Thread: New Malware v5 improved

    Default New Malware v5 improved

    optimized detection rules for Team Spybot
    Category: Trojan
    Code:
    :: New Malware v5 improved
    // Revision 1
    // {Cat:Trojan}{Cnt:1}
    // {Det:Matt,2009-05-15}
    
    // The legitimate Windows internat.exe lives in the system32 folder; the rules below only look for a
    // copy directly under <$WINDIR>, which is where this trojan drops its impostor.
    // Troj/Lydra-F:
    // Run-key value "internat" under HKCU pointing at the <$WINDIR> copy; flagifnofile=1 presumably still
    // reports the autorun entry when the target file is already gone - confirm against the rule docs.
    AutoRun:"internat","<$WINDIR>\internat.exe","flagifnofile=1"
    RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","internat"
    File:"<$FILE_EXE>","<$WINDIR>\internat.exe"
    
    // W32.Aimdes.B Worm:
    // NOTE(review): both the AutoRun target and the File path are the bare string "SYS32DLL" with no directory
    // and no extension, so neither can resolve to a concrete file on disk - the reply in this thread raises the
    // same point. Confirm the real path and extension (or drop the File rule and keep only the Run-value check).
    AutoRun:"SYS32DLL","SYS32DLL","flagifnofile=1"
    RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","SYS32DLL"
    File:"<$FILE_EXE>","SYS32DLL"
    
    // Adware.AdRotator:
    // The BrowserHelperEx form is kept commented out for reference; it is apparently superseded by the explicit
    // BHO registration + CLSID class-key pair below, so both registry halves of the BHO are removed together.
    //BrowserHelperEx:"adssite","flagfile=1"
    RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{d2664ebb-ee0a-0693-81bc-b9f05f0b0c13}"
    RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{d2664ebb-ee0a-0693-81bc-b9f05f0b0c13}"
    
    // Trojan:Win32/Ertfor.A
    // BHO + CLSID pair. NOTE(review): this same CLSID is listed twice more in the Virtumonde block further
    // down; the duplicates are harmless but one entry would do.
    RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{C2BA40A1-74F3-42BD-F434-12345A2C8953}"
    RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{C2BA40A1-74F3-42BD-F434-12345A2C8953}"
    // Two persistence variants share the Run-value name "autochk": an HKLM entry loading a .dll from <$SYSDIR>
    // and an HKCU entry loading protect.dll from <$LOCALSETTINGS>. The value name alone is not the signal
    // (autochk is also the name of a legitimate Windows boot-time component); the .dll target and its location are.
    AutoRun:"autochk","<$SYSDIR>\autochk.dll","flagifnofile=1"
    RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","autochk"
    File:"<$FILE_EXE>","<$SYSDIR>\autochk.dll"
    AutoRun:"autochk","<$LOCALSETTINGS>\protect.dll","flagifnofile=1"
    RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","autochk"
    File:"<$FILE_EXE>","<$LOCALSETTINGS>\protect.dll"
    
    // Trojan.Agent: the trailing characters of the file name are random, so the AutoRun target uses a wildcard
    // in place of the "48" seen in the sample (the original note says "three asterisks", the rule actually uses one).
    // NOTE(review): the File rule still names rundll48.exe literally and so only matches that one variant;
    // confirm whether File: accepts the same wildcard, otherwise other variants leave the file behind.
    // The value name "Hotfix-KB5504305" imitates a Windows update identifier.
    AutoRun:"Hotfix-KB5504305","<$SYSDIR>\rundll*.exe","flagifnofile=1"
    RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","Hotfix-KB5504305"
    File:"<$FILE_EXE>","<$SYSDIR>\rundll48.exe"
    RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","Hotfix-KB5504305"
    
    // Trojan.Dropper: the CLSID is random per infection!! so the key is matched on the text/html entry under
    // Protocols\Filter with an all-wildcard CLSID= value.
    // NOTE(review): confirm the rule engine treats "*" as a wildcard inside the CLSID= value of a RegyKey rule;
    // if it does not, this rule never matches and only the File rule below does any work.
    RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\Protocols\Filter\","text/html","CLSID={********-****-****-****-************}"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\dsound3dd.dll"
    
