I've collected detection rules for the following malware families (the numbered suffixes in the code mark separate variants/sections):
  • Malware.Fraud.AntivirusSuitePlatinum
  • Trojan.Agent
  • Trojan.FakeAlert.ttam(2)
  • Trojan.Virtumonde(2)
Category: Trojan
Code:
:: New Malware v101
// Revision 1
// {Cat:Test}{Cnt:1}
// {Det:Matt,2010-04-15}
// Detection/removal rules for several trojans, written in a scanner include syntax
// (AutoRun:/RegyValue:/RegyKey:/RegyRemove:/File:/Directory:/BrowserHelperEx:).
// The three tagged lines above ({Cat:..}{Cnt:..}, {Det:..}) look like header metadata
// consumed by the scanner rather than free-text comments — keep them as they are.
// Placeholders such as <$SYSDIR>, <$WINDIR>, <$PROGRAMFILES> and <$LOCALSETTINGS> are
// expanded per machine; the hard-coded user paths from the original logs (kept below
// as commented-out lines) were replaced with them so the rules are not tied to one
// user profile.
// NOTE(review): "flagifnofile=1" presumably still flags a Run entry when the referenced
// file is absent, while "flagifnofile=0" requires the file to exist — confirm against
// the rule format's documentation before relying on the distinction.


// Malware.Fraud.AntivirusSuitePlatinum:
// Rogue antivirus: a per-user Run entry ("avsuite") plus its program folder.
AutoRun:"avsuite","<$PROGRAMFILES>\Antivirus Suite Platinum\avsuite.exe*","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","avsuite"
File:"<$FILE_EXE>","<$PROGRAMFILES>\Antivirus Suite Platinum\avsuite.exe"
Directory:"<$DIR_PROG>","<$PROGRAMFILES>\Antivirus Suite Platinum"


// Trojan.Agent:
// Original Run entry as logged (user-specific path, replaced by <$LOCALSETTINGS> below):
// AutoRun:"hsf87efjhdsf87f3jfsdi7fhsujfd","C:\DOCUME~1\CAITLI~1\LOCALS~1\Temp\spoolsv.exe","flagifnofile=1"
AutoRun:"hsf87efjhdsf87f3jfsdi7fhsujfd","<$LOCALSETTINGS>\Temp\spoolsv.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","hsf87efjhdsf87f3jfsdi7fhsujfd"
// File:"<$FILE_EXE>","C:\DOCUME~1\CAITLI~1\LOCALS~1\Temp\spoolsv.exe"
File:"<$FILE_EXE>","<$LOCALSETTINGS>\Temp\spoolsv.exe"
// The following processes were also present in the HijackThis log.
// They reuse the names of core Windows processes (lsass, csrss, winlogon, services,
// svchost, ...) but live in the user's Temp folder; the path, not the name, is what
// identifies them. These rules deliberately match only the Temp copies — never widen
// them to the bare file name, or the real system binaries would be flagged.
File:"<$FILE_EXE>","<$LOCALSETTINGS>\Temp\lsass.exe"
File:"<$FILE_EXE>","<$LOCALSETTINGS>\Temp\taskmgr.exe"
File:"<$FILE_EXE>","<$LOCALSETTINGS>\Temp\system.exe"
File:"<$FILE_EXE>","<$LOCALSETTINGS>\Temp\winlogon.exe"
File:"<$FILE_EXE>","<$LOCALSETTINGS>\Temp\services.exe"
File:"<$FILE_EXE>","<$LOCALSETTINGS>\Temp\csrss.exe"
File:"<$FILE_EXE>","<$LOCALSETTINGS>\Temp\svchost.exe"
// Regedit had also been disabled (HijackThis O7 entry):
// O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
// NOTE(review): this policy value can also be set legitimately by an administrator on a
// locked-down machine, so on its own it is a weak indicator; it is listed here because it
// accompanied the Temp-folder binaries above.
RegyValue:"<$REG_SETTINGS>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Policies\System\","DisableRegedit"


