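:: New Malware v14
// Revision 1
// {Cat:Trojan}{Cnt:1}
// {Det:Matt,2009-07-05}
// Detection/removal rules grouped per family. Each family block pairs the
// persistence entry it looks for (AutoRun / RegyValue / RegyKey / RegyRemove)
// with the File / Directory entries that back it. The "<$...>" tokens appear
// to be include-file placeholders for system paths (<$SYSDIR>, <$PROGRAMFILES>,
// <$LOCALSETTINGS>, ...) and rule categories (<$REG_AUTORUN>, <$FILE_EXE>, ...).
// Lines starting with "//" are comments; some blocks keep the raw registry
// value seen on the sample system as a commented-out line for reference.
// Adware.MyWaySearch:
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\","{4D25F926-B9FE-4682-BF72-8AB8210D6D75}"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{4D25F921-B9FE-4682-BF72-8AB8210D6D75}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{4D25F921-B9FE-4682-BF72-8AB8210D6D75}"
AutoRun:"My Web Search Community Tools","<$PROGRAMFILES>\MyWebSearch\bar\2.bin\m3IMPipe.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","My Web Search Community Tools"
File:"<$FILE_EXE>","<$PROGRAMFILES>\MyWebSearch\bar\2.bin\m3IMPipe.exe"
File:"<$FILE_LIBRARY>","<$PROGRAMFILES>\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll"
// Adware.RelevantKnowledge:
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\rlai.dll"
RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\","RelevantKnowledge","DllName=<$SYSDIR>\rlls.dll"
// File name corrected to rlai.dll so it matches the AppInit_DLLs entry above
// (the rule previously read "rlai.dl" and would never have matched the DLL).
File:"<$FILE_LIBRARY>","<$SYSDIR>\rlai.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\rlls.dll"
// Adware.SaveNow:
AutoRun:"Save","<$APPDATA>\Save\Save.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","Save"
File:"<$FILE_EXE>","<$APPDATA>\Save\Save.exe"
Directory:"<$DIR_PROG>","<$APPDATA>\Save","filename=Save.exe"
// Malware.Mirar:
BrowserHelperEx:"Mirar",
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{9E976D51-45AD-4C04-832E-7FF6670F916D}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{9E976D51-45AD-4C04-832E-7FF6670F916D}"
RegyValue:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Internet Explorer\Toolbar\","{239FF45C-AEFB-4D35-82DE-9F707CBC426F}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{239FF45C-AEFB-4D35-82DE-9F707CBC426F}"
RegyValue:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Internet Explorer\Toolbar\","{9E976D50-45AD-4C04-832E-7FF6670F916D}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{9E976D50-45AD-4C04-832E-7FF6670F916D}"
// The "??" wildcard covers the two varying characters in the dropped DLL name.
// (An exact duplicate of the <$SYSDIR> line was removed here.)
File:"<$FILE_LIBRARY>","<$SYSDIR>\win??78.dll"
File:"<$FILE_LIBRARY>","<$WINDIR>\SysWow64\win??78.dll"
// NOTE(review): every other Directory rule in this file targets a directory
// owned by the malware (e.g. <$APPDATA>\Save). This one names the Windows
// SysWow64 directory itself; if the removal action for a Directory rule deletes
// the matched directory, this would remove a system directory. Confirm the
// semantics of "filename=" before shipping, or rely on the File rule above.
Directory:"<$DIR_PROG>","<$WINDIR>\SysWow64","filename=win??78.dll"
// Malware.Unknown(1):
AutoRun:"A00F33A19322.exe","<$LOCALSETTINGS>\Temp\_A00F33A19322.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","A00F33A19322.exe"
File:"<$FILE_EXE>","<$LOCALSETTINGS>\Temp\_A00F33A19322.exe"
// Malware.Unknown(2):
AutoRun:"helper.dll","<$PROGRAMFILES>\3721\helper.dll","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","helper.dll"
File:"<$FILE_EXE>","<$PROGRAMFILES>\3721\helper.dll"
Directory:"<$DIR_PROG>","<$PROGRAMFILES>\3721","filename=helper.dll"
// Malware.Zbot:
// RegyRemove presumably strips only the sdra64.exe component from the UserInit
// value, leaving the legitimate userinit.exe entry in place; the commented line
// below is the raw value as seen on the sample system, kept for reference.
RegyRemove:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\","UserInit","<$SYSDIR>\sdra64.exe"
// RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\","UserInit","UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe, Malware.Zbot"
File:"<$FILE_EXE>","<$SYSDIR>\sdra64.exe"
// Rogue.SpywareProtection2009:
BrowserHelperEx:"BHO",
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{029d18cb-8632-463c-93b7-c210ae50c722}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{029d18cb-8632-463c-93b7-c210ae50c722}"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{8567EDFA-408C-43e9-B929-4C25C04F5003}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{8567EDFA-408C-43e9-B929-4C25C04F5003}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\iehelper.dll"
// Rogue.SystemSecurity:
AutoRun:"kell","<$PROGRAMFILES>\manson\liser.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","kell"
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$PROGRAMFILES>\manson\liser.dll"
// NOTE(review): liser.dll is removed from AppInit_DLLs above but has no File
// rule of its own; the Directory rule is what is expected to take it away.
File:"<$FILE_EXE>","<$PROGRAMFILES>\manson\liser.exe"
Directory:"<$DIR_PROG>","<$PROGRAMFILES>\manson","filename=liser.exe"
// Rogue.Unknown:
AutoRun:"17508434","<$COMMONAPPDATA>\17508434\17508434.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","17508434"
File:"<$FILE_EXE>","<$COMMONAPPDATA>\17508434\17508434.exe"
Directory:"<$DIR_PROG>","<$COMMONAPPDATA>\17508434"
// Trojan.Downloader(1):
BrowserHelperEx:"IEHlprObj Class",
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{AF4DA69B-E1D6-469A-855B-6445294857D4}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{AF4DA69B-E1D6-469A-855B-6445294857D4}"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{F171A450-7AF5-43E1-AFED-EDC826A1B0F5}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{F171A450-7AF5-43E1-AFED-EDC826A1B0F5}"
// Single-character "?" wildcards cover the varying last character of each DLL.
File:"<$FILE_LIBRARY>","<$SYSDIR>\ahnxsds?.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\bgdferw?.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\bgotrtu?.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\7hjetrr0.dll"
// Trojan.Downloader(2):
// "Cognac" is listed twice because the same Run value has been seen pointing at
// two different drop locations.
AutoRun:"Cognac","<$LOCALAPPDATA>\Temp\ABDC.tmp.exe","flagifnofile=1"
AutoRun:"ColdWare","<$WINDIR>\msc.exe","flagifnofile=1"
AutoRun:"Cognac","<$LOCALSETTINGS>\temp\d.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","Cognac"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","ColdWare"
File:"<$FILE_EXE>","<$LOCALAPPDATA>\Temp\ABDC.tmp.exe"
File:"<$FILE_EXE>","<$WINDIR>\msc.exe"
File:"<$FILE_EXE>","<$LOCALSETTINGS>\temp\d.exe"
// Trojan.Ertfor:
BrowserHelperEx:"<$SYSDIR>\gsf83iujid.dll",
// The CLSID is listed in both lower- and upper-case spelling, presumably
// because the matcher is case-sensitive — verify against the rule engine.
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{d76ab2a1-00f3-42bd-f434-00bbc39c8953}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{d76ab2a1-00f3-42bd-f434-00bbc39c8953}"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{D76AB2A1-00F3-42BD-F434-00BBC39C8953}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{D76AB2A1-00F3-42BD-F434-00BBC39C8953}"
// Each dropper is listed twice: once under the observed Run value name and
// once under "*" with flagifnofile=0 (the meaning of "*" is not documented
// in this file — presumably "any value name"; confirm before relying on it).
AutoRun:"hsf7husjnfg98gi498aejhiugjkdg4","<$LOCALSETTINGS>\Temp\re6q60.exe","flagifnofile=1"
AutoRun:"*","<$LOCALSETTINGS>\Temp\re6q60.exe","flagifnofile=0"
AutoRun:"hsf7husjnfg98gi498aejhiugjkdg4","<$LOCALSETTINGS>\Temp\iwt2k.exe","flagifnofile=1"
AutoRun:"*","<$LOCALSETTINGS>\Temp\iwt2k.exe","flagifnofile=0"
AutoRun:"hsf7husjnfg98gi498aejhiugjkdg4","<$LOCALSETTINGS>\Temp\vz735ap.exe","flagifnofile=1"
AutoRun:"*","<$LOCALSETTINGS>\Temp\vz735ap.exe","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","hsf7husjnfg98gi498aejhiugjkdg4"
RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","rtasgvfu76ew8ndkfno94","rtasgvfu76ew8ndkfno94={D76AB2A1-00F3-42BD-F434-00BBC39C8953}"
File:"<$FILE_EXE>","<$LOCALSETTINGS>\Temp\re6q60.exe"
File:"<$FILE_EXE>","<$LOCALSETTINGS>\Temp\iwt2k.exe"
File:"<$FILE_EXE>","<$LOCALSETTINGS>\Temp\vz735ap.exe"
File:"<$FILE_LIBRARY>","<$SYSDIR>\gsf83iujid.dll"
// Trojan.FakeAlert:
AutoRun:"LowRiskFileTypes","<$WINDIR>\sysguard.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","LowRiskFileTypes"
File:"<$FILE_EXE>","<$WINDIR>\sysguard.exe"
// Trojan.Knockit:
// Note the extra "s" in cssrss.exe; the rule must not be "corrected" to the
// legitimate csrss.exe name.
AutoRun:"WMDM PMSP Service","<$SYSDIR>\cssrss.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","WMDM PMSP Service"
File:"<$FILE_EXE>","<$SYSDIR>\cssrss.exe"
// Trojan.LowZones:
RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","lich","ImagePath=<$SYSDIR>\lich.exe"
File:"<$FILE_SERVICE>","<$SYSDIR>\lich.exe"
// Trojan.Unknown(1):
// The commented RegyValue lines in (1) and (2) are the raw UserInit values from
// the sample systems; the live RegyRemove rules use <$PROFILE> instead of the
// hard-coded profile path so they apply to any user.
RegyRemove:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\","UserInit","<$PROFILE>\gwd.exe"
// RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\","UserInit","UserInit=C:\WINDOWS\system32\userinit.exe,C:\Dokum ente und Einstellungen\Nico\gwd.exe \s Trojan.Unknown"
File:"<$FILE_EXE>","<$PROFILE>\gwd.exe"
// Trojan.Unknown(2):
RegyRemove:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\","UserInit","<$PROFILE>\kwu.exe"
// RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\","UserInit","UserInit=C:\WINDOWS\system32\userinit.exe,C:\Documents and Settings\Misael\kwu.exe \s Trojan.Unknown"
File:"<$FILE_EXE>","<$PROFILE>\kwu.exe"
// Trojan.Unknown(3):
AutoRun:"kvasoft","<$SYSDIR>\kva8wr.exe","flagifnofile=1"
AutoRun:"ahnsoft","<$SYSDIR>\ahnsbsb.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","kvasoft"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","ahnsoft"
File:"<$FILE_EXE>","<$SYSDIR>\kva8wr.exe"
File:"<$FILE_EXE>","<$SYSDIR>\ahnsbsb.exe"
// Trojan.Unknown(4), file name follows the user name:
// NOTE(review): the rules below hard-code "Pat", the user name on the sample
// system, so they only match that one profile. A per-user placeholder (if the
// format provides one) would generalise the rule; until then expect misses.
AutoRun:"Pat","<$PROFILES>\Pat\Pat.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","Pat"
File:"<$FILE_EXE>","<$PROFILES>\Pat\Pat.exe"
// Trojan.Unknown(5):
// The file names mimic system binaries, but the paths are under the user's Temp
// directory, so the genuine taskmgr.exe / services.exe are not touched.
AutoRun:"Windows System Recover!","<$LOCALSETTINGS>\Temp\taskmgr.exe","flagifnofile=1"
AutoRun:"Windows System Recover!","<$LOCALSETTINGS>\Temp\services.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","Windows System Recover!"
File:"<$FILE_EXE>","<$LOCALSETTINGS>\Temp\taskmgr.exe"
File:"<$FILE_EXE>","<$LOCALSETTINGS>\Temp\services.exe"
// Trojan.Unknown(6):
AutoRun:"feltv","<$SYSDIR>\feltv.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","feltv"
File:"<$FILE_EXE>","<$SYSDIR>\feltv.exe"
// Trojan.Unknown(7):
AutoRun:"rgc94vj0ec1t","<$SYSDIR>\qgce4vj0ec1t.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","rgc94vj0ec1t"
File:"<$FILE_EXE>","<$SYSDIR>\qgce4vj0ec1t.exe"
// Trojan.Unknown(8):
AutoRun:"7b6emhqv","<$SYSDIR>\7b6emhqv.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","7b6emhqv"
File:"<$FILE_EXE>","<$SYSDIR>\7b6emhqv.exe"
// Trojan.Unknown(9):
// Run value name "cftmon" imitates the legitimate "ctfmon"; only the Run value
// and igwl.exe are targeted, not ctfmon.exe.
AutoRun:"cftmon","<$SYSDIR>\igwl.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","cftmon"
File:"<$FILE_EXE>","<$SYSDIR>\igwl.exe"
// Trojan.Unknown(10):
AutoRun:"UIUCU","<$LOCALSETTINGS>\Temp\UIUCU.EXE","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","UIUCU"
File:"<$FILE_EXE>","<$LOCALSETTINGS>\Temp\UIUCU.EXE"
// Trojan.Unknown(11):
// AppInit_DLLs entries here are bare file names (no <$SYSDIR> prefix), matching
// how the sample system had them registered.
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","ydsisg.dll"
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","secibw.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\ydsisg.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\secibw.dll"
// Trojan.Unknown(12):
// "*mxx.dll" is a wildcard; both the per-user Temp and the system TEMP copies
// are covered by the File rules.
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$LOCALSETTINGS>\Temp\*mxx.dll"
File:"<$FILE_LIBRARY>","<$WINDIR>\TEMP\*mxx.dll"
File:"<$FILE_LIBRARY>","<$LOCALSETTINGS>\Temp\*mxx.dll"
// Trojan.Unknown(13):
RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","TYzIvwFqyZx","TYzIvwFqyZx={F8063C18-52AC-96B2-8FA5-7BB0C59920DE}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\ewq.dll"
// Trojan.Virtomonde:
BrowserHelperEx:"{d06bef43-84af-f4eb-d174-bc2dca31fdac}",
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{ad2821c4-7eac-471a-98ea-eb6830452ef9}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{ad2821c4-7eac-471a-98ea-eb6830452ef9}"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{a49c65e5-3cca-4fb4-8703-f2cd5da3f5a1}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{a49c65e5-3cca-4fb4-8703-f2cd5da3f5a1}"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{B977FE3A-C5CF-4719-A69F-8C5C8A5B482F}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{B977FE3A-C5CF-4719-A69F-8C5C8A5B482F}"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{cadf13ac-d2cb-471d-be4f-fa4834feb60d}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{cadf13ac-d2cb-471d-be4f-fa4834feb60d}"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{8B2A62D8-E333-42C1-955B-DC5278F9FF4D}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{8B2A62D8-E333-42C1-955B-DC5278F9FF4D}"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{D789FB8B-BEB5-4ECB-B3EE-C3673530D3D3}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{D789FB8B-BEB5-4ECB-B3EE-C3673530D3D3}"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{3E92B715-495F-4C58-A770-166D68E9544D}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{3E92B715-495F-4C58-A770-166D68E9544D}"
AutoRun:"net","<$SYSDIR>\net.net","flagifnofile=1"
AutoRun:"*","<$SYSDIR>\hekajezo.dll","flagifnofile=0"
AutoRun:"*","<$SYSDIR>\nakuteye.dll","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","net"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","net"
// NOTE(review): the "a8453c32" and "nepowijipe" Run values have no matching
// AutoRun or File rule in this block; the binaries they point to are not removed.
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","a8453c32"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","nepowijipe"
// AppInit_DLLs components: some are full <$SYSDIR> paths, others bare names
// ("ylwumy", "fqjjmi.dll", ...), mirroring how each sample registered them.
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\bedezn.dll"
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\dogatidi.dll"
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\rjmzba.dll"
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\vrqgfa.dll"
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\pewejima1.dll"
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\pewejima.dll"
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","ylwumy"
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","fqjjmi.dll"
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\ldlsfj.dll"
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\yavipeje.dll"
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","quiyav.dll"
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","josmkp.dll"
// Winlogon\Notify entries. "geBqQGwv" is the only one without a "DllName="
// condition, so it is presumably matched on the key name alone — confirm.
RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\","byxvvtr","DllName=<$SYSDIR>\byxvvtr.dll"
RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\","ioqoilpx","DllName=<$SYSDIR>\ywrdohk.dll"
RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\","geBqQGwv"
RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\","cbcecbcccdfa","DllName=<$SYSDIR>\cbcecbcccdfa.dll"
RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\","fccbBssq","DllName=fccbBssq.dll"
RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\","__c0073cb4","DllName=<$SYSDIR>\__c0073CB4.dat"
RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\","geedb","DllName=<$SYSDIR>\geedb.dll"
RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\","bYoomKee","DllName=<$SYSDIR>\bYoomKee.dll"
// Files backing the entries above; the .dat is the Notify DLL registered under
// "__c0073cb4" and therefore uses the data category rather than library.
File:"<$FILE_EXE>","<$SYSDIR>\net.net"
File:"<$FILE_LIBRARY>","<$SYSDIR>\jujutoji.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\yetodiho.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\iifdcBSm.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\ylwumy.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\vtsqq.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\ywrdohk.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\urqNDWMF.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\hekajezo.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\nakuteye.dll"
File:"<$FILE_DATA>","<$SYSDIR>\__c0073CB4.dat"
File:"<$FILE_LIBRARY>","<$SYSDIR>\geedb.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\bedezn.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\dogatidi.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\rjmzba.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\vrqgfa.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\pewejima1.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\pewejima.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\fqjjmi.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\ldlsfj.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\yavipeje.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\quiyav.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\josmkp.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\byxvvtr.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\ywrdohk.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\cbcecbcccdfa.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\fccbBssq.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\bYoomKee.dll"
// Trojan.Zlob-Downloader:
// NOTE(review): only the ShellServiceObjectDelayLoad entries are listed; no
// File rule accompanies them, so the DLLs behind these CLSIDs stay on disk.
RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","kvxqmtre","kvxqmtre={4BD2C3BB-696E-4D44-B8F7-083215415D25}"
RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","evgratsm","evgratsm={5424224E-ED69-4DA2-A9A0-6190B9FCC156}"
// Worm.Koobface:
// "??" wildcards cover the two-character variable suffix of each dropped file.
AutoRun:"sysldtray","<$WINDIR>\ld??.exe","flagifnofile=1"
AutoRun:"pp","<$WINDIR>\pp??.exe","flagifnofile=1"
AutoRun:"sysmstray","<$WINDIR>\mstre??.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","sysldtray"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","pp"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","sysmstray"
File:"<$FILE_EXE>","<$WINDIR>\ld??.exe"
File:"<$FILE_EXE>","<$WINDIR>\pp??.exe"
File:"<$FILE_EXE>","<$WINDIR>\mstre??.exe"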