    // Virtumonde:
    // Each BHO registration is paired with its CLSID class key so both registry halves are removed together.
    // The commented-out BrowserHelperEx lines are the earlier form of the same detections, kept for reference.
    RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{57049016-abee-46e3-8078-af54e8b923b7}"
    RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{57049016-abee-46e3-8078-af54e8b923b7}"
    RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{37113941-f025-4a5f-9552-2a649db45b2e}"
    RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{37113941-f025-4a5f-9552-2a649db45b2e}"
    RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{8e0e651f-50c6-49ba-9f39-943b1cddbde1}"
    RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{8e0e651f-50c6-49ba-9f39-943b1cddbde1}"
    //BrowserHelperEx:"{69936232-80b2-5d0a-fef4-927ed56d538a}","flagfile=1"
    RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{a835d65d-e729-4fef-a0d5-2b0823263996}"
    RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{a835d65d-e729-4fef-a0d5-2b0823263996}"
    RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{bf58be34-47c6-4b8b-84e3-f401fae73864}"
    RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{bf58be34-47c6-4b8b-84e3-f401fae73864}"
    RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{bfd12117-ea21-48c1-ae5f-ba3ead6e238e}"
    RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{bfd12117-ea21-48c1-ae5f-ba3ead6e238e}"
    //BrowserHelperEx:"{ac940494-3e8d-bcab-6ff4-b221d98a62d4}","flagfile=1"
    RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{4d26a89d-122b-4ff6-bacb-d8e3494049ca}"
    RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{4d26a89d-122b-4ff6-bacb-d8e3494049ca}"
    RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{a50cc7d6-fe12-4731-a173-d8645ee9b928}"
    RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{a50cc7d6-fe12-4731-a173-d8645ee9b928}"
    RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{0624A090-5F6C-4C22-BE65-257EA19DF66e}"
    RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{0624A090-5F6C-4C22-BE65-257EA19DF66e}"
    RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{45F516EF-C127-4BA0-8C4A-57CAC3EF413D}"
    RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{45F516EF-C127-4BA0-8C4A-57CAC3EF413D}"
    //BrowserHelperEx:"<$SYSDIR>\afnoinkdsfe.dll","flagfile=1"
    // NOTE(review): this CLSID already appears under Trojan:Win32/Ertfor.A above and is repeated once more
    // below (after the second afnoinkdsfe.dll line); one entry would do.
    RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{C2BA40A1-74F3-42BD-F434-12345A2C8953}"
    RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{C2BA40A1-74F3-42BD-F434-12345A2C8953}"
    RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{f9328a9a-e18c-478e-b89b-bc896a7c9b6e}"
    RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{f9328a9a-e18c-478e-b89b-bc896a7c9b6e}"
    RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{6be51ef0-2f9f-4040-8603-0c5563bc2b84}"
    RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{6be51ef0-2f9f-4040-8603-0c5563bc2b84}"
    RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{223bc51b-65af-483d-a152-d0e0b74628c6}"
    RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{223bc51b-65af-483d-a152-d0e0b74628c6}"
    //BrowserHelperEx:"<$SYSDIR>\yhs783ijfo3fe.dll","flagfile=1"
    // The b2ba40a2 CLSID below is also the one referenced by the jso8joigm409gopgmrlgd SharedTaskScheduler value
    // further down, so both the BHO and the STS registration of that component are covered.
    RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{b2ba40a2-74f0-42bd-f434-12345a2c8953}"
    RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{b2ba40a2-74f0-42bd-f434-12345a2c8953}"
    RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{393b4588-eb00-40fa-819d-5d3369b72b1d}"
    RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{393b4588-eb00-40fa-819d-5d3369b72b1d}"
    RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{97BCD40C-98F3-4B3F-A7D8-954AFCF5D3B9}"
    RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{97BCD40C-98F3-4B3F-A7D8-954AFCF5D3B9}"
    RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{C80CD2BB-D729-4AD9-A182-9B0EA9B00360}"
    RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{C80CD2BB-D729-4AD9-A182-9B0EA9B00360}"
    RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{D5F4C762-F161-4B0E-A29E-FCF811937B9E}"
    RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{D5F4C762-F161-4B0E-A29E-FCF811937B9E}"
    // ShellServiceObjectDelayLoad value "SSODL" - an Explorer-load persistence point rather than a BHO.
    // NOTE(review): the identical RegyValue is listed again in the SSODL/SharedTaskScheduler block below.
    RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","SSODL","SSODL={EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}"
    RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{33346FF9-BBF4-4250-80D7-A6D0E9C6EC35}"
    RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{33346FF9-BBF4-4250-80D7-A6D0E9C6EC35}"
    RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{4BEBF74A-42B6-4F1B-A1E1-C058FB4F152b}"
    RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{4BEBF74A-42B6-4F1B-A1E1-C058FB4F152b}"
    RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{93744D69-6EB2-4082-8095-F328BF6994F6}"
    RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{93744D69-6EB2-4082-8095-F328BF6994F6}"
    RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{E4AF23CA-3256-4B08-9CCB-6AB104BAEE8b}"
    RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{E4AF23CA-3256-4B08-9CCB-6AB104BAEE8b}"
    //BrowserHelperEx:"<$SYSDIR>\afnoinkdsfe.dll","flagfile=1"
    // NOTE(review): duplicate of the C2BA40A1 pair already listed twice above (Ertfor.A block and earlier in this block).
    RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{C2BA40A1-74F3-42BD-F434-12345A2C8953}"
    RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{C2BA40A1-74F3-42BD-F434-12345A2C8953}"
    RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{038ACA2F-16F3-4B4A-B905-ED3F17C22C7c}"
    RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{038ACA2F-16F3-4B4A-B905-ED3F17C22C7c}"
    RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{21F0578D-EED7-4F18-A04D-901E866FD9DF}"
    RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{21F0578D-EED7-4F18-A04D-901E866FD9DF}"
    RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{232D2677-68EE-4FA1-B988-279EBC8969ED}"
    RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{232D2677-68EE-4FA1-B988-279EBC8969ED}"
    RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{96403BCF-73C3-40C1-8867-AECB77078B25}"
    RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{96403BCF-73C3-40C1-8867-AECB77078B25}"
    RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{AB9C44D8-4752-4BFC-97E0-612B61A878B3}"
    RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{AB9C44D8-4752-4BFC-97E0-612B61A878B3}"
    RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{B0D8EED5-12DE-4837-8797-4847471A2014}"
    RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{B0D8EED5-12DE-4837-8797-4847471A2014}"
    RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{C0B3DCB7-925D-46F4-9BAA-7A7420FDE186}"
    RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{C0B3DCB7-925D-46F4-9BAA-7A7420FDE186}"
    