// Trojan.FakeAlert.ttam(1):
// See also, e.g.: http://labs.kaphasoft.com/tag/fdmw-pvo
// (Original author's aside: they found it odd that no further samples of this trojan
// had been collected beyond the single one from the previous submission.)
// Winlogon Shell value as seen on the infected machine — the malware appends its own
// rundll32 invocation after Explorer.exe instead of replacing the shell:
// RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\","Shell","Shell=Explorer.exe rundll32.exe fdmw.pvo lnjltg"
// NOTE(review): RegyRemove with "fdmw.pvo*" is presumably meant to strip only the
// matching part of the Shell value; removing or clearing the whole value would leave
// the machine without a shell at logon — confirm the removal semantics before use.
RegyRemove:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\","Shell","fdmw.pvo*"
File:"<$FILE_DATA>","<$SYSDIR>\fdmw.pvo"


// Trojan.FakeAlert.ttam(2):
// See also: http://www.superantispyware.com/malwarefiles/CSBDLL.DLL.html
// Winlogon\Notify subkey whose DllName points at the malicious DLL in the system folder.
RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\","csbdll","DllName=csbdll.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\csbdll.dll"


// Trojan.Virtumonde(1):
// Browser Helper Objects: each one is matched by DLL file name, by its BHO registration
// and by the matching CLSID entry (same GUID in both keys), plus the DLL itself.
BrowserHelperEx:"*","filename=gzp8xcc.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{A9BA40A1-74F1-52BD-F431-00B15A2C8953}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{A9BA40A1-74F1-52BD-F431-00B15A2C8953}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\gzp8xcc.dll"

BrowserHelperEx:"*","filename=yesubowe.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{5222b404-2dd3-4077-991a-9c0dd8bdd57d}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{5222b404-2dd3-4077-991a-9c0dd8bdd57d}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\yesubowe.dll"

// Run entries launched via rundll32. The entry names below (wvtrpqsys, tutsspdrv,
// Bzihul, Qpefameteqa) look random per infection, so the live AutoRun rules match any
// Run entry whose command references the DLL (AutoRun:"*") while the RegyValue line
// still removes the exact name that was observed. The commented-out lines keep the
// original command as logged.
// AutoRun:"wvtrpqsys","rundll32.exe "cbxvuu.dll",DllRegisterServer","flagifnofile=1"
AutoRun:"*","<$SYSDIR>\cbxvuu.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","wvtrpqsys"
// File:"<$FILE_EXE>","rundll32.exe "cbxvuu.dll",DllRegisterServer"
File:"<$FILE_LIBRARY>","<$SYSDIR>\cbxvuu.dll"

// AutoRun:"tutsspdrv","rundll32.exe "vtuvvu.dll",s","flagifnofile=1"
AutoRun:"*","<$SYSDIR>\vtuvvu.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","tutsspdrv"
// File:"<$FILE_EXE>","rundll32.exe "vtuvvu.dll",s"
File:"<$FILE_LIBRARY>","<$SYSDIR>\vtuvvu.dll"

// These two DLLs were dropped directly in the Windows folder, not in System32.
// AutoRun:"Bzihul","rundll32.exe "C:\WINDOWS\eligifop.dll",Startup","flagifnofile=1"
AutoRun:"*","<$WINDIR>\eligifop.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","Bzihul"
// File:"<$FILE_EXE>","rundll32.exe "C:\WINDOWS\eligifop.dll",Startup"
File:"<$FILE_LIBRARY>","<$WINDIR>\eligifop.dll"

// AutoRun:"Qpefameteqa","rundll32.exe "c:\windows\evuluwaruyumogav.dll",Startup","flagifnofile=1"
AutoRun:"*","<$WINDIR>\evuluwaruyumogav.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","Qpefameteqa"
// File:"<$FILE_EXE>","rundll32.exe "c:\windows\evuluwaruyumogav.dll",Startup"
File:"<$FILE_LIBRARY>","<$WINDIR>\evuluwaruyumogav.dll"

