
Thread: Detection for Rogue.Antivirus2008

  1. #1
    Junior Member NJones
    Join Date
    Jul 2008
    Posts
    0

    Detection for Rogue.Antivirus2008

    Hi guys,
    I have just read that a lot of users are having problems with Antivirus2008, which is not detected by Spybot yet.
    So I tried to create some detection rules with the Spybot OpenSBI Editor. I am not sure if I did everything right, so I will publish it here:

    Code:
    :: Rogue.Antivirus2008
    // {Cat:Malware}{Cnt:1}
    // {Det:N.Jones,2008-07-25}
    RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\","rhc553j0e9cv"
    UninstallByKey:"rhc553j0e9cv","0"
    RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform\","AntivirXP08"
    AutoRun:"SMrhc553j0e9cv","<$PROGRAMFILES>\rhc553j0e9cv\rhc553j0e9cv.exe","filesize>=6000000,filesize<=15000000"
    StartmenuItem:"Antivirus XP 2008.lnk","<$PROGRAMFILES>\rhc553j0e9cv\*.exe","filesize>=1,filesize<=5000"
    StartmenuItem:"How to Register Antivirus XP 2008.lnk","filesize>=1,filesize<=5000"
    StartmenuItem:"License Agreement.lnk","<$PROGRAMFILES>\rhc553j0e9cv\license.txt","filesize>=1,filesize<=5000"
    StartmenuItem:"Register Antivirus XP 2008.lnk","filesize>=1,filesize<=5000"
    StartmenuItem:"Uninstall.lnk","<$PROGRAMFILES>\rhc553j0e9cv\Uninstall.exe","filesize>=1,filesize<=5000"
    File:"<$FILE_DATA>","<$PROGRAMFILES>\rhc553j0e9cv\database.dat","filesize>=1000,filesize<=3000"
    File:"<$FILE_TEXT>","<$PROGRAMFILES>\rhc553j0e9cv\license.txt","filesize=19052,md5=A4CEABD89CABE614F390DD8C7E1B26D2"
    File:"<$FILE_EXE>","<$PROGRAMFILES>\rhc553j0e9cv\*.exe","filesize>=600000,filesize<=20000000"
    File:"<$FILE_DATA>","<$PROGRAMFILES>\rhc553j0e9cv\rhc553j0e9cv.exe.local","filesize<=1"
    DesktopIcon:"Antivirus XP 2008.lnk","<$PROGRAMFILES>\rhc553j0e9cv\*.exe","filesize>=1,filesize<=5000"
    QuickLaunchIcon:"Antivirus XP 2008.lnk","<$PROGRAMFILES>\rhc553j0e9cv\*.exe","filesize>=1,filesize<=5000"
    File:"<$FILE_EXE>","<$SYSDIR>\*.exe","filesize=94208,md5=CE2A2A5A6F1E7A5D6FA31F5277EAB9AB"
    Directory:"<$DIR_PROG>","<$APPDATA>\rhc553j0e9cv\Quarantine\Autorun\HKCU","filename=<$PROGRAMFILES>\rhc553j0e9cv\database.dat"
    Directory:"<$DIR_PROG>","<$APPDATA>\rhc553j0e9cv\Quarantine\Autorun\HKCU\RunOnce","filename=<$PROGRAMFILES>\rhc553j0e9cv\database.dat"
    Directory:"<$DIR_PROG>","<$APPDATA>\rhc553j0e9cv\Quarantine\Autorun\HKLM","filename=<$PROGRAMFILES>\rhc553j0e9cv\database.dat"
    Directory:"<$DIR_PROG>","<$APPDATA>\rhc553j0e9cv\Quarantine\Autorun\HKLM\RunOnce","filename=<$PROGRAMFILES>\rhc553j0e9cv\database.dat"
    Directory:"<$DIR_PROG>","<$APPDATA>\rhc553j0e9cv\Quarantine\Autorun\StartMenuAllUsers","filename=<$PROGRAMFILES>\rhc553j0e9cv\database.dat"
    Directory:"<$DIR_PROG>","<$APPDATA>\rhc553j0e9cv\Quarantine\Autorun\StartMenuCurrentUser","filename=<$PROGRAMFILES>\rhc553j0e9cv\database.dat"
    Directory:"<$DIR_PROG>","<$APPDATA>\rhc553j0e9cv\Quarantine\Autorun","filename=<$PROGRAMFILES>\rhc553j0e9cv\database.dat"
    Directory:"<$DIR_PROG>","<$APPDATA>\rhc553j0e9cv\Quarantine\BrowserObjects","filename=<$PROGRAMFILES>\rhc553j0e9cv\database.dat"
    Directory:"<$DIR_PROG>","<$APPDATA>\rhc553j0e9cv\Quarantine\Packages","filename=<$PROGRAMFILES>\rhc553j0e9cv\database.dat"
    Directory:"<$DIR_PROG>","<$APPDATA>\rhc553j0e9cv\Quarantine","filename=<$PROGRAMFILES>\rhc553j0e9cv\database.dat"
    Directory:"<$DIR_PROG>","<$APPDATA>\rhc553j0e9cv","filename=<$PROGRAMFILES>\rhc553j0e9cv\database.dat"
    Directory:"<$DIR_PROG>","<$PROGRAMFILES>\rhc553j0e9cv","filename=database.dat"
    Directory:"<$DIR_PROG>","<$COMMONPROGRAMS>\Antivirus XP 2008"
    DownloadFile:"*.exe","filesize=1394196,md5=C5B6DD099BCEAAC80510BEADDF1C0312"

    Maybe somebody can have a look at it and give me some feedback.

    regards,
    N.Jones
    Last edited by NJones; 2008-07-25 at 13:16.

  2. #2
    Member of Team Spybot Buster
    Join Date
    Oct 2005
    Location
    Bochum/Germany
    Posts
    389


    Welcome NJones and thanks for sharing these detection rules. Looks quite good so far. But I guess this ID "rhc553j0e9cv" isn't static. Can you send these files to detections@spybot.info?
    "The advantage of wisdom is that you can always act the fool. The opposite is quite tough."

    K. Tucholsky


    Please help us improve Spybot and download our distributed testing client.

  3. #3
    Junior Member NJones
    Join Date
    Jul 2008
    Posts
    0


    Hello Buster,
    I just sent the files to the email address you mentioned. Before I made my detection rules, I installed the samples twice in a virtual machine. Both times the ID was the same, but I am quite sure that it will change soon. Is there a way to use wildcards for directories? Or is there another way to detect this stuff without using the static name? Additionally, I am not sure if I used the start menu rules with the correct syntax (is it correct to use the file range that way?).

    I am looking forward to hearing from you.

    regards,
    N.Jones

  4. #4
    Retired
    Join Date
    Oct 2005
    Posts
    566


    Hello N.Jones
    If you used the same VMware for both of your tests, that could be the reason why the name of the directories was the same.
    The file range you used for your start menu rules is very big. I think it should be OK to use a smaller one. But the syntax is correct.

    regards,
    Markus
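
NJones's question about detecting the installation without relying on the static folder name is left open in the thread. As an added example (not code from the thread, from Spybot or from OpenSBI), the Python below scores each folder under Program Files on the artefacts the posted File: rules list (self-named .exe, empty .exe.local, database.dat, license.txt with the given size and MD5) instead of on the name rhc553j0e9cv. The 3-of-4 threshold, the constructed sample folder and the use of a temporary directory as the Program Files root are assumptions of this example.

```python
import hashlib, tempfile
from pathlib import Path

# Sizes, names and the MD5 come from the posted File: rules; the 3-of-4
# scoring threshold and the constructed sample are this example's own.
LICENSE_SIZE, LICENSE_MD5 = 19052, "a4ceabd89cabe614f390dd8c7e1b26d2"

def md5_hex(path: Path) -> str:
    return hashlib.md5(path.read_bytes()).hexdigest()

def indicators(folder: Path) -> dict:
    """Check one candidate folder for the artefacts the rules list, without
    depending on the folder being called rhc553j0e9cv."""
    name = folder.name
    exe, local = folder / f"{name}.exe", folder / f"{name}.exe.local"
    db, lic = folder / "database.dat", folder / "license.txt"
    return {
        # File rule: <folder>\<folder>.exe between 600 KB and 20 MB
        "self_named_exe": exe.is_file() and 600_000 <= exe.stat().st_size <= 20_000_000,
        # File rule: (near-)empty <folder>.exe.local beside it
        "empty_exe_local": local.is_file() and local.stat().st_size <= 1,
        # File rule: database.dat between 1000 and 3000 bytes
        "database_dat": db.is_file() and 1000 <= db.stat().st_size <= 3000,
        # File rule: license.txt with the fixed size and MD5
        "license_txt": (lic.is_file() and lic.stat().st_size == LICENSE_SIZE
                        and md5_hex(lic) == LICENSE_MD5),
    }

def find_rogue_dirs(program_files: Path, threshold: int = 3) -> list:
    """Return sub-folders whose indicator count reaches the threshold."""
    return [d for d in sorted(program_files.iterdir())
            if d.is_dir() and sum(indicators(d).values()) >= threshold]

def build_constructed_sample(root: Path) -> Path:
    """Constructed stand-in, not malware: same layout under a different name."""
    rogue = root / "xk7v2b9n0qz1"
    rogue.mkdir()
    (rogue / "xk7v2b9n0qz1.exe").write_bytes(b"\0" * 600_000)
    (rogue / "xk7v2b9n0qz1.exe.local").write_bytes(b"")
    (rogue / "database.dat").write_bytes(b"\0" * 1500)
    benign = root / "SomeVendor"          # control folder that must not match
    benign.mkdir()
    (benign / "app.exe").write_bytes(b"\0" * 1_000_000)
    return rogue

def demo() -> tuple:
    root = Path(tempfile.mkdtemp())     # stands in for <$PROGRAMFILES>
    rogue = build_constructed_sample(root)
    return find_rogue_dirs(root), rogue
```

Because the constructed sample has no license.txt with the real MD5, it is flagged on the three structural indicators alone; on a live system the MD5 match would be the strongest of the four.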
