf13ac-d2cb-471d-be4f-fa4834feb60d}"
    RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{cadf13ac-d2cb-471d-be4f-fa4834feb60d}"
    RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{8B2A62D8-E333-42C1-955B-DC5278F9FF4D}"
    RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{8B2A62D8-E333-42C1-955B-DC5278F9FF4D}"
    RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{D789FB8B-BEB5-4ECB-B3EE-C3673530D3D3}"
    RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{D789FB8B-BEB5-4ECB-B3EE-C3673530D3D3}"
    RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{3E92B715-495F-4C58-A770-166D68E9544D}"
    RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{3E92B715-495F-4C58-A770-166D68E9544D}"
    // "net.net" is an executable with a non-.exe extension, registered under HKCU and HKLM Run.
    AutoRun:"net","<$SYSDIR>\net.net","flagifnofile=1"
    // Wildcard value name: any Run entry whose target is one of these DLLs, but only while the file exists.
    AutoRun:"*","<$SYSDIR>\hekajezo.dll","flagifnofile=0"
    AutoRun:"*","<$SYSDIR>\nakuteye.dll","flagifnofile=0"
    RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","net"
    RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","net"
    RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","a8453c32"
    RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","nepowijipe"
    // AppInit_DLLs entries. Some are given with a full <$SYSDIR> path and some as bare names
    // ("ylwumy" even without the .dll extension), mirroring how each value was observed;
    // presumably the matcher compares the list item literally — confirm before normalising them.
    RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\bedezn.dll"
    RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\dogatidi.dll"
    RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\rjmzba.dll"
    RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\vrqgfa.dll"
    RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\pewejima1.dll"
    RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\pewejima.dll"
    RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","ylwumy"
    RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","fqjjmi.dll"
    RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\ldlsfj.dll"
    RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\yavipeje.dll"
    RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","quiyav.dll"
    RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","josmkp.dll"
    // Winlogon Notify packages. Where a DllName is given the key is matched on it; the
    // "geBqQGwv" entry has none, so that key is presumably matched by name alone — confirm.
    // Note "ioqoilpx" points at ywrdohk.dll (key name and DLL name differ) and "__c0073cb4"
    // loads a .dat file, which is why that file is listed as <$FILE_DATA> below.
    RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\","byxvvtr","DllName=<$SYSDIR>\byxvvtr.dll"
    RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\","ioqoilpx","DllName=<$SYSDIR>\ywrdohk.dll"
    RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\","geBqQGwv"
    RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\","cbcecbcccdfa","DllName=<$SYSDIR>\cbcecbcccdfa.dll"
    RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\","fccbBssq","DllName=fccbBssq.dll"
    RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\","__c0073cb4","DllName=<$SYSDIR>\__c0073CB4.dat"
    RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\","geedb","DllName=<$SYSDIR>\geedb.dll"
    RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\","bYoomKee","DllName=<$SYSDIR>\bYoomKee.dll"
    // Files. jujutoji.dll, yetodiho.dll, iifdcBSm.dll, vtsqq.dll and urqNDWMF.dll have no
    // registry rule in this section — they were seen alongside the others and are removed on name alone.
    File:"<$FILE_EXE>","<$SYSDIR>\net.net"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\jujutoji.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\yetodiho.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\iifdcBSm.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\ylwumy.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\vtsqq.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\ywrdohk.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\urqNDWMF.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\hekajezo.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\nakuteye.dll"
    File:"<$FILE_DATA>","<$SYSDIR>\__c0073CB4.dat"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\geedb.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\bedezn.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\dogatidi.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\rjmzba.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\vrqgfa.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\pewejima1.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\pewejima.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\fqjjmi.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\ldlsfj.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\yavipeje.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\quiyav.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\josmkp.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\byxvvtr.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\ywrdohk.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\cbcecbcccdfa.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\fccbBssq.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\bYoomKee.dll"
    
    // Trojan.Zlob-Downloader:
    // Two ShellServiceObjectDelayLoad entries (objects Explorer instantiates at start-up).
    // NOTE(review): only the SSODL values are covered — there is no RegyKey for either CLSID
    // under \SOFTWARE\Classes\CLSID\ and no File rule, so the registered DLL itself is left on
    // disk after cleaning; add both once the DLL name is known from a log.
    RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","kvxqmtre","kvxqmtre={4BD2C3BB-696E-4D44-B8F7-083215415D25}"
    RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","evgratsm","evgratsm={5424224E-ED69-4DA2-A9A0-6190B9FCC156}"
    
    // Worm.Koobface:
    // Three HKLM Run entries whose targets sit directly in <$WINDIR> with a two-character
    // random suffix (ld??.exe, pp??.exe, mstre??.exe) — hence the '?' wildcards in the file rules.
    AutoRun:"sysldtray","<$WINDIR>\ld??.exe","flagifnofile=1"
    AutoRun:"pp","<$WINDIR>\pp??.exe","flagifnofile=1"
    AutoRun:"sysmstray","<$WINDIR>\mstre??.exe","flagifnofile=1"
    RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","sysldtray"
    RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","pp"
    RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","sysmstray"
    File:"<$FILE_EXE>","<$WINDIR>\ld??.exe"
    File:"<$FILE_EXE>","<$WINDIR>\pp??.exe"
    File:"<$FILE_EXE>","<$WINDIR>\mstre??.exe"
    Last edited by Matt; 2009-07-06 at 00:53.
