Detection rules for the following malware:
  • Adware.Gamevance
  • Trojan.Agent
  • Trojan.BHO
  • Trojan.Downloader
  • Trojan.FakeAlert
  • Trojan.Virtumonde
Category: Trojan
Code:
:: New Malware v8
// Revision 1
// {Cat:Trojan}{Cnt:1}
// {Det:Matt,2009-05-23}
//
// Detection rule set. Each section below names one family and lists the
// registry keys/values and files that identify it. The BHO-based families
// are matched by CLSID at two places: the Browser Helper Objects key under
// HKLM\...\Explorer and the class registration under HKLM\SOFTWARE\Classes\CLSID,
// so both keys are removed together when the family is flagged.
// The name-based "BrowserHelperEx" lines are commented out in every section;
// presumably they were replaced by the CLSID rules to avoid false positives on
// the display name — confirm. The <$...> tokens look like template variables
// expanded by the scanner (<$REG_BHO>, <$REG_CLASSID>, <$REG_AUTORUN>,
// <$FILE_EXE>, <$LOCALSETTINGS>) — TODO confirm against the rule-engine docs.
// NOTE(review): every rule here is keyed on a fixed CLSID, a fixed Run-value
// name or a fixed file path; no file hash or content check is present, so a
// variant using a different CLSID or filename is not covered by this set.

// Adware.Gamevance:
//BrowserHelperEx:"Gamevance","flagfile=1"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{0ED403E8-470A-4a8a-85A4-D7688CFE39A3}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{0ED403E8-470A-4a8a-85A4-D7688CFE39A3}"

// Trojan.Agent:
// BrowserHelperEx:"CDNSCacheObj Object","flagfile=1"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{376892AE-1825-4E5F-9F85-23F9640051CC}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{376892AE-1825-4E5F-9F85-23F9640051CC}"

// Trojan.BHO:
// BrowserHelperEx:"Microsoft copyright","flagfile=1"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{F30B5E7E-CFBB-44fb-A947-226E5A7A4290}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{F30B5E7E-CFBB-44fb-A947-226E5A7A4290}"

// Trojan.Downloader:
// Persistence via an HKCU Run value named "Cognac" pointing at an executable
// in the user's Local Settings\Temp folder. "flagifnofile=1" presumably means
// the Run entry is flagged even when the referenced file is already gone, so
// the dangling autostart is still cleaned up — confirm.
AutoRun:"Cognac","<$LOCALSETTINGS>\Temp\2207.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","Cognac"
// Path-only file match; no hash, so only this exact filename is detected.
File:"<$FILE_EXE>","<$LOCALSETTINGS>\Temp\2207.exe"

// Trojan.FakeAlert:
// BrowserHelperEx:"XML module","flagfile=1"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{500BCA15-57A7-4eaf-8143-8C619470B13D}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{500BCA15-57A7-4eaf-8143-8C619470B13D}"

// NOTE(review): trailing section header with no rules beneath it; it repeats
// the Trojan.Downloader heading above — confirm whether rules were dropped
// here or the line is a leftover to be removed.
// Trojan.Downloader