Results 1 to 3 of 3

Thread: Virtumonde

  1. #1
    Senior Member Matt's Avatar
    Join Date
    Aug 2006
    Location
    Bavaria
    Posts
    1,169

    Default Virtumonde

    More Vundo for you...
    Category: Trojan
    Code:
    :: Virtumonde
    // Revision 1
    // {Cat:Test}{Cnt:1}
    // {Det:Matt,2009-05-02}
    
    // Choose the BrowserHelperEx variant to flag the file as well, unless name is "(no name)".
    //BrowserHelperEx:"(no name)","flagfile=1"
    RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{2eda6cef-a401-421d-af32-a25059ef9624}"
    RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{2eda6cef-a401-421d-af32-a25059ef9624}"
    // The AutoRun command flags both in one line and looks in multiple locations; another advantage may be in flagifnofile=1
    AutoRun:"2cc32117","<$SYSDIR>\bumokoju.dll","flagifnofile=1"
    RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","2cc32117"
    File:"<$FILE_EXE>","<$SYSDIR>\bumokoju.dll"
    // The AutoRun command flags both in one line and looks in multiple locations; another advantage may be in flagifnofile=1
    AutoRun:"CPM2ff0128b","<$SYSDIR>\mumonuwi.dll","flagifnofile=1"
    RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","CPM2ff0128b"
    File:"<$FILE_EXE>","<$SYSDIR>\mumonuwi.dll"
    // The AutoRun command flags both in one line and looks in multiple locations; another advantage may be in flagifnofile=1
    AutoRun:"fahukupeke","<$SYSDIR>\visujowo.dll","flagifnofile=1"
    RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","fahukupeke"
    File:"<$FILE_EXE>","<$SYSDIR>\visujowo.dll"
    // Adjust parameters to remove only bad libraries!
    RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\mumonuwi.dll"
    RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\diyohobe.dll"
    File:"<$FILE_WEBPAGE>","<$SYSDIR>\mumonuwi.dll"
    File:"<$FILE_WEBPAGE>","<$SYSDIR>\diyohobe.dll"
    // 
    RegyValue:"<description>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","SSODL","SSODL={EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\mumonuwi.dll"
    // 
    RegyValue:"<description>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","STS","STS={EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\mumonuwi.dll"
    
    // Choose the BrowserHelperEx variant to flag the file as well, unless name is "(no name)".
    //BrowserHelperEx:"(no name)","flagfile=1"
    RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{fe3a801d-ec23-48e1-ac7a-ba081d254ea9}"
    RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{fe3a801d-ec23-48e1-ac7a-ba081d254ea9}"
    // The AutoRun command flags both in one line and looks in multiple locations; another advantage may be in flagifnofile=1
    AutoRun:"kapopejizo","<$SYSDIR>\nevibuni.dll","flagifnofile=1"
    RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","kapopejizo"
    File:"<$FILE_EXE>","<$SYSDIR>\nevibuni.dll"
    // The AutoRun command flags both in one line and looks in multiple locations; another advantage may be in flagifnofile=1
    AutoRun:"28dcd41b","<$SYSDIR>\wukoraga.dll","flagifnofile=1"
    RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","28dcd41b"
    File:"<$FILE_EXE>","<$SYSDIR>\wukoraga.dll"
    // The AutoRun command flags both in one line and looks in multiple locations; another advantage may be in flagifnofile=1
    AutoRun:"CPM2befe787","<$SYSDIR>\yogukezo.dll","flagifnofile=1"
    RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","CPM2befe787"
    File:"<$FILE_EXE>","<$SYSDIR>\yogukezo.dll"
    // Adjust parameters to remove only bad libraries!
    RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\vitetija.dll"
    RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\yogukezo.dll"
    RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\daharubo.dll"
    RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\kemuboti.dll"
    File:"<$FILE_WEBPAGE>","<$SYSDIR>\vitetija.dll"
    File:"<$FILE_WEBPAGE>","<$SYSDIR>\yogukezo.dll"
    File:"<$FILE_WEBPAGE>","<$SYSDIR>\daharubo.dll"
    File:"<$FILE_WEBPAGE>","<$SYSDIR>\kemuboti.dll"
    //
    RegyValue:"<description>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","SSODL","SSODL={EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\kemuboti.dll"
    Downloads: 0Rating: 15 (rated by 2 users)
    Last edited by MisterW; 2009-05-06 at 09:39.

  2. #2
    Member of Team Spybot roberto's Avatar
    Join Date
    Oct 2005
    Posts
    59

    Default

    Hallo Matt,

    with a german paragraph:

    > AutoRun:"2cc32117","<$SYSDIR>\bumokoju.dll","flagifnofile=1"

    If "2cc32117" is a variable name field, a generic approach would be better.

    Code:
    AutoRun:"*","<$SYSDIR>\bumokoju.dll","filesize>0"
    Because of the asterisk wildcard (*) in the name field, I discarded for safety reasons the "flagifnofile" parameter.

    1)
    > File:"<$FILE_LIBRARY>","<$SYSDIR>\mumonuwi.dll"
    > File:"<$FILE_LIBRARY>","<$SYSDIR>\mumonuwi.dll"
    2)
    > File:"<$FILE_WEBPAGE>","<$SYSDIR>\kemuboti.dll"
    > File:"<$FILE_LIBRARY>","<$SYSDIR>\kemuboti.dll"


    Dupes. Always the first rule triggers and alerts with the descripton used in the rule. In the second case the triggering rule would inform with a "$FILE_WEBPAGE" message.

    Kind regards,
    Roberto.

    --

    Wenn "2cc32117" ein variabler Name ist, dann empfiehlt sich die Verwendung von Wildcards, um alle Fälle abzudecken.

    Wegen des Sternchens wird der flagifnofile Parameter entfernt.

    Dopplungen sind nicht schlimm, können aber die Scanzeit erhöhen.
    Im zweiten Fall würde die erste der beiden Regeln die Datei finden und dann eine $FILE_WEBPAGE melden.

    Gruesse,
    Roberto.
    Please help us improving Spybot and download our distributed testing client.

  3. #3
    Senior Member Matt's Avatar
    Join Date
    Aug 2006
    Location
    Bavaria
    Posts
    1,169

    Default

    Hallo Roberto,

    leider kann ich kaum sagen, ob es sich bei einer Dateienbezeichnung um variable Namen handelt oder nicht.

    Best regards - Beste Grüße,

    Matt

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •