optimized detection rules for Team Spybot
Category: Trojan
Code:
:: New Malware v7 optimized
// Revision 1
// {Cat:Trojan}{Cnt:1}
// {Det:Matt,2009-05-20}
//
// OpenSBI (Spybot-S&D) detection rules for several trojan/adware families collected
// from one infected machine. Each section lists the registry keys, registry values,
// autorun entries and files that identify a family.
// Placeholders written as <$NAME> (e.g. <$SYSDIR>, <$REG_BHO>) are expanded by the
// scanner. Two lines below spell a placeholder without the "$" (<SYSDRIVE>, <SYSDIR>);
// every other placeholder in this file carries it, so those look like typos — see the
// NOTE(review) comments next to them and confirm before relying on those lines.
// NOTE(review): RegyRemove appears to target a single token inside a multi-entry value
// (UserInit, AppInit_DLLs) rather than the whole value — confirm against the OpenSBI docs,
// since an emptied UserInit value breaks interactive logon.

// Adware.MyWebSearch:
// NOTE(review): the URLSearchHooks CLSID ends in ...926 while the BHO/CLSID entries end in
// ...921 — confirm this is two distinct class IDs and not a one-digit typo.
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\","{4D25F926-B9FE-4682-BF72-8AB8210D6D75}"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{4D25F921-B9FE-4682-BF72-8AB8210D6D75}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{4D25F921-B9FE-4682-BF72-8AB8210D6D75}"

// Malware.Dorf-F:
// Removes only the appended pavuppad.exe token from Winlogon\UserInit; the legitimate
// userinit.exe entry (shown in the disabled line below) must survive the fix.
RegyRemove:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\","UserInit","<$SYSDIR>\pavuppad.exe"
// RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\","UserInit","UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\pavuppad.exe"

// Trojan.Agent:
// NOTE(review): <SYSDRIVE> lacks the "$" prefix used by every other placeholder in this
// file (compare <$SYSDIR>); unless OpenSBI accepts both spellings, the path on the next
// line and on the File: line below will not expand — probably meant <$SYSDRIVE>.
// NOTE(review): flagifnofile=1 presumably flags the Run entry even when the referenced
// file is absent (the Virtumonde entry further down uses =0) — confirm the semantics.
AutoRun:"7925","<SYSDRIVE>\jlopfmwe.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","7925"
File:"<$FILE_EXE>","<SYSDRIVE>\jlopfmwe.exe"
// OpenSBI did not accept this line for me; regards from Trojan.Agent:
//O4 - HKUS\S-1-5-21-3031035185-3962549328-3735105361-1008\..\Run: [userinit] C:\WINDOWS\system32\ntos.exe (User 'Rani Kleyn')

// Trojan.Dropper:
// These lines were again not accepted by OpenSBI; the file name "adptifv.exe" is random:
// NOTE(review): the HKUS\S-1-5-21-... SID and the account name in these HijackThis O4 lines
// are specific to the source machine (and are personal data); a portable rule would need
// whatever form OpenSBI accepts for per-user Run/RunServices keys instead.
//O4 - HKUS\S-1-5-21-3031035185-3962549328-3735105361-1008\..\Run: [UpdateWin] C:\WINDOWS\system32\adptifv.exe (User 'Rani Kleyn')
//O4 - HKUS\S-1-5-21-3031035185-3962549328-3735105361-1008\..\RunServices: [UpdateWin] C:\WINDOWS\system32\adptifv.exe (User 'Rani Kleyn')

// Trojan.Ertfor.A:
// Two BHO class IDs plus matching SharedTaskScheduler entries and two DLLs.
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{a6c7b2a1-00f3-42bd-f434-00aaba2c8953}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{a6c7b2a1-00f3-42bd-f434-00aaba2c8953}"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{C2BA40A1-74F3-42BD-F434-12345A2C8953}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{C2BA40A1-74F3-42BD-F434-12345A2C8953}"
RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","sdfsefsfdvdubgiungfuyd","sdfsefsfdvdubgiungfuyd={C2BA40A1-74F3-42BD-F434-12345A2C8953}"
RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","hasf8h3rfijfn98gf9iar","hasf8h3rfijfn98gf9iar={A6C7B2A1-00F3-42BD-F434-00AABA2C8953}"
// NOTE(review): <SYSDIR> on the next line lacks the "$" prefix used on the line after it
// (<$SYSDIR>); the path probably will not expand as written — likely a typo.
File:"<$FILE_LIBRARY>","<SYSDIR>\tya7hfd873f.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\afnoinkdsfe.dll"

// Trojan.Virtumonde:
// Three BHO class IDs, a Run entry loading a DLL, AppInit_DLLs injections,
// two Winlogon\Notify packages, and the associated files.
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{01A36141-A7F5-4200-892A-0B82CF64C83C}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{01A36141-A7F5-4200-892A-0B82CF64C83C}"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{F8321A66-C23F-4363-8CC9-E02A8C2BD86F}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{F8321A66-C23F-4363-8CC9-E02A8C2BD86F}"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{3fd5f344-4e93-4c64-a7d1-0ff38ee526a4}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{3fd5f344-4e93-4c64-a7d1-0ff38ee526a4}"

// "*" matches any Run value name; the file path identifies the entry. flagifnofile=0
// presumably means the entry is not flagged when bibamefe.dll is absent — confirm.
AutoRun:"*","<$SYSDIR>\bibamefe.dll","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","reyamuweve"

// Each RegyRemove strips one DLL from the AppInit_DLLs list; other entries in the value
// should be left intact.
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\hafurive.dll"
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\btpanui32.dll"
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\bovijogu.dll"
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\rihepata.dll"

// Winlogon\Notify packages; the second one loads a DLL disguised with a .dat extension.
RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\","ac96fc64583","DllName=<$SYSDIR>\btpanui32.dll"
RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\","__c0075F39","DllName=<$SYSDIR>\__c0075F39.dat"

// NOTE(review): bibamefe.dll is typed <$FILE_EXE> while the other DLLs use <$FILE_LIBRARY>
// or <$FILE_WEBPAGE>, and btpanui32.dll is listed under two types — confirm the file-type
// tags are intentional and not copy-paste leftovers.
File:"<$FILE_EXE>","<$SYSDIR>\bibamefe.dll"
File:"<$FILE_WEBPAGE>","<$SYSDIR>\hafurive.dll"
File:"<$FILE_WEBPAGE>","<$SYSDIR>\btpanui32.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\btpanui32.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\__c0075F39.dat"
File:"<$FILE_WEBPAGE>","<$SYSDIR>\bovijogu.dll"
File:"<$FILE_WEBPAGE>","<$SYSDIR>\rihepata.dll"
// The following line is not accepted by OpenSBI; regards from Virtumonde:
// O4 - HKUS\S-1-5-19\..\Run: [vukerivite] Rundll32.exe "C:\WINDOWS\system32\nekidayi.dll",s (User 'LOCAL SERVICE')

//Trojan.WinFixer:
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{0B6E16E7-4DB7-406F-9A74-C3128B24923E}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{0B6E16E7-4DB7-406F-9A74-C3128B24923E}"

// Trojan.Unknown 1:
// Not sure whether this file is "good"; I rather think it is not.
// Left disabled on purpose until the file has been confirmed malicious:
// RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\","tuvuuss","DllName=<$SYSDIR>\tuvuuss.dll"
// File:"<$FILE_LIBRARY>","<$SYSDIR>\tuvuuss.dll"

// Trojan.Unknown 2:
// Two unattributed BHO class IDs found on the same machine.
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{54CBB12C-3481-4C5D-942D-4976C0F0A406}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{54CBB12C-3481-4C5D-942D-4976C0F0A406}"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{C6D7FD08-AA2E-4085-AF83-D5D9844F3422}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{C6D7FD08-AA2E-4085-AF83-D5D9844F3422}"