// AppInit_DLLs entries. Each RegyRemove names only the malicious DLL, so any other
// entries in the (shared) AppInit_DLLs value are presumably left intact — confirm that
// RegyRemove strips just the matching token and does not clear the whole value.
// Note the mixed forms: most entries are bare file names, funamidu.dll is listed with
// its full <$SYSDIR> path, mirroring how each was seen in the logs.
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","akAWJuMVt.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\akAWJuMVt.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\funamidu.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\funamidu.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","puyinohe.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\puyinohe.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","dipinodo.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\dipinodo.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","zuyinuni.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\zuyinuni.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","hilufalu.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\hilufalu.dll"

// NOTE(review): the next two lines carry a trailing space inside the quoted name
// ("tivorema.dll "). If that is a paste error rather than the literal value seen on
// the machine, neither the registry token nor the file name will match — verify and
// drop the space if it is not genuine.
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","tivorema.dll "
File:"<$FILE_LIBRARY>","<$SYSDIR>\tivorema.dll "

// Winlogon\Notify subkeys pointing at DLLs in the system folder (same mechanism as
// FakeAlert.ttam(2) above).
RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\","qoMcbayA","DllName=qoMcbayA.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\qoMcbayA.dll"

RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\","vtUkjjkJ","DllName=vtUkjjkJ.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\vtUkjjkJ.dll"

// ShellServiceObjectDelayLoad and SharedTaskScheduler entries. Both the "yogamawas"
// and "jugezatag" values reference the same GUID {86e3a10f-...}, which is why both
// are paired with funamidu.dll; the File: line for funamidu.dll is repeated here
// (already listed with its AppInit_DLLs entry above) — harmless, but redundant.
RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","yogamawas","yogamawas={86e3a10f-da0a-46d7-9d86-61237074e395}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\funamidu.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","jugezatag","jugezatag={86e3a10f-da0a-46d7-9d86-61237074e395}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\funamidu.dll"

// The "hasiufhiusdfjdhfudd" value reuses the gzp8xcc.dll BHO GUID {A9BA40A1-...}.
RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","hasiufhiusdfjdhfudd","hasiufhiusdfjdhfudd={A9BA40A1-74F1-52BD-F431-00B15A2C8953}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\gzp8xcc.dll"

// NOTE(review): the following line is an exact duplicate of the RegyValue rule just
// above and can be removed.
RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","hasiufhiusdfjdhfudd","hasiufhiusdfjdhfudd={A9BA40A1-74F1-52BD-F431-00B15A2C8953}"


// Trojan.Virtumonde(2):
// Taken from a DDS log. These are file-only indicators — no registry anchor was
// recorded for them, so detection rests entirely on the dropped file names
// (random-looking 8-letter names in the system folder and *.job files under
// <$WINDIR>\Tasks). yesubowe.dll is also covered by its BHO rules in Virtumonde(1).
File:"<$FILE_EXE>","<$SYSDIR>\yohiliwa.exe"
File:"<$FILE_EXE>","<$SYSDIR>\nimijere.exe"
File:"<$FILE_EXE>","<$SYSDIR>\lipewedi.exe"
File:"<$FILE_LIBRARY>","<$SYSDIR>\yesubowe.dll"
File:"<$FILE_EXE>","<$SYSDIR>\rihefiso.exe"
File:"<$FILE_EXE>","<$SYSDIR>\wahihevi.exe"
File:"<$FILE_EXE>","<$SYSDIR>\dohofusa.exe"
// Scheduled-task files; removing the .job file removes the task that re-launches the dropper.
File:"<$FILE_DATA>","<$WINDIR>\Tasks\aqlfujij.job"
File:"<$FILE_DATA>","<$WINDIR>\Tasks\mqvlspta.job"
File:"<$FILE_DATA>","<$WINDIR>\Tasks\ooslprxv.job"
File:"<$FILE_DATA>","<$WINDIR>\Tasks\sejgbrju.job"
File:"<$FILE_DATA>","<$WINDIR>\Tasks\snufbkxr.job"
File:"<$FILE_LIBRARY>","<$SYSDIR>\viruwuyo.dll"