I've collected detection rules for the following malware:
  • Malware.Smitfraud
  • Spyware.AdRotator
  • Spyware.Spynet
  • Trojan.Agent(2)
  • Trojan.Delf.qtp
  • Trojan.FakeAlert.ttam(3)
  • Trojan.Virtumonde
  • Trojan.Zlob
Category: Trojan
Code:
:: New Malware v105
// Revision 1
// {Cat:Test}{Cnt:1}
// {Det:Matt,2010-04-25}


// Malware.Smitfraud:
// Winlogon\Notify entry plus the DLL it names.
// NOTE(review): the DllName check below carries a literal C:\WINDOWS\system32 path,
// while the File line and the other Winlogon\Notify rules in this set use <$SYSDIR>.
// A literal path presumably fails to match on an installation whose system directory
// differs; consider "DllName=<$SYSDIR>\inketype.dll" - confirm against the engine's
// matching semantics.
RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\","inketype","DllName=C:\WINDOWS\system32\inketype.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\inketype.dll"

// SharedTaskScheduler entries (value name = CLSID) paired with the DLLs that belong to them.
// NOTE(review): the value names and CLSIDs are copied from one observed sample; verify they
// are stable across infections before relying on them as the only anchor.
RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","characterizing","characterizing={b292ec9f-a074-4115-8342-1f459702d8d2}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\fyxkaah.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","coronally","coronally={1b17f1db-790e-4d42-8e0c-d4d19123ee5b}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\xnvaogd.dll"


// Spyware.AdRotator:
// Three BHO variants, each: BHO by display name, its registration key, its CLSID key,
// and the DLL on disk. The first and third also have a Run entry.
BrowserHelperEx:"ezLife browser enhancer *","filename=*.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{37F2B634-3A41-4DA9-A598-1F6DF2B2E4F7}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{37F2B634-3A41-4DA9-A598-1F6DF2B2E4F7}"
// Original Run command as seen in the log (kept for reference):
// AutoRun:"ezLife","rundll32 "rtaksfow.dll",,Run","flagifnofile=1"
// NOTE(review): the pattern <$SYSDIR>\*.dll* matches any DLL in the system directory and
// so anchors on the entry name "ezLife" alone. The original command names rtaksfow.dll
// (the same file the File line checks), so "<$SYSDIR>\rtaksfow.dll*" - the shape used for
// the hotrevenue variant below - would be tighter. The meaning of flagifnofile=1 vs =0 is
// not visible here; presumably it controls whether the entry is flagged when the target
// file is absent - confirm.
AutoRun:"ezLife","<$SYSDIR>\*.dll*","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","ezLife"
// File:"<$FILE_EXE>","rundll32 "rtaksfow.dll",,Run"
File:"<$FILE_LIBRARY>","<$SYSDIR>\rtaksfow.dll"

BrowserHelperEx:"SmartAds browser enhancer *","filename=*.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{52DC8CFE-24D9-4EBB-95E8-9B23850757CC}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{52DC8CFE-24D9-4EBB-95E8-9B23850757CC}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\jebabcmw.dll"

// NOTE(review): this display name has no trailing "*" unlike the two variants above - confirm
// that is intended and not an omission.
BrowserHelperEx:"hotrevenue browser enhancer","filename=*.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{7E75AAE4-4AF8-F055-70C6-5337CBC3F7F8}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{7E75AAE4-4AF8-F055-70C6-5337CBC3F7F8}"
// Original Run command from the log. The entry name looks randomly generated, so the
// AutoRun rule uses "*" for the name and anchors on the DLL path instead.
// AutoRun:"utoernaxovhsqh","C:\WINDOWS\System32\regsvr32.exe /s "C:\WINDOWS\system32\liomwtcesrvezrcc.dll"","flagifnofile=1"
AutoRun:"*","<$SYSDIR>\liomwtcesrvezrcc.dll","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","utoernaxovhsqh"
// File:"<$FILE_EXE>","C:\WINDOWS\System32\regsvr32.exe /s "C:\WINDOWS\system32\liomwtcesrvezrcc.dll""
File:"<$FILE_LIBRARY>","<$SYSDIR>\liomwtcesrvezrcc.dll"


