First example



PepiMK
2008-07-11, 09:08
Already posted it in the Wiki, but since a Wiki isn't useful to ask questions etc., I'm going to add it here as well:

Examples:Spectorsoft eBlaster 5 (Keylogger) (http://wiki.spybot.info/index.php/Examples:Spectorsoft_eBlaster_5_%28Keylogger%29)



// info: OpenSBI example
// author: Patrick M. Kolla (PepiMK)
// date: 2008-05-23 (1.6)
// copyright: (c) 2008 Safer Networking Ltd. All rights reserved.
// count: 14

:: Spectorsoftware.eBlaster.5
// {Cat:Keylogger}{Cnt:1}
// {Det:patrick,2008-05-23}
RegyKey:"<$REG_CLASSID>",HKEY_CLASSES_ROOT,"\CLSID\","{2BE166ED-F16C-46de-B623-3575FD9B5D6D}"
RegyKey:"<$REG_CLASSID>",HKEY_CLASSES_ROOT,"\CLSID\","{4924E02A-C3A1-43ED-9EF2-28B8222039CC}"
RegyKey:"<$REG_CLASSID>",HKEY_CLASSES_ROOT,"\CLSID\","{8F3CA4AA-CD58-4424-8E77-C08801F1EA61}"
RegyKey:"<$REG_CLASSID>",HKEY_CLASSES_ROOT,"\CLSID\","{93AA1CB6-383A-49EF-B197-D31B4D577B90}"
RegyKey:"Hook",HKEY_CLASSES_ROOT,"\","Httpcmd","CLSID\={4924E02A-C3A1-43ED-9EF2-28B8222039CC}"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{93AA1CB6-383A-49EF-B197-D31B4D577B90}"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad","Proftab","Proftab={8F3CA4AA-CD58-4424-8E77-C08801F1EA61}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\xmlv2.dll","filesize=1052672,md5=A76C36A1BAA095A6D4C8A0E95582C089"
File:"<$FILE_EXE>","<$SYSDIR>\svrxp.exe","filesize=1552384,md5=7F02BE43B8759FA66BAA347FC22DC04B,setenv=eblaster5:yes"
File:"<$FILE_LIBRARY>","<$SYSDIR>\ipxstyle.dll","filesize=761856,md5=3AEBF1E8EC43169D23B710CB69DFC807"
File:"<$FILE_LIBRARY>","<$SYSDIR>\ipnt.dll","filesize=43998,md5=85CED0C1CE0F1367651A89E98743618E"
File:"<$FILE_LIBRARY>","<$SYSDIR>\camohcmp32.dll","filesize=114578,md5=0C943CA64C083C6A205D71C06706B62F"
File:"<$FILE_LIBRARY>","<$SYSDIR>\calv32.dll","filesize=577536,md5=53D9A64B4A60118915DBC96BEF49383A"
Directory:"<$DIR_APPDATA>","<$SYSDIR>\logmidi","isenv=eblaster5"

A detailed explanation on how one would go ahead to create this detection is available on the wiki link above; in this example we just used InCtrl5 and the OpenSBI editor.

(Keyword reference pages on the wiki: http://wiki.spybot.info/index.php/RegyKey , http://wiki.spybot.info/index.php/RegyValue , http://wiki.spybot.info/index.php/File , http://wiki.spybot.info/index.php/Directory , http://wiki.spybot.info/index.php/Filesize , http://wiki.spybot.info/index.php/Md5 , http://wiki.spybot.info/index.php/Setenv , http://wiki.spybot.info/index.php/Isenv )
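To show what a scanner actually does with a signature like the one above, here is an added Python example (not part of the post and not Spybot's own code) that parses the OpenSBI entries in the form they appear there and evaluates the File and Directory entries against a mock host state. The grammar it accepts is inferred only from the lines shown (`:: name` header, `//` comments, `Kind:` followed by comma-separated quoted or bare arguments, and a trailing `key=value,...` attribute string for File/Directory); the reading of `setenv=eblaster5:yes` as "set a flag when this file matches" and `isenv=eblaster5` as "only count this entry if that flag is set" is an assumption. Registry entries are parsed but not evaluated, since that needs a live Windows registry. The hashes and sizes in `SAMPLE_SBI` are copied from the post; `DEMO_SBI` and the mock filesystem are constructed so the run-through works offline.

```python
import hashlib
import re
from dataclasses import dataclass, field

# Constructed sample: a subset of the eBlaster 5 entries from the post, with the
# wiki link residue removed so each line reads as plain OpenSBI. Sizes and MD5s
# are the ones printed in the post; no file contents are needed here.
SAMPLE_SBI = r'''// info: OpenSBI example
:: Spectorsoftware.eBlaster.5
// {Cat:Keylogger}{Cnt:1}
RegyKey:"<$REG_CLASSID>",HKEY_CLASSES_ROOT,"\CLSID\","{2BE166ED-F16C-46de-B623-3575FD9B5D6D}"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad","Proftab","Proftab={8F3CA4AA-CD58-4424-8E77-C08801F1EA61}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\xmlv2.dll","filesize=1052672,md5=A76C36A1BAA095A6D4C8A0E95582C089"
File:"<$FILE_EXE>","<$SYSDIR>\svrxp.exe","filesize=1552384,md5=7F02BE43B8759FA66BAA347FC22DC04B,setenv=eblaster5:yes"
Directory:"<$DIR_APPDATA>","<$SYSDIR>\logmidi","isenv=eblaster5"
'''

@dataclass
class Entry:
    kind: str          # RegyKey, RegyValue, File or Directory
    args: list         # positional arguments exactly as written
    props: dict        # key=value pairs from a File/Directory attribute string

@dataclass
class Signature:
    name: str
    entries: list = field(default_factory=list)

# One argument is either a double-quoted string or a bare token such as HKEY_...
_ARG = re.compile(r'"([^"]*)"|([^,]+)')

def _split_args(rest):
    return [quoted or bare.strip() for quoted, bare in _ARG.findall(rest)]

def _parse_props(attr):
    # "filesize=1052672,md5=A76C...,setenv=eblaster5:yes" -> dict of constraints
    props = {}
    for item in attr.split(','):
        key, sep, value = item.partition('=')
        if sep:
            props[key.strip()] = value.strip()
    return props

def parse_sbi(text):
    """Parse OpenSBI text into Signature objects (grammar assumed from the post)."""
    sigs, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('//'):
            continue                      # blank or comment line
        if line.startswith('::'):
            cur = Signature(line[2:].strip())
            sigs.append(cur)
            continue
        if cur is None:
            raise ValueError('entry before any ":: name" header: ' + line)
        kind, _, rest = line.partition(':')
        args = _split_args(rest)
        props = _parse_props(args[-1]) if kind in ('File', 'Directory') else {}
        cur.entries.append(Entry(kind, args, props))
    return sigs

def file_matches(data, props):
    """True when the bytes satisfy every filesize/md5 constraint present."""
    if 'filesize' in props and len(data) != int(props['filesize']):
        return False
    if 'md5' in props and hashlib.md5(data).hexdigest().upper() != props['md5'].upper():
        return False
    return True

def evaluate(sig, files, dirs):
    """Walk File/Directory entries in order against a mock host state.

    files: {path: bytes}; dirs: set of directory paths. Registry entries are
    skipped (they need a live registry). setenv/isenv are treated, as an
    assumption, as a flag set by an earlier hit and required by a later entry.
    """
    env, hits = set(), []
    for e in sig.entries:
        if e.kind == 'File':
            data = files.get(e.args[1])
            if data is None or not file_matches(data, e.props):
                continue
        elif e.kind == 'Directory':
            if e.args[1] not in dirs:
                continue
            if 'isenv' in e.props and e.props['isenv'] not in env:
                continue
        else:
            continue
        if 'setenv' in e.props:
            name, _, flag = e.props['setenv'].partition(':')
            if flag == 'yes':
                env.add(name)
        hits.append((e.kind, e.args[1]))
    return hits

# Constructed signature for the offline demo: same shape as the post's last two
# entries, but size/MD5 are those of the stand-in bytes b"abc" (md5 test vector).
DEMO_SBI = r''':: Constructed.Demo
File:"<$FILE_EXE>","<$SYSDIR>\svrxp.exe","filesize=3,md5=900150983CD24FB0D6963F7D28E17F72,setenv=eblaster5:yes"
Directory:"<$DIR_APPDATA>","<$SYSDIR>\logmidi","isenv=eblaster5"
'''

def demo():
    sig = parse_sbi(DEMO_SBI)[0]
    exe, logdir = r'<$SYSDIR>\svrxp.exe', r'<$SYSDIR>\logmidi'
    full = evaluate(sig, {exe: b'abc'}, {logdir})   # both entries hit
    no_exe = evaluate(sig, {}, {logdir})             # a leftover log dir alone is not a hit
    return full, no_exe

if __name__ == '__main__':
    for s in parse_sbi(SAMPLE_SBI):
        print(s.name, len(s.entries), 'entries')
    print(demo())
```

The point of the `setenv`/`isenv` pair, under that reading, is that a generic-looking leftover such as a `logmidi` directory only counts once the hashed executable has actually been found, which keeps the directory entry from producing false positives on its own.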