I've collected detection rules for the following malware:
  • Malware.Fraud.AntimalwareDoctor
  • Malware.Fraud.Sysguard
  • Spyware.AdRotator
  • Spyware.Spynet
  • Trojan.Agent(2)
  • Trojan.FakeAlert.ttam
  • Trojan.Fraudpack
  • Trojan.Virtumonde
Category: Trojan
Code:
:: New Malware v103
// Revision 1
// {Cat:Test}{Cnt:1}
// {Det:Matt,2010-04-18}
// NOTE(review): the header carries {Cat:Test} while the submission form says
// "Category: Trojan", and {Cnt:1} while several rule sections follow below —
// confirm what Cat/Cnt are expected to hold before this is merged.


// Malware.Fraud.AntimalwareDoctor:
// Rogue "antimalware" product. Persists through a Startup-folder shortcut whose
// target is appreg70700.exe inside a 32-hex-character directory under the user's
// Application Data (the machine-specific path is kept in the commented lines);
// "*" stands in for that per-install directory name.
AutoStart:"Antimalware Doctor.lnk",""
// Original log entry with the concrete path, kept for reference:
// AutoStart:"C:\Documents and Settings\Kristian\Application Data\033C2BC6ECCFABDF37C761190A3FEE04\appreg70700.exe",""
AutoStart:"<$APPDATA>\*\appreg70700.exe",""
// File:"<$FILE_LINK>","<$STARTUP>\Antimalware Doctor.lnk","target[link]=C:\Documents and Settings\Kristian\Application Data\033C2BC6ECCFABDF37C761190A3FEE04\appreg70700.exe"
File:"<$FILE_LINK>","<$STARTUP>\Antimalware Doctor.lnk","target[link]=<$APPDATA>\*\appreg70700.exe"
File:"<$FILE_EXE>","<$APPDATA>\*\appreg70700.exe"
// NOTE(review): the Run-key rules below are commented out, but the commented
// RegyValue indicates the sample also registered "appreg70700.exe" under
// HKCU\...\Run. Confirm that the AutoStart: lines above cover that key;
// otherwise re-enable the RegyValue line and add an AutoRun line using the
// generalised <$APPDATA>\*\appreg70700.exe path.
// AutoRun:"appreg70700.exe","C:\Documents and Settings\Kristian\Application Data\033C2BC6ECCFABDF37C761190A3FEE04\appreg70700.exe","flagifnofile=1"
// RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","appreg70700.exe"
// File:"<$FILE_EXE>","C:\Documents and Settings\Kristian\Application Data\033C2BC6ECCFABDF37C761190A3FEE04\appreg70700.exe"


// Malware.Fraud.Sysguard:
// NOTE(review): this section contains observations only — no rule lines yet,
// although the submission header lists Sysguard as covered.
// Every file name listed below appears to have the shape d??????tssd.exe
// ("d" + 6 letters + "tssd"), the parent directory names under appdata appear
// to be 9 random letters, and the Run value names 8 random letters. If "?"
// matches a single character here as it does in the ????.tmp rule further
// down, wildcard File:/AutoRun: rules on <$LOCALAPPDATA>\*\d??????tssd.exe,
// <$APPDATA>\*\d??????tssd.exe and <$WINDIR>\d??????tssd.exe look feasible;
// the value names are not usable as an anchor. Check the false-positive risk
// of the "tssd" suffix against clean systems before adding such rules.
// Found all of the following entries in ONE single DDS log file; the "short" lines may be the interesting ones, since there the path points to WINDIR  :-)
// So it shows up under Localappdata, appdata\roaming and windir; is all of this already known, or is there something new here?
// uRun: [eaqxagmd] c:\users\kaput\appdata\local\niiilhybj\dkmrhdftssd.exe
// uRun: [yorqjsyi] c:\users\kaput\appdata\local\ludilymsw\dsbkpgitssd.exe
// uRun: [iqfcmych] c:\users\kaput\appdata\local\qjlhlbauq\drxalietssd.exe
// uRun: [efguvlom] c:\users\kaput\appdata\local\ovghlrnme\damttlgtssd.exe
// uRun: [wybylnsq] c:\users\kaput\appdata\local\wvailantc\dshumywtssd.exe
// uRun: [ckygccgk] c:\users\kaput\appdata\local\aifiliacn\djtcfvutssd.exe
// uRun: [lqcpcnkr] c:\users\kaput\appdata\local\fklfmvcqd\dxqtmgrtssd.exe
// uRun: [wbsilsyt] c:\users\kaput\appdata\roaming\acpanpvma\djhhhwetssd.exe
// uRun: [xpoaxicu] c:\users\kaput\appdata\local\bslvowmvl\dfhnqvhtssd.exe
// uRun: [ulbqnorb] c:\users\kaput\appdata\local\mdmynqwne\diorepstssd.exe
// uRun: [cgdflbqy] c:\users\kaput\appdata\local\etoupqops\dmsvubgtssd.exe
// uRun: [vosansye] c:\users\kaput\appdata\local\ojdrqgfgc\dynexnatssd.exe
// uRun: [eixfvpup] c:\users\kaput\appdata\local\qdwanhvfc\drmfnjntssd.exe
// uRun: [dyoutuuj] c:\windows\dwseqiktssd.exe
// uRun: [sjgqdyok] c:\users\kaput\appdata\local\ateupaoyu\dduilhltssd.exe
// uRun: [vjddrnxu] c:\users\kaput\appdata\local\ovespuqug\djncmfytssd.exe
// uRun: [hdfuoycr] c:\users\kaput\appdata\local\fqxynrjot\difwdyatssd.exe
// uRun: [sujxqkli] c:\users\kaput\appdata\local\xdjyorwpi\dhvcbihtssd.exe
// uRun: [osrlqgag] c:\users\kaput\appdata\local\wsbvognen\dvjahcmtssd.exe
// uRun: [saavlpmr] c:\users\kaput\appdata\local\yrhxodlbe\dxuenqitssd.exe
// uRun: [hrbmcoft] c:\users\kaput\appdata\local\ggsupybxf\ddedmxdtssd.exe
// uRun: [sxciporl] c:\users\kaput\appdata\roaming\bkyqqhfig\dyuovgotssd.exe
// uRun: [jguqesqg] c:\users\kaput\appdata\roaming\wynpqcudd\dfwdxuutssd.exe
// uRun: [qoybjphi] c:\users\kaput\appdata\local\lgdvppboe\dmcqwrytssd.exe
// uRun: [cmqpcgmn] c:\users\kaput\appdata\local\cpuanxiul\dbsoytbtssd.exe
// uRun: [ajxcvqor] c:\users\kaput\appdata\local\ryepqkumf\dwaoobatssd.exe
// uRun: [omdbyber] c:\users\kaput\appdata\local\ywuqqysyu\dhjhdjqtssd.exe
// uRun: [agfsvmin] c:\users\kaput\appdata\local\prowovmth\dfadtdstssd.exe
// uRun: [orsxugfa] c:\users\kaput\appdata\local\ylspqkhlp\dwjjprrtssd.exe
// uRun: [ldatscsn] c:\users\kaput\appdata\roaming\jtxvphngr\duqkeubtssd.exe
// uRun: [abpuahhe] c:\users\kaput\appdata\local\oepxokxil\dpabiurtssd.exe
// uRun: [xxvhtrjh] c:\users\kaput\appdata\local\enynrxjyf\dlgcwcptssd.exe
// uRun: [nfutdrwf] c:\users\kaput\appdata\local\vcganxvvb\dajtwditssd.exe
// uRun: [xcmfpwkq] c:\users\kaput\appdata\local\fcxmrixla\dbgdjkqtssd.exe
// uRun: [uuhlfytt] c:\users\kaput\appdata\local\nfjwonylu\doovcgutssd.exe
// uRun: [dnkmgkxl] c:\users\kaput\appdata\local\hocmrrltm\dsskbhotssd.exe
// uRun: [fjrcatgn] c:\users\kaput\appdata\local\vcelrbydd\djlcpwbtssd.exe
// uRun: [fwtwifxr] c:\users\kaput\appdata\local\rsrvopnno\dmllxirtssd.exe
// uRun: [cpiaclsr] c:\windows\drsasritssd.exe
// uRun: [qmannpmc] c:\users\kaput\appdata\local\nyuoqtuug\dncbehetssd.exe
// uRun: [xnqnchhp] c:\users\kaput\appdata\local\eldpqbhco\dggxylntssd.exe
// uRun: [annarvpa] c:\users\kaput\appdata\local\smcnrvjxa\dmyqajbtssd.exe
// uRun: [axtuigrs] c:\users\kaput\appdata\local\tpylrsluq\dryuxadtssd.exe
// uRun: [qxevbajb] c:\users\kaput\appdata\local\miyspmdmu\drcuuibtssd.exe
// uRun: [tmxadeun] c:\users\kaput\appdata\local\cbunrpwqs\dtuuffrtssd.exe
// uRun: [jiseasll] c:\users\kaput\appdata\local\ugvvoxavb\dexspfotssd.exe
// uRun: [hyjtwxmg] c:\users\kaput\appdata\local\jbhmraxcy\dkerseltssd.exe
// uRun: [uawibeud] c:\users\kaput\appdata\local\nthvoxnwp\deoxoovtssd.exe
// uRun: [sepshtnb] c:\users\kaput\appdata\local\yggvooany\dnugyyjtssd.exe
// uRun: [jkkoyxrp] c:\users\kaput\appdata\local\wmmormioy\duwfjdvtssd.exe
// uRun: [ohnedvdi] c:\users\kaput\appdata\local\xjvrpneny\drjfrbptssd.exe
// uRun: [qacjwbeg] c:\users\kaput\appdata\local\jphynijfr\dqclmsutssd.exe
// uRun: [lxkwwwre] c:\users\kaput\appdata\local\ifawovyuv\dfqismatssd.exe
// uRun: [kyggmmuq] c:\users\kaput\appdata\local\ydhksuaxk\dqwktcytssd.exe
// uRun: [uenfviwl] c:\users\kaput\appdata\local\nhgupjcil\dtnaawwtssd.exe
// uRun: [hivrkedb] c:\users\kaput\appdata\local\fevxocxbo\dxfyohbtssd.exe
// uRun: [vmumrsex] c:\users\kaput\appdata\roaming\qculrkymf\danogdftssd.exe
// uRun: [mtnvfvcs] c:\users\kaput\appdata\local\mqjjsenhb\dhpcirltssd.exe
// uRun: [crhnxlnw] c:\users\kaput\appdata\local\ddsyojwgh\dqsqkcctssd.exe
// uRun: [jxmjiijt] c:\users\kaput\appdata\roaming\teayobxyk\dyxoromtssd.exe
// uRun: [vxyufdbw] c:\users\kaput\appdata\local\plypqchds\dfnivectssd.exe
// uRun: [kuqjqhth] c:\users\kaput\appdata\local\xojlrjllp\dbwjitxtssd.exe
// uRun: [xmraghmj] c:\users\kaput\appdata\roaming\geujsfbiq\dhghhbstssd.exe
// uRun: [upqnjtsk] c:\users\kaput\appdata\local\mqlxockay\dxotqxttssd.exe
// uRun: [bcjrelsc] c:\users\kaput\appdata\local\tdxkseagm\dhywkietssd.exe
// uRun: [mpxxkrbj] c:\users\kaput\appdata\roaming\mcklstyvg\drpawjktssd.exe
// uRun: [tbtsptxo] c:\users\kaput\appdata\local\dqpjswoae\dpubpevtssd.exe
// uRun: [ssllujqc] c:\users\kaput\appdata\local\avbspvrvl\diumjxntssd.exe
// uRun: [aehfalni] c:\users\kaput\appdata\local\rkgqqagaj\dgamcsxtssd.exe
// uRun: [qrqljunl] c:\users\kaput\appdata\local\nnsnrfjhc\ddcdqpftssd.exe
// uRun: [aarhegmy] c:\users\kaput\appdata\local\rwhrqoroo\dqalpkwtssd.exe
// uRun: [loecgmpm] c:\users\kaput\appdata\local\hddynawwf\daqeuvxtssd.exe
// uRun: [mgreshyq] c:\users\kaput\appdata\local\lannrwwyp\dlpvysitssd.exe
// uRun: [tqnxyjvw] c:\users\kaput\appdata\local\doslraldn\djuwrnstssd.exe
// uRun: [mvljbwwy] c:\users\kaput\appdata\local\kxrqqatby\dgqsbcgtssd.exe
// uRun: [fbkuekyb] c:\users\kaput\appdata\local\shpupacak\ddlnjqstssd.exe
// uRun: [metqwgfl] c:\windows\dmpghhntssd.exe
// uRun: [bqfjrbve] c:\users\kaput\appdata\roaming\utsgtlrpx\ddydughtssd.exe
// uRun: [otliukle] c:\users\kaput\appdata\local\crjisapdn\dnivjoytssd.exe
// uRun: [fxntmjjo] c:\users\kaput\appdata\roaming\wsyhsipmp\dfkiauetssd.exe
// uRun: [vbqfeiha] c:\windows\dvntqbjtssd.exe
// uRun: [tkamheah] c:\users\kaput\appdata\roaming\esmgtsqwu\dutfntxtssd.exe
// uRun: [isujgsqq] c:\users\kaput\appdata\local\lgbhtsdwg\dveaokqtssd.exe
// uRun: [mijnslgu] c:\users\kaput\appdata\local\ohegtmfqn\ddpispptssd.exe
// uRun: [oeqdlunv] c:\windows\dtiaifbtssd.exe
// uRun: [fceqiokx] c:\windows\dukkmdftssd.exe
// uRun: [fhtoetlh] c:\users\kaput\appdata\roaming\xuvftfskg\dkkmxlgtssd.exe
// uRun: [dhwcofcv] c:\windows\derswnstssd.exe
// uRun: [xvxtxroc] c:\users\kaput\appdata\local\hgqhtcegh\dmglfqvtssd.exe
// uRun: [tppkdibq] c:\users\kaput\appdata\local\fhkftefjq\dkthacytssd.exe
// uRun: [rpsxntsf] c:\users\kaput\appdata\local\qfkhtjdne\debnyeltssd.exe
// uRun: [kncxycxs] c:\users\kaput\appdata\local\atcgtcrgw\dmwqeadtssd.exe
// uRun: [dlmykkdf] c:\users\kaput\appdata\local\jhtftvfao\dtrujvttssd.exe
// uRun: [rtiujyto] c:\users\kaput\appdata\local\qtjgturya\dtbpkmmtssd.exe


// Spyware.AdRotator:
// Browser Helper Object ("hotrevenue browser enhancer") registered under a fixed
// CLSID. The DLL name and the Run value name in the commented log line look
// random per install, so the two CLSID RegyKey rules are the durable part of
// this set; the name-based AutoRun/RegyValue/File rules are sample-specific.
BrowserHelperEx:"hotrevenue browser enhancer","filename=*.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{459eb0e4-2940-2acf-277d-0de5123c1873}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{459eb0e4-2940-2acf-277d-0de5123c1873}"
// Original Run value: the DLL is loaded through a silent regsvr32 call (kept for reference):
// AutoRun:"xjutegogajndr","c:\windows\system32\regsvr32.exe /s "c:\windows\system32\ljuqaixixap.dll"","flagifnofile=1"
// "*" accepts any value name; flagifnofile=0 presumably requires the DLL to be
// present on disk before the entry is flagged — confirm against the rule docs.
AutoRun:"*","<$SYSDIR>\ljuqaixixap.dll","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","xjutegogajndr"
// File:"<$FILE_EXE>","c:\windows\system32\regsvr32.exe /s "c:\windows\system32\ljuqaixixap.dll""
File:"<$FILE_LIBRARY>","<$SYSDIR>\ljuqaixixap.dll"


// Spyware.Spynet:
// New path under PROGRAMFILES?!
// Quoted O4 log lines: the "Policies" value under Policies\Explorer\Run in both
// hives launches server.exe from the (German) Program Files directory, which the
// rules below express as <$PROGRAMFILES>.
// O4 - HKLM\..\Policies\Explorer\Run: [Policies] C:\Programme\spynet\server.exe
// O4 - HKCU\..\Policies\Explorer\Run: [Policies] C:\Programme\spynet\server.exe
AutoRun:"Policies","<$PROGRAMFILES>\spynet\server.exe","flagifnofile=1"
// NOTE(review): the "HKLM"/"HKCU" value names used in the four rules below do
// not appear in the quoted log lines — presumably taken from another sample;
// worth stating where they come from.
// AutoRun:"HKLM","C:\Programme\spynet\server.exe","flagifnofile=1"
AutoRun:"HKLM","<$PROGRAMFILES>\spynet\server.exe","flagifnofile=1"
// AutoRun:"HKCU","C:\Programme\spynet\server.exe","flagifnofile=1"
AutoRun:"HKCU","<$PROGRAMFILES>\spynet\server.exe","flagifnofile=1"
// NOTE(review): both RegyValue lines target HKEY_CURRENT_USER, including the one
// for the value named "HKLM"; confirm whether that value actually lives under
// HKEY_LOCAL_MACHINE (as its name suggests) and whether a RegyValue for the
// Policies\Explorer\Run "Policies" value shown in the log is also needed, or
// whether the AutoRun: lines already cover it.
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","HKLM"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","HKCU"
File:"<$FILE_EXE>","<$PROGRAMFILES>\spynet\server.exe"
Directory:"<$DIR_PROG>","<$PROGRAMFILES>\spynet","filename=server.exe"


// Trojan.Agent(1):
// Run value named "svchost" (mimicking the legitimate service host) that points
// into a .tmp directory under the Windows temp folder. The directory name in
// the log (rpyl.tmp) is four characters, generalised below as ????.tmp; the
// rules are anchored on the path, not on the (legitimate-looking) file name.
// NOTE(review): this section is not listed in the submission header.
// AutoRun:"svchost","c:\windows\temp\rpyl.tmp\svchost.exe","flagifnofile=1"
AutoRun:"svchost","<$WINDIR>\temp\????.tmp\svchost.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","svchost"
// File:"<$FILE_EXE>","c:\windows\temp\rpyl.tmp\svchost.exe"
File:"<$FILE_EXE>","<$WINDIR>\temp\????.tmp\svchost.exe"
Directory:"<$DIR_PROG>","<$WINDIR>\temp\????.tmp","filename=svchost.exe"


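// Trojan.Agent(2):
// Run value "asam" launching <$WINDIR>\asam.exe. The MBAM log quoted below
// reports the value under BOTH HKEY_CURRENT_USER and HKEY_LOCAL_MACHINE, so
// both hives get a RegyValue rule here (the first draft only listed HKCU).
AutoRun:"asam","<$WINDIR>\asam.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","asam"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","asam"
File:"<$FILE_EXE>","<$WINDIR>\asam.exe"
// See also the MBAM log for this sample (MBAM names it Worm.Nuwar):
// C:\WINDOWS\asam.exe (Worm.Nuwar) -> Unloaded process successfully.
// Registry Values Infected:
// HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\asam (Worm.Nuwar) -> Quarantined and deleted successfully.
// HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\asam (Worm.Nuwar) -> Quarantined and deleted successfully.
// Files Infected:
// C:\WINDOWS\asam.exe (Worm.Nuwar) -> Quarantined and deleted successfully.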


// Trojan.FakeAlert.ttam:
// Found an MD5 checksum this time! ;-)
// For details please see: http://www.threatexpert.com/report.aspx?md5=d1e2983aff7cf7d9a325c01b1f5b4acc
// NOTE(review): "idid" is a very short key name directly under HKLM\Software\Classes;
// check it against clean systems for false positives before relying on it.
RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\Software\Classes\","idid"
// Persistence is appended to the Winlogon Shell value (original value in the
// commented line). The RegyRemove below strips only the "bnis.mxo *" part, so
// "Explorer.exe" is kept and the shell is not broken on cleanup.
// RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\","Shell","Shell=Explorer.exe rundll32.exe bnis.mxo yfklng"
RegyRemove:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\","Shell","bnis.mxo *"
// The md5 pin limits this File rule to the exact sample from the report above;
// other builds are still caught by the Shell and RegyKey rules. The hash is
// written upper-case here and lower-case in the URL — presumably compared
// case-insensitively, confirm.
File:"<$FILE_DATA>","<$SYSDIR>\bnis.mxo","md5=D1E2983AFF7CF7D9A325C01B1F5B4ACC"


// Trojan.Fraudpack:
// New variant!
// All AutoRun lines in this section are keyed on the value name QZAIB7KITK,
// which looks randomly generated; the path is wildcarded (*.exe), the value
// name is what keeps the wildcard from matching legitimate Run entries.
AutoRun:"QZAIB7KITK","<$WINDIR>\*.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","QZAIB7KITK"
// File rule pinned to the one file name seen in this sample.
File:"<$FILE_EXE>","<$WINDIR>\Hnudoa.exe"
// Since Fraudpack appears in various paths, I recommend the following additional rules:
// (<$LOCALSETTINGS>\Temp is the XP-style temp folder, <$LOCALAPPDATA>\Temp the Vista+ one.)
AutoRun:"QZAIB7KITK","<$LOCALSETTINGS>\Temp\*.exe","flagifnofile=1"
AutoRun:"QZAIB7KITK","<$LOCALAPPDATA>\Temp\*.exe","flagifnofile=1"
AutoRun:"QZAIB7KITK","<$WINDIR>\Temp\*.exe","flagifnofile=1"
// What do you think?
// NOTE(review): because every line above is tied to the same value name, the
// extra paths only add coverage if this exact variant drops into Temp; other
// builds with a different value name are not caught by any of them, and the
// File rule would need a matching wildcard or hash to follow.


// Trojan.Virtumonde:
// Four separate footholds seen in this sample: a BHO under a fixed CLSID, two
// Run values that load DLLs via rundll32, and DLLs injected through AppInit_DLLs.
BrowserHelperEx:"*","filename=efcCsRlk.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{5e72e207-c43b-4f98-ac87-6b99dc6f8989}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{5e72e207-c43b-4f98-ac87-6b99dc6f8989}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\efcCsRlk.dll"

// Run value loading efdawx.dll through rundll32 (original value kept for reference).
// The trailing "*" after .dll in the AutoRun path presumably allows for the
// ",s" export argument that follows the DLL name — confirm.
// AutoRun:"kheddbdrv","rundll32.exe "efdawx.dll",s","flagifnofile=1"
AutoRun:"*","<$SYSDIR>\efdawx.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","kheddbdrv"
// File:"<$FILE_EXE>","rundll32.exe "efdawx.dll",s"
File:"<$FILE_LIBRARY>","<$SYSDIR>\efdawx.dll"

// Same pattern for ssrspq.dll, invoked via its DllRegisterServer export.
// AutoRun:"wvwtqqsys","rundll32.exe "ssrspq.dll",DllRegisterServer","flagifnofile=1"
AutoRun:"*","<$SYSDIR>\ssrspq.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","wvwtqqsys"
// File:"<$FILE_EXE>","rundll32.exe "ssrspq.dll",DllRegisterServer"
File:"<$FILE_LIBRARY>","<$SYSDIR>\ssrspq.dll"

// AppInit_DLLs entries: RegyRemove strips only the named DLL from the value
// rather than clearing the whole list. The registry value for igdhpq.dll is a
// bare file name (no path), so the RegyRemove pattern is correct as written.
// NOTE(review): the File rule below also uses the bare name "igdhpq.dll",
// unlike the two sibling rules that use <$SYSDIR>\...; unless bare names are
// resolved by the scanner, this should probably read <$SYSDIR>\igdhpq.dll.
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","igdhpq.dll"
File:"<$FILE_LIBRARY>","igdhpq.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\hereporu.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\hereporu.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\rohebiyi.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\rohebiyi.dll"