// Spyware.Spynet:
// Found in your forum: http://forums.spybot.info/showthread.php?t=57007%26page=2
// HijackThis O4 lines from that thread:
// O4 - HKLM\..\Policies\Explorer\Run: [Policies] D:\WINDOWS\System\svchost.exe
// O4 - HKCU\..\Policies\Explorer\Run: [Policies] D:\WINDOWS\System\svchost.exe
// NOTE(review): the O4 lines place the entries under ...\Policies\Explorer\Run with the value
// name "Policies", but the RegyValue rules below target ...\CurrentVersion\Run with the value
// names "HKLM" and "HKCU", which look like the hive labels from the log rather than value
// names. Verify the key path and value names against the sample before shipping.
// The file lives in <$WINDIR>\System, not the system directory, which is presumably what
// distinguishes it from the legitimate binary of the same name.
AutoRun:"Policies","<$WINDIR>\System\svchost.exe","flagifnofile=1"
// AutoRun:"HKLM","D:\WINDOWS\System\svchost.exe","flagifnofile=1"
AutoRun:"HKLM","<$WINDIR>\System\svchost.exe","flagifnofile=1"
// AutoRun:"HKCU","D:\WINDOWS\System\svchost.exe","flagifnofile=1"
AutoRun:"HKCU","<$WINDIR>\System\svchost.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","HKLM"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","HKCU"
File:"<$FILE_EXE>","<$WINDIR>\System\svchost.exe"


// Trojan.Agent(1):
// Please also see here: http://www.systemlookup.com/Startup/6203-microsot1_exe.html
// NOTE(review): the referenced page spells the file "microsot1" (digit one) while the rules
// below use "microsotl" (lower-case L). Confirm which spelling the sample actually uses, or
// whether both occur, before relying on the file name.
// Original Run entry had no directory; <$SYSDIR> is assumed below.
// AutoRun:"Microsoft Configuration 35","microsotl.exe","flagifnofile=1"
AutoRun:"Microsoft Configuration 35","<$SYSDIR>\microsotl.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","Microsoft Configuration 35"
// File:"<$FILE_EXE>","microsotl.exe"
File:"<$FILE_EXE>","<$SYSDIR>\microsotl.exe"

// Second variant: Run entry "Microsoft Application Viewer" and its executable.
AutoRun:"Microsoft Application Viewer","<$SYSDIR>\msappview32.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","Microsoft Application Viewer"
File:"<$FILE_EXE>","<$SYSDIR>\msappview32.exe"


// Trojan.Agent(2):
// I already sent you this one before. Please get hold of the file and then add it! ;-)
// Two locations for the same Run entry name "asam": <$WINDIR> and <$LOCALAPPDATA>.
AutoRun:"asam","<$WINDIR>\asam.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","asam"
File:"<$FILE_EXE>","<$WINDIR>\asam.exe"

// NOTE(review): the HKLM Run RegyValue for "asam" below repeats the one in the first group
// verbatim; presumably harmless, but redundant.
AutoRun:"asam","<$LOCALAPPDATA>\asam.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","asam"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","asam"
File:"<$FILE_EXE>","<$LOCALAPPDATA>\asam.exe"


// Trojan.Delf.qtp:
// Run entry "RegistryMonitor1" pointing at qtplugin.exe in the system directory, plus the file.
AutoRun:"RegistryMonitor1","<$SYSDIR>\qtplugin.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","RegistryMonitor1"
File:"<$FILE_EXE>","<$SYSDIR>\qtplugin.exe"


// Trojan.FakeAlert.ttam(1):
// Occurred together with Trojan.Delf.qtp!
// Please also see here: http://www.systemlookup.com/Startup/21290-qtwm_exe.html
// Run entry "RegistryWm" pointing at qtwm.exe in the system directory, plus the file.
AutoRun:"RegistryWm","<$SYSDIR>\qtwm.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","RegistryWm"
File:"<$FILE_EXE>","<$SYSDIR>\qtwm.exe"


// Trojan.FakeAlert.ttam(2):
// Original HKCU Run entry from the log; the folder under Application Data (Xozoqa here) and
// the GUID-style entry name look randomly generated, so the AutoRun rule uses "*" for the
// name and a "\*\" segment for the folder.
// AutoRun:"{7B671124-82C1-D3B6-BE42-1887788FDDE2}",""C:\Documents and Settings\Kelly\Application Data\Xozoqa\tuyw.exe"","flagifnofile=1"
AutoRun:"*","*<$APPDATA>\*\tuyw.exe*","flagifnofile=0"
// NOTE(review): the RegyValue rule pins the GUID from this one sample. If the name is
// generated per infection (as the "*" in the AutoRun rule assumes), this rule will only
// match that single sample - confirm.
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","{7B671124-82C1-D3B6-BE42-1887788FDDE2}"
// File:"<$FILE_EXE>",""C:\Documents and Settings\Kelly\Application Data\Xozoqa\tuyw.exe""
File:"<$FILE_EXE>","<$APPDATA>\*\tuyw.exe"


