I've collected detection rules for the following Malware:
  • Adware.EliteBar
  • Adware.IEPlugin
  • Adware.TecentAdressBar
  • Malware.Fraud.YourProtection
  • Malware.Mirar
  • Spyware.FakeAdobeUpdater
  • Spyware.Spynet(2)
  • Trojan.Agent
  • Trojan.DelfInjekt
  • Trojan.Downloader
  • Trojan.FakeAlert.ttam(2)
  • Trojan.IRCBot
  • Trojan.Virtumonde
Category: Trojan
Code:
:: New Malware v102
// Revision 1
// {Cat:Test}{Cnt:1}
// {Det:Matt,2010-04-18}
// NOTE(review): the "::" line appears to name this rule set and the {Cat:..}{Cnt:..}{Det:..} tags read as
// category / count / detected-by+date metadata — confirm against the rule-file format reference before relying on them.


// Adware.EliteBar:
// See also: http://www.systemlookup.com/Startup/12589-pokapoka79_exe.html
// File name and autostart name are fixed!
// Run-entry name "System service79" with a fixed target path under <$WINDIR>\etb. The "flagifnofile=1" option
// reads as "still flag the Run entry when the target file is absent" — confirm against the format reference.
AutoRun:"System service79","<$WINDIR>\etb\pokapoka79.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","System service79"
File:"<$FILE_EXE>","<$WINDIR>\etb\pokapoka79.exe"
// Directory rule is qualified with filename=pokapoka79.exe, presumably so an unrelated "etb" folder is not matched on its own.
Directory:"<$DIR_PROG>","<$WINDIR>\etb","filename=pokapoka79.exe"


// Adware.IEPlugin:
// See also: http://www.systemlookup.com/Startup/14256-pxckdla_exe.html
// File name and autostart name are fixed!
// Run-entry name "Win Server Updt" with a fixed target directly in <$WINDIR>; no Directory rule is needed because
// the file does not live in a folder of its own.
AutoRun:"Win Server Updt","<$WINDIR>\pxckdla.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","Win Server Updt"
File:"<$FILE_EXE>","<$WINDIR>\pxckdla.exe"


// Adware.TecentAdressBar:
// See also: http://www.systemlookup.com/CLSID/34224-IEBar_dll.html
// BHO detection: the BrowserHelperEx rule matches a BHO named "QQ*" whose library is IEBar.dll; the three registry
// rules cover the BHO registration, the IE toolbar entry and the class registration, all under the same CLSID.
BrowserHelperEx:"QQ*","filename=IEBar.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{29CF293A-1E7D-4069-9E11-E39698D0AF95}"
RegyValue:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Internet Explorer\Toolbar\","{29CF293A-1E7D-4069-9E11-E39698D0AF95}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{29CF293A-1E7D-4069-9E11-E39698D0AF95}"
File:"<$FILE_LIBRARY>","<$PROGRAMFILES>\Tencent\QQToolbar\IEBar.dll"
// Directory rules are listed innermost first.
// NOTE(review): unlike the EliteBar/Spynet Directory rules in this file, the parent "Tencent" folder carries no
// filename= qualifier, so it would also match other Tencent software installed under that folder — confirm this is intended.
Directory:"<$DIR_PROG>","<$PROGRAMFILES>\Tencent\QQToolbar"
Directory:"<$DIR_PROG>","<$PROGRAMFILES>\Tencent"


// Malware.Fraud.YourProtection:
// Original log entries (user-specific 8.3 short path), kept for reference; the live rules below replace the
// profile-specific prefix with the <$LOCALSETTINGS> placeholder so they are not tied to one user account.
// AutoRun:"cls_pack.exe","C:\DOCUME~1\AMYCHO~1\LOCALS~1\Temp\cls_pack.exe","flagifnofile=1"
AutoRun:"cls_pack.exe","<$LOCALSETTINGS>\Temp\cls_pack.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","cls_pack.exe"
// File:"<$FILE_EXE>","C:\DOCUME~1\AMYCHO~1\LOCALS~1\Temp\cls_pack.exe"
File:"<$FILE_EXE>","<$LOCALSETTINGS>\Temp\cls_pack.exe"


// Malware.Mirar:
// BHO rule matches a BHO named "Mirar" regardless of its library name (filename=*.dll).
BrowserHelperEx:"Mirar","filename=*.dll"
// NOTE(review): the Toolbar RegyValue below uses CLSID {535D9FF2-...} while the BHO and CLSID RegyKey rules use
// {535D9FF3-...}; the one-digit difference may be intentional (a separate toolbar class) or a typo — confirm.
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{535D9FF3-73B1-40C2-BB9A-E6F84369BBC9}"
RegyValue:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Internet Explorer\Toolbar\","{535D9FF2-73B1-40C2-BB9A-E6F84369BBC9}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{535D9FF3-73B1-40C2-BB9A-E6F84369BBC9}"
// Library name observed for this sample; presumably other samples use a different name, which the wildcard BHO rule above still covers.
File:"<$FILE_LIBRARY>","<$SYSDIR>\3278.dll"


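// Spyware.FakeAdobeUpdater:
// New variant!
// Not sure whether an asterisk also belongs in front of the AutoRun path (like the one at the end).
// See also: http://forums.techguy.org/malware-removal-hijackthis-logs/917181-hjt-log-fixing-gfs-laptop.html
// Original log entry (rundll32 loading a .dat file from the user's roaming AppData folder), kept for reference:
// AutoRun:"Msset","rundll32.exe "C:\Users\Owner\AppData\Roaming\Adobe\Update\inxret.dat""","flagifnofile=1"
// <$APPDATA> already stands for the roaming Application Data folder (compare the Trojan.DelfInjekt rules in this file,
// where "...\Anwendungsdaten\winsvcn.exe" became "<$APPDATA>\winsvcn.exe"), so the extra "\Roaming" segment is dropped
// here; with it the expanded path would read "...\AppData\Roaming\Roaming\Adobe\..." and would not match.
// The trailing "*" on the AutoRun path allows for the rest of the rundll32 command line after the .dat path.
AutoRun:"Msset","<$APPDATA>\Adobe\Update\inxret.dat*","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","Msset"
// File:"<$FILE_EXE>","rundll32.exe "C:\Users\Owner\AppData\Roaming\Adobe\Update\inxret.dat"""
// The payload is a .dat file loaded via rundll32, hence <$FILE_DATA> rather than <$FILE_EXE>.
File:"<$FILE_DATA>","<$APPDATA>\Adobe\Update\inxret.dat"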


// Spyware.Spynet(1):
// New variant?
// HijackThis O4 lines this rule set was derived from:
// O4 - HKLM\..\Policies\Explorer\Run: [Policies] C:\Windows\system32\MSOffice\update.exe
// O4 - HKCU\..\Policies\Explorer\Run: [Policies] C:\Windows\system32\MSOffice\update.exe
// Both observed Run-entry names ("Policies" and "MSOffice") are covered by AutoRun rules on the same fixed target path.
AutoRun:"Policies","<$SYSDIR>\MSOffice\update.exe","flagifnofile=1"
AutoRun:"MSOffice","<$SYSDIR>\MSOffice\update.exe","flagifnofile=1"
// NOTE(review): the O4 lines above come from ...\Policies\Explorer\Run, but the two RegyValue rules target
// ...\CurrentVersion\Run and only the "MSOffice" value name — confirm whether a matching rule for the
// Policies\Explorer\Run "Policies" value (HKLM and HKCU) is also needed.
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","MSOffice"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","MSOffice"
File:"<$FILE_EXE>","<$SYSDIR>\MSOffice\update.exe"
// Directory rule is qualified with filename=update.exe, presumably so an unrelated "MSOffice" folder is not matched on its own.
Directory:"<$DIR_PROG>","<$SYSDIR>\MSOffice","filename=update.exe"


// Spyware.Spynet(2):
// New variant?
// HijackThis O4 lines this rule set was derived from:
// O4 - HKLM\..\Policies\Explorer\Run: [Policies] C:\Windows\System32\root\csrss.exe
// O4 - HKCU\..\Policies\Explorer\Run: [Policies] C:\Windows\System32\root\csrss.exe
// The file name imitates the genuine csrss.exe, which lives directly in the system directory; all rules here are
// anchored on the "root" subfolder, so the legitimate binary stays out of scope.
AutoRun:"Policies","<$SYSDIR>\root\csrss.exe","flagifnofile=1"
AutoRun:"msn","<$SYSDIR>\root\csrss.exe","flagifnofile=1"
AutoRun:"msn security update","<$SYSDIR>\root\csrss.exe","flagifnofile=1"
// NOTE(review): as in Spynet(1), the O4 lines reference ...\Policies\Explorer\Run, while the RegyValue rules
// target ...\CurrentVersion\Run and do not cover the "Policies" value name — confirm whether that key needs its own rule.
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","msn"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","msn security update"
File:"<$FILE_EXE>","<$SYSDIR>\root\csrss.exe"
Directory:"<$DIR_PROG>","<$SYSDIR>\root","filename=csrss.exe"


// Trojan.Agent:
// I don't think Windows has an entry like this :-)
// The Run-entry name imitates a Windows component; the AutoRun rule is anchored on the fixed target
// <$SYSDIR>\winupd.exe.
AutoRun:"Windows Update","<$SYSDIR>\winupd.exe","flagifnofile=1"
// NOTE(review): this RegyValue rule is keyed on the value name "Windows Update" alone — confirm that no legitimate
// software registers a Run value under that name before shipping it.
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","Windows Update"
File:"<$FILE_EXE>","<$SYSDIR>\winupd.exe"


// Trojan.DelfInjekt:
// File names are fixed, already seen several times in log files!
// Name per VirusTotal
// See also: http://www.virustotal.com/de/analisis/69b43db2377401f04bbe7f3a8f4faabe796473bdb42f1608c75453c77973a177-1271518128#
// Two observed drop locations: the public/user profile folder and the roaming Application Data folder.
// Original log entries kept for reference:
// AutoRun:"Windows System Guard","C:\Users\Public\dlll.exe","flagifnofile=1"
// AutoRun:"Windows System Guard","C:\Users\Public\winsvcn.exe","flagifnofile=1"
// The AutoRun target is generalized to "*.exe"; the fixed Run-entry name "Windows System Guard" is what keeps the
// rule specific. The value has been seen under HKCU (profile variant) and HKLM (AppData variant).
AutoRun:"Windows System Guard","<$PROFILE>\*.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","Windows System Guard"
// Only the dlll.exe sample is pinned by hash; the remaining File rules match by path alone.
File:"<$FILE_EXE>","<$PROFILE>\dlll.exe","md5=2fa62719d82d92766da55085b90e339d"
File:"<$FILE_EXE>","<$PROFILE>\winsvcn.exe"
// AutoRun:"Windows System Guard","C:\Dokumente und Einstellungen\Calle\Anwendungsdaten\winsvcn.exe","flagifnofile=1"
AutoRun:"Windows System Guard","<$APPDATA>\*.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","Windows System Guard"
// File:"<$FILE_EXE>","C:\Dokumente und Einstellungen\Calle\Anwendungsdaten\winsvcn.exe"
File:"<$FILE_EXE>","<$APPDATA>\winsvcn.exe"
// For consistency the following rule should also be considered (dlll.exe in the AppData location, not yet observed):
File:"<$FILE_EXE>","<$APPDATA>\dlll.exe"


// Trojan.Downloader:
// Name per Sophos:
// See also: http://www.systemlookup.com/Startup/745-elite_32_exe.html
// The AutoRun target uses "elite???32.exe" to allow for a three-character variable part in the file name.
AutoRun:"antiware","<$SYSDIR>\elite???32.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","antiware"
// NOTE(review): the File rule names only the "eliteptl32.exe" variant, so other names admitted by the AutoRun
// wildcard are not covered by a File rule — confirm whether the wildcard form is wanted here as well.
File:"<$FILE_EXE>","<$SYSDIR>\eliteptl32.exe"


// Trojan.FakeAlert.ttam(1):
// Found here: http://www.trojaner-board.de/84978-googel-chrome-oeffnet-sich-nicht-mehr.html
// Occurred together with Spyware.Spynet!
// Original log entry, kept for reference ("CKPCNCCP" looks like a per-infection random suffix):
// AutoRun:"StartServiceCKPCNCCP","C:\Users\Jayacer\AppData\Local\CKPCNCCP\StartService.exe","flagifnofile=1"
// The AutoRun rule generalizes both the suffix ("StartService*") and the folder name ("*").
AutoRun:"StartService*","<$LOCALAPPDATA>\*\StartService.exe","flagifnofile=1"
// NOTE(review): the two RegyValue rules still carry the literal suffix "StartServiceCKPCNCCP", so other
// suffixes are caught by the AutoRun rule but not by these — confirm whether the value name can be wildcarded here too.
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","StartServiceCKPCNCCP"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","StartServiceCKPCNCCP"
// File:"<$FILE_EXE>","C:\Users\Jayacer\AppData\Local\CKPCNCCP\StartService.exe"
File:"<$FILE_EXE>","<$LOCALAPPDATA>\*\StartService.exe"
// Directory rule is qualified with filename=StartService.exe, presumably so arbitrary folders under Local AppData are not matched on their own.
Directory:"<$DIR_APPDATA>","<$LOCALAPPDATA>\*","filename=StartService.exe"


// Trojan.FakeAlert.ttam(2):
// I hope you don't need files for this... I don't have any! :-(  It certainly doesn't belong to Office, does it?
// Original log entry (rundll32 loading a DLL from the local Temp folder with export "S"), kept for reference:
// AutoRun:"office",""C:\Windows\system32\rundll32.exe" C:\Users\cecy\AppData\Local\Temp\5370662.dll,S","flagifnofile=1"
// The DLL name is generalized to "*.dll"; the trailing "*" presumably allows for the ",S" argument after the path.
// NOTE(review): this matches any Run value named "office" whose command line references a DLL in the local Temp
// folder — broad by design since no sample was available; there is no File rule for the same reason.
AutoRun:"office","<$LOCALAPPDATA>\Temp\*.dll*","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","office"
// File:"<$FILE_EXE>",""C:\Windows\system32\rundll32.exe" C:\Users\cecy\AppData\Local\Temp\5370662.dll,S"


// Trojan.IRCBot:
// See also: http://www.systemlookup.com/Startup/21663-lssas_exe.html
// Original log entry, kept for reference (the file name imitates lsass.exe with a transposed letter):
// AutoRun:"Google Updater","E:\Users\Alex\AppData\Local\Temp\lssas.exe","flagifnofile=1"
// NOTE(review): unlike the other AutoRun rules in this file this one uses "flagifnofile=0", and the RegyValue rule
// for the value name is commented out — presumably because "Google Updater" is also the name of a legitimate Run
// entry, so only an entry whose target is the Temp-folder lssas.exe should be flagged. Confirm that reading.
AutoRun:"Google Updater","<$LOCALAPPDATA>\Temp\lssas.exe","flagifnofile=0"
// RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","Google Updater"
// File:"<$FILE_EXE>","E:\Users\Alex\AppData\Local\Temp\lssas.exe"
File:"<$FILE_EXE>","<$LOCALAPPDATA>\Temp\lssas.exe"


// Trojan.Virtumonde:
// Several persistence mechanisms are covered below: a BHO, rundll32-based Run entries, an AppInit_DLLs entry and
// Winlogon Notify packages. The BHO rule matches any BHO name ("*") whose library is dispex32.dll.
BrowserHelperEx:"*","filename=dispex32.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{01B8AC0F-9E0F-479D-A6ED-18BB94722924}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{01B8AC0F-9E0F-479D-A6ED-18BB94722924}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\dispex32.dll"
// Occurred together with the O2 entry!
// Companion libraries observed alongside the BHO; all are matched by path alone (no hash).
File:"<$FILE_LIBRARY>","<$SYSDIR>\dpcdll32.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\eapp3hst32.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\difxapi32.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\dimsntfy32.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\dbnmpntw32.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\dciman3232.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\ddrawex32.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\hpbpro32.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\hpbmiapi32.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\dbmsrpcn32.dll"

// rundll32-based Run entries. The value names (Bgolivi, vtursssys, cbbccbdrv, Esaxer) look random per infection,
// so each AutoRun rule uses "*" for the name and anchors on the DLL path in the command line instead; the trailing
// "*" allows for the export argument after the path. "flagifnofile=0" is used here, unlike most rules in this file —
// presumably so a stale entry without its DLL is not reported; confirm. The RegyValue rules carry the one observed
// name each and therefore only cover that sample.
// AutoRun:"Bgolivi","rundll32.exe "C:\WINDOWS\orecawajuri.dll",Startup","flagifnofile=1"
AutoRun:"*","<$WINDIR>\orecawajuri.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","Bgolivi"
// File:"<$FILE_EXE>","rundll32.exe "C:\WINDOWS\orecawajuri.dll",Startup"
File:"<$FILE_LIBRARY>","<$WINDIR>\orecawajuri.dll"

// AutoRun:"vtursssys","rundll32.exe "rqopqo.dll",DllRegisterServer","flagifnofile=1"
// The original command line gives the DLL without a path; it is assumed to resolve to <$SYSDIR>.
AutoRun:"*","<$SYSDIR>\rqopqo.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","vtursssys"
// File:"<$FILE_EXE>","rundll32.exe "rqopqo.dll",DllRegisterServer"
File:"<$FILE_LIBRARY>","<$SYSDIR>\rqopqo.dll"

// AutoRun:"cbbccbdrv","rundll32.exe "rqonlj.dll",s","flagifnofile=1"
AutoRun:"*","<$SYSDIR>\rqonlj.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","cbbccbdrv"
// File:"<$FILE_EXE>","rundll32.exe "rqonlj.dll",s"
File:"<$FILE_LIBRARY>","<$SYSDIR>\rqonlj.dll"

// AutoRun:"Esaxer","rundll32.exe "C:\WINDOWS\ohohitamagabobi.dll",Startup","flagifnofile=1"
AutoRun:"*","<$WINDIR>\ohohitamagabobi.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","Esaxer"
// File:"<$FILE_EXE>","rundll32.exe "C:\WINDOWS\ohohitamagabobi.dll",Startup"
// NOTE(review): this .dll is listed as <$FILE_EXE> whereas every other library in this file uses <$FILE_LIBRARY>
// (see the three rundll32 entries above) — looks like a copy/paste slip; confirm and align.
File:"<$FILE_EXE>","<$WINDIR>\ohohitamagabobi.dll"

// AppInit_DLLs persistence: the RegyRemove rule targets only the datime32.dll entry within the value, so any other
// entries in AppInit_DLLs are left in place.
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\datime32.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\datime32.dll"

// Winlogon Notify package pointing at the same datime32.dll (key name looks random per infection).
RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\","6cda308d879","DllName=<$SYSDIR>\datime32.dll"
// NOTE(review): duplicate of the datime32.dll File rule a few lines above; harmless but could be dropped.
File:"<$FILE_LIBRARY>","<$SYSDIR>\datime32.dll"

// Second Winlogon Notify package; DllName is given without a path, so the File rule assumes <$SYSDIR>.
RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\","awtqoNGW","DllName=awtqoNGW.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\awtqoNGW.dll"