    // Virtumonde autoruns: eight-letter pseudo-random DLL names under <$SYSDIR>. The first argument is the Run
    // value name; "*" presumably matches any value name and "CPM*" the CPM-prefixed names listed in the Run-key
    // block below - confirm wildcard semantics against the rule docs. Entries with flagifnofile=0 presumably
    // only fire when the DLL is actually present, which avoids reporting a dangling value as an infection.
    // Every path here has a matching File:"<$FILE_EXE>" rule in the file block further down.
    AutoRun:"*","<$SYSDIR>\sevayija.dll","flagifnofile=0"
    AutoRun:"prnet","<$SYSDIR>\prnet.tmp","flagifnofile=1"
    AutoRun:"CPM*","<$SYSDIR>\lehevusa.dll","flagifnofile=1"
    AutoRun:"*","<$SYSDIR>\yejedotu.dll","flagifnofile=0"
    AutoRun:"*","<$SYSDIR>\nuhakiko.dll","flagifnofile=0"
    AutoRun:"CPM*","<$SYSDIR>\guluzemu.dll","flagifnofile=1"
    AutoRun:"*","<$SYSDIR>\vezowolu.dll","flagifnofile=0"
    AutoRun:"*","<$SYSDIR>\dubavalu.dll","flagifnofile=0"
    AutoRun:"*","<$SYSDIR>\yovalono.dll","flagifnofile=0"
    AutoRun:"CPM*","<$SYSDIR>\bofuwike.dll","flagifnofile=1"
    AutoRun:"*","<$SYSDIR>\rewagiki.dll","flagifnofile=0"
    AutoRun:"CPM*","<$SYSDIR>\bivakiru.dll","flagifnofile=1"
    AutoRun:"*","<$SYSDIR>\kegakise.dll","flagifnofile=1"
    
    // Run-key value names used by the same family. Three naming patterns are visible: ten-letter pseudo-words,
    // bare 8-hex-digit names, and "CPM" + 8 hex digits (the ones the CPM* AutoRun rules above are meant to catch).
    RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","wuhelufizo"
    RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","prnet"
    RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","CPMb713b0db"
    RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","b4208347"
    RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","kigobekoha"
    RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","CPMf7256025"
    RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","f41653b9"
    RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","jukaveraki"
    RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","2cee2ecf"
    RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","CPM2fdd1d53"
    RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","pijupakapa"
    RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","CPM13cf6fdb"
    RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","tevobiribe"
    