// Trojan.FakeAlert.ttam(3):
// Original Run command from the log: the .rom file is loaded through rundll32, i.e. it is a
// DLL with a non-standard extension. The command gives no directory; <$SYSDIR> is assumed.
// AutoRun:"MSSMSGS","rundll32.exe winkpb32.rom,gPpjnKMJfi","flagifnofile=1"
AutoRun:"MSSMSGS","<$SYSDIR>\winkpb32.rom*","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","MSSMSGS"
// File:"<$FILE_EXE>","rundll32.exe winkpb32.rom,gPpjnKMJfi"
// NOTE(review): the file is categorised as <$FILE_DATA>, whereas the other rundll32-loaded
// files in this set use <$FILE_LIBRARY>. Confirm which category is intended.
File:"<$FILE_DATA>","<$SYSDIR>\winkpb32.rom"


// Trojan.Virtumonde:
// BHOs identified by DLL file name (display name wildcarded), each with its registration key,
// CLSID key and the DLL on disk.
BrowserHelperEx:"*","filename=wibotelo.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{0d914044-8d03-4edf-a4ef-45cf53505953}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{0d914044-8d03-4edf-a4ef-45cf53505953}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\wibotelo.dll"

BrowserHelperEx:"*","filename=kekilule.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{167554b5-1ea7-4dca-8272-c95ead0e0f39}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{167554b5-1ea7-4dca-8272-c95ead0e0f39}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\kekilule.dll"

// This CLSID is also registered as a SharedTaskScheduler entry further down.
BrowserHelperEx:"*","filename=hl1ap.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{A2BA40A0-74F1-52BD-F411-00B15A2C8953}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{A2BA40A0-74F1-52BD-F411-00B15A2C8953}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\hl1ap.dll"

BrowserHelperEx:"*","filename=duser32.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{24C82871-57E5-4F46-BB09-5C3C62F21D44}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{24C82871-57E5-4F46-BB09-5C3C62F21D44}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\duser32.dll"

// Run entries loading a DLL through rundll32. The entry names look randomly generated, so
// each AutoRun rule uses "*" for the name and anchors on the DLL path; the RegyValue rule
// then removes the specific value name seen in the sample. Original log lines are kept
// above each rule for reference.
// AutoRun:"wemikejahu","Rundll32.exe "rurisugo.dll",s","flagifnofile=1"
AutoRun:"*","<$SYSDIR>\rurisugo.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","wemikejahu"
// File:"<$FILE_EXE>","Rundll32.exe "rurisugo.dll",s"
File:"<$FILE_LIBRARY>","<$SYSDIR>\rurisugo.dll"

// AutoRun:"rasuwejey","Rundll32.exe "c:\windows\system32\feyujafi.dll",a","flagifnofile=1"
AutoRun:"*","<$SYSDIR>\feyujafi.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","rasuwejey"
// File:"<$FILE_EXE>","Rundll32.exe "c:\windows\system32\feyujafi.dll",a"
File:"<$FILE_LIBRARY>","<$SYSDIR>\feyujafi.dll"

// AutoRun:"seyisevede","Rundll32.exe "lajogilo.dll",s","flagifnofile=1"
AutoRun:"*","<$SYSDIR>\lajogilo.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","seyisevede"
// File:"<$FILE_EXE>","Rundll32.exe "lajogilo.dll",s"
File:"<$FILE_LIBRARY>","<$SYSDIR>\lajogilo.dll"

// AutoRun:"jedohapoj","Rundll32.exe "c:\windows\system32\zoweduda.dll",a","flagifnofile=1"
AutoRun:"*","<$SYSDIR>\zoweduda.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","jedohapoj"
// File:"<$FILE_EXE>","Rundll32.exe "c:\windows\system32\zoweduda.dll",a"
File:"<$FILE_LIBRARY>","<$SYSDIR>\zoweduda.dll"