    // "prnet" is also registered per-user; this is the HKCU counterpart of the HKLM entry above.
    RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","prnet"
    
    // AppInit_DLLs injection: every listed DLL is loaded into each process that links user32. RegyRemove is used
    // rather than RegyValue so that, presumably, only the named DLL is stripped from the (possibly multi-entry)
    // AppInit_DLLs string and the value itself is left in place - confirm against the rule docs.
    // The same sixteen DLLs appear as File:"<$FILE_WEBPAGE>" rules in the file block below.
    RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\tenejepu.dll"
    RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\pufivaha.dll"
    RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\gakikedo.dll"
    RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\lehevusa.dll"
    RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\tadupele.dll"
    RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\kawolumi.dll"
    RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\jarizasu.dll"
    RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\bofuwike.dll"
    RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\yukikono.dll"
    RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\jiligija.dll"
    RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\bivakiru.dll"
    RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\wipoveku.dll"
    RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\bonafefa.dll"
    RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\bizuzuti.dll"
    RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\kajovofu.dll"
    RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\vajarusu.dll"
    
    // Winlogon\Notify subkeys: each is matched together with its DllName value, so the key is only hit when it
    // points at the listed <$SYSDIR> file. Note that __c006610E is registered with a .dat extension, not .dll.
    // The three DllName targets have matching File:"<$FILE_LIBRARY>" rules in the file block below.
    RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\","akgqpynq","DllName=<$SYSDIR>\hezgzdm.dll"
    RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\","__c006610E","DllName=<$SYSDIR>\__c006610E.dat"
    RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\","oczafztk","DllName=<$SYSDIR>\mtmuwhf.dll"
    
    // NOTE(review): this SSODL value is byte-identical to the one already listed inside the Virtumonde BHO block above.
    RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","SSODL","SSODL={EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}"
    
    // SharedTaskScheduler values: the EC43E3FD CLSID is the same component as the SSODL entry, and the two
    // random-looking value names carry the C2BA40A1 / B2BA40A2 CLSIDs whose BHO keys are handled above.
    // NOTE(review): the last two lines repeat the first two of this group exactly; one copy of each would do.
    RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","STS","STS={EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}"
    RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","sdfsefsfdvdubgiungfuyd","sdfsefsfdvdubgiungfuyd={C2BA40A1-74F3-42BD-F434-12345A2C8953}"
    RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","jso8joigm409gopgmrlgd","jso8joigm409gopgmrlgd={B2BA40A2-74F0-42BD-F434-12345A2C8953}"
    RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","STS","STS={EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}"
    RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","sdfsefsfdvdubgiungfuyd","sdfsefsfdvdubgiungfuyd={C2BA40A1-74F3-42BD-F434-12345A2C8953}"
    
    // File rules for the on-disk components referenced by the AutoRun, AppInit_DLLs and Winlogon\Notify rules above.
    // This first group is exactly the thirteen AutoRun targets, filed as <$FILE_EXE>.
    File:"<$FILE_EXE>","<$SYSDIR>\sevayija.dll"
    File:"<$FILE_EXE>","<$SYSDIR>\prnet.tmp"
    File:"<$FILE_EXE>","<$SYSDIR>\lehevusa.dll"
    File:"<$FILE_EXE>","<$SYSDIR>\yejedotu.dll"
    File:"<$FILE_EXE>","<$SYSDIR>\nuhakiko.dll"
    File:"<$FILE_EXE>","<$SYSDIR>\guluzemu.dll"
    File:"<$FILE_EXE>","<$SYSDIR>\vezowolu.dll"
    File:"<$FILE_EXE>","<$SYSDIR>\dubavalu.dll"
    File:"<$FILE_EXE>","<$SYSDIR>\yovalono.dll"
    File:"<$FILE_EXE>","<$SYSDIR>\bofuwike.dll"
    File:"<$FILE_EXE>","<$SYSDIR>\rewagiki.dll"
    File:"<$FILE_EXE>","<$SYSDIR>\bivakiru.dll"
    File:"<$FILE_EXE>","<$SYSDIR>\kegakise.dll"
    // This group is exactly the sixteen AppInit_DLLs targets, filed as <$FILE_WEBPAGE>.
    // NOTE(review): <$FILE_WEBPAGE> is an odd class for a DLL, and lehevusa.dll, bofuwike.dll and bivakiru.dll
    // are listed under <$FILE_EXE>, <$FILE_WEBPAGE> and <$FILE_LIBRARY> at once; presumably one class per file
    // is intended - confirm which class the scanner expects for a DLL.
    File:"<$FILE_WEBPAGE>","<$SYSDIR>\tenejepu.dll"
    File:"<$FILE_WEBPAGE>","<$SYSDIR>\pufivaha.dll"
    File:"<$FILE_WEBPAGE>","<$SYSDIR>\gakikedo.dll"
    File:"<$FILE_WEBPAGE>","<$SYSDIR>\lehevusa.dll"
    File:"<$FILE_WEBPAGE>","<$SYSDIR>\tadupele.dll"
    File:"<$FILE_WEBPAGE>","<$SYSDIR>\kawolumi.dll"
    File:"<$FILE_WEBPAGE>","<$SYSDIR>\bofuwike.dll"
    File:"<$FILE_WEBPAGE>","<$SYSDIR>\yukikono.dll"
    File:"<$FILE_WEBPAGE>","<$SYSDIR>\jarizasu.dll"
    File:"<$FILE_WEBPAGE>","<$SYSDIR>\jiligija.dll"
    File:"<$FILE_WEBPAGE>","<$SYSDIR>\bivakiru.dll"
    File:"<$FILE_WEBPAGE>","<$SYSDIR>\wipoveku.dll"
    File:"<$FILE_WEBPAGE>","<$SYSDIR>\bonafefa.dll"
    File:"<$FILE_WEBPAGE>","<$SYSDIR>\bizuzuti.dll"
    File:"<$FILE_WEBPAGE>","<$SYSDIR>\kajovofu.dll"
    File:"<$FILE_WEBPAGE>","<$SYSDIR>\vajarusu.dll"
    // <$FILE_LIBRARY> group: the Winlogon\Notify DllName targets (hezgzdm.dll, __c006610E.dat, mtmuwhf.dll) and the
    // DLLs named in the commented-out BrowserHelperEx lines (afnoinkdsfe.dll, yhs783ijfo3fe.dll).
    // NOTE(review): lehevusa.dll, guluzemu.dll, kawolumi.dll, bofuwike.dll and afnoinkdsfe.dll each appear twice in
    // this group; the duplicates are harmless but one entry would do.
    File:"<$FILE_LIBRARY>","<$SYSDIR>\lehevusa.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\lehevusa.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\guluzemu.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\guluzemu.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\hezgzdm.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\kawolumi.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\afnoinkdsfe.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\kawolumi.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\bofuwike.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\bofuwike.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\yhs783ijfo3fe.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\bivakiru.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\__c006610E.dat"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\afnoinkdsfe.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\mtmuwhf.dll"
    
    // You NEED the name of this LSP and must use it in a Winsock: rule; do NOT just use a File: command for it, or the LSP chain is left broken!
    // Winsock:"ntdll64.dll","0"
    //Unknown file in Winsock LSP: c:\windows\temp\ntdll64.dll
    
    // Unknown trojan, probably Virtumonde:
    // Two BHO + CLSID pairs and two Winlogon\Notify subkeys whose DllName targets are the two <$FILE_LIBRARY> files
    // below; the Notify subkey names match the DLL base names (cbXOHWPf, mlJAqqRL).
    RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{B585F945-4782-4863-A3E7-27C02D4C4929}"
    RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{B585F945-4782-4863-A3E7-27C02D4C4929}"
    RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{D810B78A-D010-44DF-8445-AC58086B600E}"
    RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{D810B78A-D010-44DF-8445-AC58086B600E}"
    RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\","cbXOHWPf","DllName=<$SYSDIR>\cbXOHWPf.dll"
    RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\","mlJAqqRL","DllName=<$SYSDIR>\mlJAqqRL.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\cbXOHWPf.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\mlJAqqRL.dll"


    Hi Matt,

    bitte pruefe einmal die Regel/
    please check the following rule:

    Code:
    File:"<$FILE_EXE>","SYS32DLL"
    Dem File ist kein Pfad zugeordnet, zudem fehlt die Dateiendung/
    There is no file path or file extension specified.

    Kind regards,
    Roberto.


    Hi Roberto,

    for your information:
    you can find more information here and here.

    I'll try to do my best to avoid such mistakes with the next files and I hope that TeamSpybot can use some of these detection rules.
    Best regards - Beste Grüße,

    Matt