// Per-user variants under the local Temp folder (HKCU Run). User names in the quoted log
// lines are redacted.
// AutoRun:"lsgppb","RUNDLL32.EXE C:\Users\*****\AppData\Local\Temp\msixtcej.dll,w","flagifnofile=1"
AutoRun:"*","<$LOCALAPPDATA>\Temp\msixtcej.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","lsgppb"
// File:"<$FILE_EXE>","RUNDLL32.EXE C:\Users\*****\AppData\Local\Temp\msixtcej.dll,w"
File:"<$FILE_LIBRARY>","<$LOCALAPPDATA>\Temp\msixtcej.dll"

// AutoRun:"tolrpm","RUNDLL32.EXE C:\Users\*****\AppData\Local\Temp\mseltall.dll,w","flagifnofile=1"
AutoRun:"*","<$LOCALAPPDATA>\Temp\mseltall.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","tolrpm"
// File:"<$FILE_EXE>","RUNDLL32.EXE C:\Users\*****\AppData\Local\Temp\mseltall.dll,w"
File:"<$FILE_LIBRARY>","<$LOCALAPPDATA>\Temp\mseltall.dll"

// AppInit_DLLs entries: RegyRemove presumably strips only the named DLL from the value rather
// than deleting the whole value - confirm. NOTE(review): two entries (jogopamo.dll,
// sidikeyu.dll) are written as bare file names while the others carry <$SYSDIR>\. If the
// engine compares the value text literally, the two forms match different registry contents;
// confirm which form each sample wrote.
// NOTE(review): several DLLs (feyujafi.dll, zoweduda.dll, dipagowe.dll, dmutil32.dll,
// hl1ap.dll) get a File line after each registry rule that references them, so the same file
// appears multiple times in this section. Presumably the format pairs each registry rule
// with its file; if not, the repeats are redundant.
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\dipagowe.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\dipagowe.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","jogopamo.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\jogopamo.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\feyujafi.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\feyujafi.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","sidikeyu.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\sidikeyu.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\zoweduda.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\zoweduda.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\dmutil32.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\dmutil32.dll"

// Winlogon\Notify entries and their DLLs (dmutil32.dll is also in AppInit_DLLs above).
RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\","440cfb9f891","DllName=<$SYSDIR>\dmutil32.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\dmutil32.dll"

RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\","jkklLeca","DllName=<$SYSDIR>\jkklLeca.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\jkklLeca.dll"

// ShellServiceObjectDelayLoad and SharedTaskScheduler entries. The same CLSIDs recur in both
// lists: {027b552c-...} (witeruwat / gahurihor -> dipagowe.dll), {91a76196-...}
// (zomuhojis / jugezatag -> feyujafi.dll) and {9ffa750a-...} (wujilokam / kupuhivus ->
// zoweduda.dll); {A2BA40A0-...} is the hl1ap.dll BHO registered above.
RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","witeruwat","witeruwat={027b552c-d32b-4add-8520-5787933badf4}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\dipagowe.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","zomuhojis","zomuhojis={91a76196-9af0-4c52-9b06-bc0bb58cc20b}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\feyujafi.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","wujilokam","wujilokam={9ffa750a-df8f-4643-97f6-0e738183205d}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\zoweduda.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","kupuhivus","kupuhivus={9ffa750a-df8f-4643-97f6-0e738183205d}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\zoweduda.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","gahurihor","gahurihor={027b552c-d32b-4add-8520-5787933badf4}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\dipagowe.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","jugezatag","jugezatag={91a76196-9af0-4c52-9b06-bc0bb58cc20b}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\feyujafi.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","kjsfi8sjefiuoshiefyhiusdhfdf","kjsfi8sjefiuoshiefyhiusdhfdf={A2BA40A0-74F1-52BD-F411-00B15A2C8953}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\hl1ap.dll"


// Trojan.Zlob:
// HijackThis O4 line; "C:\Programme" is presumably the localised Program Files folder, hence <$PROGRAMFILES>.
// O4 - HKLM\..\Policies\Explorer\Run: [rare] C:\Programme\Video Access ActiveX Object\pmsnrr.exe
// NOTE(review): unlike the other sections, this one has only the AutoRun rule - there is no
// RegyValue for the Policies\Explorer\Run entry and no File rule for pmsnrr.exe. The listing
// may be cut off here; confirm before shipping.
AutoRun:"rare","<$PROGRAMFILES>\Video Access ActiveX Object\pmsnrr.exe","flagifnofile=1"