I've collected detection rules for the following Malware:
  • Adware.TecentAdressBar
  • Malware.ApplicationUpdater
  • Malware.ChameleonTom
  • Malware.Fraud.AKMAntivirus2010Pro
  • Malware.Fraud.APManager
  • Malware.Fraud.CleanUpAntivirus
  • Malware.Fraud.DesktopSecurity2010
  • Malware.Fraud.DigitalProtection
  • Rootkit.Zbot
  • Spyware.AdRotator
  • Spyware.Spynet(2)
  • Trojan.Agent.inc
  • Trojan.Agent(6)
  • Trojan.Agobot
  • Trojan.Ambler
  • Trojan.FakeAlert.ttam(4)
  • Trojan.Fraudpack(2)
  • Trojan.Rbot
  • Trojan.SillyFDC
  • Trojan.Virtumonde(2)
Category: Trojan
Code:
:: New Malware v107
// Revision 1
// {Cat:Test}{Cnt:1}
// {Det:Matt,2010-05-03}


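// Adware.TecentAdressBar:
// See also: http://www.systemlookup.com/CLSID/53547-SAddr_dll_SAddr1_dll_SAddr2_dll_SSAddr_dll_SSAddr1_dll_SSAddr2_dll_TBHMain_dll_IEHelp_dll.html
// Please check whether you already have all of this in the database :-)
// Tencent SSPlus / QQ toolbar bundle: a URL search hook, two BHOs, two Run values,
// a service-style "TSUSVC" entry and the files/folders under <$PROGRAMFILES>\TENCENT.
// Commented-out lines preserve the raw paths seen in the sample; the live rules use
// path variables and wildcards so version folders and launch arguments do not matter.
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\","{DB8B2393-7A6C-4C76-88CE-6B1F6FF6FFE9}"
BrowserHelperEx:"Tencent Browser Helper","filename=*.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{0C7C23EF-A848-485B-873C-0ED954731014}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{0C7C23EF-A848-485B-873C-0ED954731014}"
File:"<$FILE_LIBRARY>","<$PROGRAMFILES>\TENCENT\SSPlus\SAddr.dll"
BrowserHelperEx:"QQ*","filename=IEBar.dll"
RegyValue:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Internet Explorer\Toolbar\","{29CF293A-1E7D-4069-9E11-E39698D0AF95}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{29CF293A-1E7D-4069-9E11-E39698D0AF95}"
// "stup.exe" launches SPlus.dll through rundll32; the trailing "*" covers the rundll32 arguments.
// AutoRun:"stup.exe","Rundll32.exe C:\PROGRA~1\TENCENT\SSPlus\SPlus.dll,Rundll32 R","flagifnofile=1"
AutoRun:"stup.exe","<$PROGRAMFILES>\TENCENT\SSPlus\SPlus.dll*","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","stup.exe"
// File:"<$FILE_EXE>","Rundll32.exe C:\PROGRA~1\TENCENT\SSPlus\SPlus.dll,Rundll32 R"
File:"<$FILE_LIBRARY>","<$PROGRAMFILES>\TENCENT\SSPlus\SPlus.dll"
// AutoRun:"QQ2009",""C:\Program Files\Tencent\QQ\Bin\QQ.exe" /background","flagifnofile=1"
AutoRun:"QQ2009","<$PROGRAMFILES>\Tencent\QQ\Bin\QQ.exe*","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","QQ2009"
// File:"<$FILE_EXE>",""C:\Program Files\Tencent\QQ\Bin\QQ.exe" /background"
File:"<$FILE_EXE>","<$PROGRAMFILES>\Tencent\QQ\Bin\QQ.exe"
// NOTE(review): ImagePath/DisplayName are properties of a Services\<name> key, not of
// SharedTaskScheduler; confirm which key the sample writes before relying on the two lines below.
// RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","TSUSVC","ImagePath=C:\Program Files\Tencent\QQSoftMgr\1.0.338.203\TencentUpdateSvc.exe"
RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","TSUSVC","ImagePath=<$PROGRAMFILES>\Tencent\QQSoftMgr\*\TencentUpdateSvc.exe"
RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","TSUSVC","DisplayName=Tencent Software Update Service"
// File:"<$FILE_EXE>","C:\Program Files\Tencent\QQSoftMgr\1.0.338.203\TencentUpdateSvc.exe"
File:"<$FILE_EXE>","<$PROGRAMFILES>\Tencent\QQSoftMgr\*\TencentUpdateSvc.exe"
// File:"<$FILE_LIBRARY>","<$PROGRAMFILES>\TENCENT\SSPlus\SAddr1.dll"
File:"<$FILE_LIBRARY>","<$PROGRAMFILES>\TENCENT\SSPlus\SAddr?.dll"
File:"<$FILE_LIBRARY>","<$PROGRAMFILES>\TENCENT\SSPlus\SSAddr.dll"
File:"<$FILE_LIBRARY>","<$PROGRAMFILES>\TENCENT\SSPlus\SSAddr?.dll"
File:"<$FILE_LIBRARY>","<$PROGRAMFILES>\TENCENT\SSPlus\TBHMain.dll"
File:"<$FILE_LIBRARY>","<$PROGRAMFILES>\TENCENT\SSPlus\IEHelp.dll"
File:"<$FILE_LIBRARY>","<$PROGRAMFILES>\Tencent\QQToolbar\IEBar.dll"
// Directory:"<$DIR_PROG>","<$PROGRAMFILES>\TENCENT\QQSoftMgr\1.0.338.203"
// filename filter corrected: it read "Tecent.UpdateSvc.exe", which can never match the
// TencentUpdateSvc.exe named in the File rule above, so the version folder was never flagged.
Directory:"<$DIR_PROG>","<$PROGRAMFILES>\TENCENT\QQSoftMgr\*","filename=TencentUpdateSvc.exe"
Directory:"<$DIR_PROG>","<$PROGRAMFILES>\TENCENT\QQSoftMgr"
Directory:"<$DIR_PROG>","<$PROGRAMFILES>\TENCENT\SSPlus"
Directory:"<$DIR_PROG>","<$PROGRAMFILES>\TENCENT\QQToolbar"
Directory:"<$DIR_PROG>","<$PROGRAMFILES>\TENCENT\QQ\Bin"
Directory:"<$DIR_PROG>","<$PROGRAMFILES>\TENCENT\QQ"
Directory:"<$DIR_PROG>","<$PROGRAMFILES>\TENCENT"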


// Malware.ApplicationUpdater:
// Service-style entry "Application Updater" plus its executable and folder under <$PROGRAMFILES>.
// NOTE(review): ImagePath is a property of a Services\<name> key; the SharedTaskScheduler
// path used here follows the same pattern as the Tencent TSUSVC entry above — confirm
// which key the sample actually writes.
RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","Application Updater","ImagePath=<$PROGRAMFILES>\Application Updater\ApplicationUpdater.exe"
File:"<$FILE_EXE>","<$PROGRAMFILES>\Application Updater\ApplicationUpdater.exe"
Directory:"<$DIR_PROG>","<$PROGRAMFILES>\Application Updater"


// Malware.ChameleonTom:
// Browser helper object "wit for ie" (wit4ie.dll): BHO registration, its CLSID,
// the DLL and the install folder under <$PROGRAMFILES>\ChameleonTom.
BrowserHelperEx:"wit for ie","filename=wit4ie.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{75ED56AF-4DC9-4243-A30C-4EF4DD0CA28F}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{75ED56AF-4DC9-4243-A30C-4EF4DD0CA28F}"
File:"<$FILE_LIBRARY>","<$PROGRAMFILES>\ChameleonTom\wit4ie.dll"
Directory:"<$DIR_PROG>","<$PROGRAMFILES>\ChameleonTom"


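// Malware.Fraud.AKMAntivirus2010Pro:
// Rogue antivirus. Drops its components directly into <$PROGRAMFILES> under names that
// imitate Windows/Adobe components (svchost.exe, "Adobe Update Service"); the genuine
// svchost.exe lives in <$SYSDIR>, so a copy in Program Files belongs to the rogue.
RegyKey:"<$REG_SETTINGS>",HKEY_CURRENT_USER,"\SOFTWARE\","AKM Antivirus 2010 Pro"
// HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AdbUpd
// CurrentControlSet is a link to one of the numbered control sets, so the three are listed explicitly.
RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SYSTEM\ControlSet001\Services\","AdbUpd"
RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SYSTEM\ControlSet002\Services\","AdbUpd"
RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SYSTEM\ControlSet003\Services\","AdbUpd"
BrowserHelperEx:"ADC PlugIn","filename=adc32.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{77DC0Baa-3235-4ba9-8BE8-aa9EB678FA02}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{77DC0Baa-3235-4ba9-8BE8-aa9EB678FA02}"
File:"<$FILE_LIBRARY>","<$PROGRAMFILES>\adc32.dll"
// NOTE(review): the comment above names Services\AdbUpd, but the next two lines put the
// ImagePath/DisplayName values under SharedTaskScheduler — confirm which key the sample writes.
RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","AdbUpd","ImagePath=<$PROGRAMFILES>\svchost.exe"
RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","AdbUpd","DisplayName=Adobe Update Service"
File:"<$FILE_EXE>","<$PROGRAMFILES>\svchost.exe"
// (a second, identical File rule for adc32.dll was removed — it is already listed after the CLSID above)
File:"<$FILE_EXE>","<$PROGRAMFILES>\alggui.exe"
File:"<$FILE_DATA>","<$PROGRAMFILES>\nuar.old"
File:"<$FILE_DATA>","<$PROGRAMFILES>\skynet.dat"
File:"<$FILE_DATA>","<$PROGRAMFILES>\wp3.dat"
File:"<$FILE_DATA>","<$PROGRAMFILES>\wp4.dat"
File:"<$FILE_EXE>","<$PROGRAMFILES>\wpp.exe"
File:"<$FILE_EXE>","<$PROGRAMFILES>\AKM Antivirus 2010 Pro\AKM Antivirus 2010 Pro.exe"
File:"<$FILE_TEMP>","<$LOCALSETTINGS>\Temp\win1.tmp"
File:"<$FILE_TEMP>","<$LOCALSETTINGS>\Temp\win2.tmp"
File:"<$FILE_TEMP>","<$WINDIR>\Temp\win1.tmp"
// NOTE(review): the next line repeats win1.tmp; by analogy with the <$LOCALSETTINGS> pair
// above, win2.tmp was probably intended — confirm against a sample before changing it.
File:"<$FILE_TEMP>","<$WINDIR>\Temp\win1.tmp"
File:"<$FILE_DESKTOPLINK>","<$DESKTOP>\AKM Antivirus 2010 Pro.lnk"
File:"<$FILE_LINK>","<$PROGRAMS>\AKM Antivirus 2010 Pro\AKM Antivirus 2010 Pro.lnk"
Directory:"<$DIR_PROG>","<$PROGRAMFILES>\AKM Antivirus 2010 Pro"
Directory:"<$DIR_PROG>","<$PROGRAMS>\AKM Antivirus 2010 Pro"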


// Malware.Fraud.APManager:
// Run value "apmanager.exe" pointing into the roaming profile, plus the file and its folder.
// NOTE(review): other rules in this file (e.g. Trojan.Agobot) use <$APPDATA>\<file> directly;
// if <$APPDATA> already expands to the Roaming folder, "\Roaming\" would appear twice in
// these paths — confirm the variable's expansion.
AutoRun:"apmanager.exe","<$APPDATA>\Roaming\APManager\apmanager.exe*","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","apmanager.exe"
File:"<$FILE_EXE>","<$APPDATA>\Roaming\APManager\apmanager.exe"
Directory:"<$DIR_APPDATA>","<$APPDATA>\Roaming\APManager"


// Malware.Fraud.CleanUpAntivirus:
// New path!
// Folder and file name are randomised (e.g. cd65301\CUcd65.exe), so the AutoRun target is
// matched with wildcards. <$SYSDRIVE>\*\CU*.exe* is broad — any Run value of that name whose
// target is a CU*.exe in a top-level folder of the system drive is flagged, so hits should be
// checked by hand. The commented File rule shows no fixed path could be given, so the dropped
// executable itself is not covered by a File rule here.
// AutoRun:"CleanUp Antivirus",""c:\cd65301\CUcd65.exe" /s /d","flagifnofile=1"
AutoRun:"CleanUp Antivirus","<$SYSDRIVE>\*\CU*.exe*","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","CleanUp Antivirus"
// File:"<$FILE_EXE>",""c:\cd65301\CUcd65.exe" /s /d"


// Malware.Fraud.DesktopSecurity2010:
// One fixed, random-looking Run value name seen with three targets: taskmgr.dll in the
// roaming profile, and lsass.exe / services.exe dropped into the user temp folder (names
// borrowed from Windows system processes, whose genuine copies live in <$SYSDIR>).
// The second AutoRun uses *.exe to cover both temp-folder variants at once.
AutoRun:"hsf87efjhdsf87f3jfsdi7fhsujfd","<$APPDATA>\Roaming\Desktop Security 2010\taskmgr.dll","flagifnofile=1"
// AutoRun:"hsf87efjhdsf87f3jfsdi7fhsujfd","<$LOCALSETTINGS>\temp\lsass.exe","flagifnofile=1"
// AutoRun:"hsf87efjhdsf87f3jfsdi7fhsujfd","<$LOCALSETTINGS>\temp\services.exe","flagifnofile=1"
AutoRun:"hsf87efjhdsf87f3jfsdi7fhsujfd","<$LOCALSETTINGS>\temp\*.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","hsf87efjhdsf87f3jfsdi7fhsujfd"
File:"<$FILE_LIBRARY>","<$APPDATA>\Roaming\Desktop Security 2010\taskmgr.dll"
File:"<$FILE_EXE>","<$LOCALSETTINGS>\temp\lsass.exe"
File:"<$FILE_EXE>","<$LOCALSETTINGS>\temp\services.exe"
Directory:"<$DIR_APPDATA>","<$APPDATA>\Roaming\Desktop Security 2010"


// Malware.Fraud.DigitalProtection:
// New path!
// Run value "Digital Protection" launching digprot.exe from a folder under the local temp
// directory; the trailing "*" on the AutoRun target covers any launch arguments.
AutoRun:"Digital Protection","<$LOCALAPPDATA>\Temp\Digital Protection\digprot.exe*","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","Digital Protection"
File:"<$FILE_EXE>","<$LOCALAPPDATA>\Temp\Digital Protection\digprot.exe"


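// Rootkit.Zbot:
// Zbot appends its loader to the Winlogon UserInit value. RegyRemove strips only the injected
// ",<path>" fragment so the legitimate userinit.exe entry survives; the commented lines show the
// full value as observed. NTFile (rather than File) is presumably used because the dropped
// executable may be hidden from the normal file API — confirm against the OpenSBI documentation.
// RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\","UserInit","UserInit=C:\Windows\system32\userinit.exe,C:\Windows\localsys64.exe,"
RegyRemove:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\","UserInit","<$WINDIR>\localsys64.exe,"
NTFile:"<$FILE_EXE>","<$WINDIR>\localsys64.exe"

// RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\","UserInit","UserInit=c:\windows\system32\userinit.exe,c:\windows\system32\twext.exe,"
RegyRemove:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\","UserInit","<$SYSDIR>\twext.exe,"
// trailing "," dropped from the file name — it was carried over from the UserInit value
// fragment above and is not part of the path, so the file rule could never match.
NTFile:"<$FILE_EXE>","<$SYSDIR>\twext.exe"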


// Spyware.AdRotator:
// Six BHO variants identified by display name (the DLL name is not fixed, hence filename=*.dll),
// each with its BHO registration and CLSID, followed by two rundll32-loaded DLLs in <$SYSDIR>.
// For those the Run value name is random (jnqyyxnwiekkl, fydgoqckktcgs) but the DLL name is
// fixed, so AutoRun matches any value name ("*") whose target is the DLL, with flagifnofile=0;
// the RegyValue line still removes the value name that was actually observed.
BrowserHelperEx:"hotrevenue browser enhancer","filename=*.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{24625deb-1b62-696a-9f74-0fbfa29cd09a}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{24625deb-1b62-696a-9f74-0fbfa29cd09a}"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{5C7541A3-5C52-0F93-9AB3-50841B5DF033}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{5C7541A3-5C52-0F93-9AB3-50841B5DF033}"

BrowserHelperEx:"profithand","filename=*.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{5c3c4258-cfa6-0217-c5ad-b51cd7535922}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{5c3c4258-cfa6-0217-c5ad-b51cd7535922}"

BrowserHelperEx:"adShotHlpr Object","filename=*.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{c6ee5790-1446-4c77-b9f8-3bd0208408d5}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{c6ee5790-1446-4c77-b9f8-3bd0208408d5}"

BrowserHelperEx:"profitmuse","filename=*.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{0819c043-be78-ac7d-0e3b-2abcd5bb30c1}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{0819c043-be78-ac7d-0e3b-2abcd5bb30c1}"

BrowserHelperEx:"profitizeme browser enhancer","filename=*.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{4464C0AC-4719-7E9D-FEC9-A88011D1C11E}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{4464C0AC-4719-7E9D-FEC9-A88011D1C11E}"

BrowserHelperEx:"ezLife browser enhancer *","filename=*.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{00E1DA10-54EF-4A74-B0ED-5CB0E6C45022}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{00E1DA10-54EF-4A74-B0ED-5CB0E6C45022}"

// Loaded via "regsvr32.exe /s <dll>"; the AutoRun target is the DLL itself, not the regsvr32 command line.
// AutoRun:"jnqyyxnwiekkl","C:\WINDOWS\System32\regsvr32.exe /s "C:\WINDOWS\system32\pdqxjggukpwtrgfk.dll"","flagifnofile=1"
AutoRun:"*","<$SYSDIR>\pdqxjggukpwtrgfk.dll","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","jnqyyxnwiekkl"
// File:"<$FILE_EXE>","C:\WINDOWS\System32\regsvr32.exe /s "C:\WINDOWS\system32\pdqxjggukpwtrgfk.dll""
File:"<$FILE_LIBRARY>","<$SYSDIR>\pdqxjggukpwtrgfk.dll"

// AutoRun:"fydgoqckktcgs","C:\WINDOWS\System32\regsvr32.exe /s "C:\WINDOWS\system32\vhmtgdbwtnl.dll"","flagifnofile=1"
AutoRun:"*","<$SYSDIR>\vhmtgdbwtnl.dll","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","fydgoqckktcgs"
// File:"<$FILE_EXE>","C:\WINDOWS\System32\regsvr32.exe /s "C:\WINDOWS\system32\vhmtgdbwtnl.dll""
File:"<$FILE_LIBRARY>","<$SYSDIR>\vhmtgdbwtnl.dll"


// Spyware.Spynet(1):
// Run values literally named "HKLM" and "HKCU", both launching Winlogon.exe from a Winlog
// subfolder of <$SYSDIR>. The genuine winlogon.exe sits in <$SYSDIR> itself, never in a
// subfolder, so the path alone distinguishes the two.
AutoRun:"HKLM","<$SYSDIR>\Winlog\Winlogon.exe","flagifnofile=1"
AutoRun:"HKCU","<$SYSDIR>\Winlog\Winlogon.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","HKLM"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","HKCU"
File:"<$FILE_EXE>","<$SYSDIR>\Winlog\Winlogon.exe"
Directory:"<$DIR_PROG>","<$SYSDIR>\Winlog","filename=Winlogon.exe"


// Spyware.Spynet(2):
// Variant that keeps the "HKCU" value name but launches ocxup.exe from a folder with a
// variable name under the roaming profile (wildcarded). The RegyValue line is identical to
// the HKCU one in Spynet(1). No File rule because the folder name is not fixed.
// NOTE(review): see the <$APPDATA>\Roaming remark on Malware.Fraud.APManager — same question here.
// AutoRun:"HKCU","C:\Users\ionloner\AppData\Roaming\ocx\ocxup.exe","flagifnofile=1"
AutoRun:"HKCU","<$APPDATA>\Roaming\*\ocxup.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","HKCU"
// File:"<$FILE_EXE>","C:\Users\ionloner\AppData\Roaming\ocx\ocxup.exe"


// Trojan.Agent.inc:
// You probably do not have the second of these two entries in the database yet :-)
// Two placements of incognito.exe: machine-wide (HKLM Run, <$SYSDIR>) and per-user (HKCU Run, user temp).
AutoRun:"incognito","<$SYSDIR>\incognito.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","incognito"
File:"<$FILE_EXE>","<$SYSDIR>\incognito.exe"

AutoRun:"incognito","<$LOCALSETTINGS>\Temp\incognito.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","incognito"
File:"<$FILE_EXE>","<$LOCALSETTINGS>\Temp\incognito.exe"


// Trojan.Agent(1):
// The autostart name is fixed!
// The value name is constant across samples while the executable name is random, so the
// AutoRun target is *.exe in the user temp folder; the fixed value name is presumably what
// keeps this broad target pattern from flagging unrelated Run entries. No File rule, as the
// file name cannot be predicted.
// AutoRun:"hsf87sdhfush87fsufhuie3fddf","c:\docume~1\john\locals~1\temp\qpav7ocw.exe","flagifnofile=1"
// AutoRun:"hsf87sdhfush87fsufhuie3fddf","C:\Users\Axe\APPDATA\LOCAL\TEMP\S4Q2W1XK.EXE","flagifnofile=1"
// AutoRun:"hsf87sdhfush87fsufhuie3fddf","c:\docume~1\jim\locals~1\temp\ufcpmjz2.exe","flagifnofile=1"
AutoRun:"hsf87sdhfush87fsufhuie3fddf","<$LOCALSETTINGS>\temp\*.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","hsf87sdhfush87fsufhuie3fddf"
// File:"<$FILE_EXE>","c:\docume~1\john\locals~1\temp\qpav7ocw.exe"
// File:"<$FILE_EXE>","C:\Users\Axe\APPDATA\LOCAL\TEMP\S4Q2W1XK.EXE"
// File:"<$FILE_EXE>","c:\docume~1\jim\locals~1\temp\ufcpmjz2.exe"


// Trojan.Agent(2):
// Please add this one at last!
// Run value "mcexecwin" loads a randomly named DLL from the user temp folder via rundll32
// (export RestoreWindows in the sample); the *.dll* target covers the DLL name and the
// trailing export argument. No File rule, as the DLL name cannot be predicted.
// AutoRun:"mcexecwin","rundll32.exe c:\docume~1\jim\locals~1\temp\phersn0zd.dll, RestoreWindows","flagifnofile=1"
AutoRun:"mcexecwin","<$LOCALSETTINGS>\temp\*.dll*","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","mcexecwin"
// File:"<$FILE_EXE>","rundll32.exe c:\docume~1\jim\locals~1\temp\phersn0zd.dll, RestoreWindows"


// Trojan.Agent(3):
// ctfmon.exe dropped into <$SYSDIR>\drivers (the genuine ctfmon.exe lives in <$SYSDIR> itself).
// NOTE(review): the AutoRun name "system?" matches systemz and any other one-character
// suffix, but the RegyValue line removes only "systemz" — other suffixes would be flagged
// yet not cleaned unless RegyValue accepts wildcards; confirm.
// AutoRun:"systemz","C:\WINDOWS\system32\drivers\ctfmon.exe","flagifnofile=1"
AutoRun:"system?","<$SYSDIR>\drivers\ctfmon.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","systemz"
// File:"<$FILE_EXE>","C:\WINDOWS\system32\drivers\ctfmon.exe"
File:"<$FILE_EXE>","<$SYSDIR>\drivers\ctfmon.exe"


// Trojan.Agent(4):
// Run value "WindowsSystemGuard" launching winsvcn.exe from a user profile folder.
// NOTE(review): the sample used the Public profile (C:\Users\Public); if <$PROFILE> expands
// only to the current user's profile, the Public location is not covered — confirm.
// AutoRun:"WindowsSystemGuard","C:\Users\Public\winsvcn.exe","flagifnofile=1"
AutoRun:"WindowsSystemGuard","<$PROFILE>\winsvcn.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","WindowsSystemGuard"
// File:"<$FILE_EXE>","C:\Users\Public\winsvcn.exe"
File:"<$FILE_EXE>","<$PROFILE>\winsvcn.exe"


// Trojan.Agent(5):
// Run value "Cognac" launching a randomly named executable from the local temp folder;
// the file name is not fixed, so there is no File rule.
AutoRun:"Cognac","<$LOCALAPPDATA>\temp\*.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","Cognac"
//File:"<$FILE_EXE>","c:\users\user\appdata\local\temp\b.exe"


// Trojan.Agent(6):
// Run value and file share the name asrkn_pfu.exe; the executable sits in the local temp folder.
AutoRun:"asrkn_pfu.exe","<$LOCALAPPDATA>\Temp\asrkn_pfu.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","asrkn_pfu.exe"
File:"<$FILE_EXE>","<$LOCALAPPDATA>\Temp\asrkn_pfu.exe"


// Trojan.Agobot:
// Run value "Windows File Protection" launching scvhost.exe (a letter-swap of svchost.exe)
// from the per-user application data folder.
AutoRun:"Windows File Protection","<$APPDATA>\scvhost.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","Windows File Protection"
File:"<$FILE_EXE>","<$APPDATA>\scvhost.exe"


// Trojan.Ambler:
// BHO registered under the generic name "Internet Explorer Plugin" (ofjznv49.dll in <$SYSDIR>),
// with its CLSID and the DLL.
BrowserHelperEx:"Internet Explorer Plugin","filename=ofjznv49.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{cb5634f1-c506-4731-849d-0db7c76426de}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{cb5634f1-c506-4731-849d-0db7c76426de}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\ofjznv49.dll"


// Trojan.FakeAlert.ttam(1):
// elogger.exe started with "-s" from a folder literally named "!!!" under <$WINDIR>;
// the trailing "*" on the AutoRun target covers the argument, and the folder itself is removed.
// AutoRun:"elogger","C:\WINDOWS\!!!\elogger.exe -s","flagifnofile=1"
AutoRun:"elogger","<$WINDIR>\!!!\elogger.exe*","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","elogger"
// File:"<$FILE_EXE>","C:\WINDOWS\!!!\elogger.exe -s"
File:"<$FILE_EXE>","<$WINDIR>\!!!\elogger.exe"
Directory:"<$DIR_PROG>","<$WINDIR>\!!!"


// Trojan.FakeAlert.ttam(2):
// Value name and file name are "vrrtaxli" plus one varying non-ASCII character; "?" stands in
// for that character in the AutoRun and File rules.
// NOTE(review): the three RegyValue lines cover only the suffixes seen so far (Ð, Æ, å); a new
// suffix is flagged by AutoRun but not removed here unless RegyValue accepts wildcards — confirm.
// Also confirm that the scanner compares these non-ASCII names in the same encoding as this file.
// AutoRun:"vrrtaxliÐ","C:\Windows\System32\vrrtaxliÐ.exe","flagifnofile=1"
// AutoRun:"vrrtaxliÆ","C:\Windows\System32\vrrtaxliÆ.exe","flagifnofile=1"
// AutoRun:"vrrtaxliå","C:\Windows\System32\vrrtaxliå.exe","flagifnofile=1"
AutoRun:"vrrtaxli?","<$SYSDIR>\vrrtaxli?.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","vrrtaxliÐ"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","vrrtaxliÆ"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","vrrtaxliå"
File:"<$FILE_EXE>","<$SYSDIR>\vrrtaxli?.exe"


// Trojan.FakeAlert.ttam(3):
// Fixed value name "Kerneldick", numeric random executable name in the user temp folder;
// matched with *.exe, so there is no File rule.
// AutoRun:"Kerneldick","C:\Users\Axe\AppData\Local\Temp\375193357467651.exe","flagifnofile=1"
AutoRun:"Kerneldick","<$LOCALSETTINGS>\Temp\*.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","Kerneldick"
// File:"<$FILE_EXE>","C:\Users\Axe\AppData\Local\Temp\375193357467651.exe"


// Trojan.FakeAlert.ttam(4):
// SysDir.exe started with "/Hide" from a sysapp folder in the all-users application data
// directory; the trailing "*" covers the argument, and the folder is removed as well.
// AutoRun:"SysDir",""c:\programdata\sysapp\SysDir.exe" /Hide","flagifnofile=1"
AutoRun:"SysDir","<$COMMONAPPDATA>\sysapp\SysDir.exe*","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","SysDir"
// File:"<$FILE_EXE>",""c:\programdata\sysapp\SysDir.exe" /Hide"
File:"<$FILE_EXE>","<$COMMONAPPDATA>\sysapp\SysDir.exe"
Directory:"<$DIR_COMMON_APPDATA>","<$COMMONAPPDATA>\sysapp"


// Trojan.Fraudpack(1):
// The autostart name is fixed!
// Value name "M5T8QL3YW3" is constant; the executable has a random three-letter name and
// has been seen in the user temp folder on both XP and Vista-style profiles, so three temp
// locations are matched with *.exe. No File rule, as the name cannot be predicted.
// AutoRun:"M5T8QL3YW3","c:\users\leo\appdata\local\temp\Hnq.exe","flagifnofile=1"
// AutoRun:"M5T8QL3YW3","C:\DOKUME~1\emersonj\LOKALE~1\Temp\Ulr.exe","flagifnofile=1"
// AutoRun:"M5T8QL3YW3","C:\Users\CHRIST~1\AppData\Local\Temp\Lrg.exe","flagifnofile=1"
// AutoRun:"M5T8QL3YW3","C:\DOCUME~1\SEANPC~1\LOCALS~1\Temp\Nlb.exe","flagifnofile=1"
// AutoRun:"M5T8QL3YW3","c:\users\dianef~1\appdata\local\temp\Nl1.exe","flagifnofile=1"
AutoRun:"M5T8QL3YW3","<$LOCALSETTINGS>\Temp\*.exe","flagifnofile=1"
AutoRun:"M5T8QL3YW3","<$LOCALAPPDATA>\temp\*.exe","flagifnofile=1"
AutoRun:"M5T8QL3YW3","<$WINDIR>\temp\*.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","M5T8QL3YW3"
// File:"<$FILE_EXE>","c:\users\leo\appdata\local\temp\Hnq.exe"
// File:"<$FILE_EXE>","C:\DOKUME~1\emersonj\LOKALE~1\Temp\Ulr.exe"
// File:"<$FILE_EXE>","C:\Users\CHRIST~1\AppData\Local\Temp\Lrg.exe"
// File:"<$FILE_EXE>","C:\DOCUME~1\SEANPC~1\LOCALS~1\Temp\Nlb.exe"
// File:"<$FILE_EXE>","c:\users\dianef~1\appdata\local\temp\Nl1.exe"


// Trojan.Fraudpack(2):
// Two entries: a fixed value name "YVIBBBHA8C" with a random executable in the user temp
// folder (wildcarded, no File rule), and "Canaveral", which loads sshnas21.dll from the local
// temp folder through rundll32 (export BackupRead); the trailing "*" covers the rundll32 arguments.
AutoRun:"YVIBBBHA8C","<$LOCALSETTINGS>\Temp\*.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","YVIBBBHA8C"
// File:"<$FILE_EXE>","C:\DOKUME~1\Florian\LOKALE~1\Temp\Yc3.exe"
// AutoRun:"Canaveral","rundll32.exe C:\Users\wolfgang\AppData\Local\Temp\sshnas21.dll,BackupRead W","flagifnofile=1"
AutoRun:"Canaveral","<$LOCALAPPDATA>\Temp\sshnas21.dll*","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","Canaveral"
// File:"<$FILE_EXE>","rundll32.exe C:\Users\wolfgang\AppData\Local\Temp\sshnas21.dll,BackupRead W"
File:"<$FILE_LIBRARY>","<$LOCALAPPDATA>\Temp\sshnas21.dll"


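// Trojan.Rbot:
// The following entries were found in a HijackThis logfile; OpenSBI picked up none of them:
// O4 - HKCU\..\RunServices: [MS Security] systm.pif
// O4 - HKUS\.DEFAULT\..\Run: [Windows System Security] sys32.pif (User 'Default user')
// O4 - HKUS\.DEFAULT\..\RunServices: [Windows System Security] sys32.pif (User 'Default user')
// O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
// O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
// NOTE(review): the log places these values under RunServices and HKUS\.DEFAULT\Run; whether
// the AutoRun rules below reach those locations depends on what AutoRun scans, and no RegyValue
// lines for them are given. The log names only the .pif files, not their directory, so the
// <$SYSDIR>/<$WINDIR> placement cannot be verified from the log. The O6 policy entries
// (IE Restrictions / Control Panel) are not covered by any rule here.
AutoRun:"MS Security","<$SYSDIR>\systm.pif","flagifnofile=1"
// trailing space after "sys32.pif" removed — it would have been part of the match pattern.
AutoRun:"Windows System Security","<$WINDIR>\sys32.pif","flagifnofile=1"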


// Trojan.SillyFDC:
// Two Run values with fixed file names in the user temp folder: "cdoosoft" (herss.exe) and
// "nod32" (nodqq.exe — the value name imitates the NOD32 antivirus product).
AutoRun:"cdoosoft","<$LOCALSETTINGS>\Temp\herss.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","cdoosoft"
File:"<$FILE_EXE>","<$LOCALSETTINGS>\Temp\herss.exe"

AutoRun:"nod32","<$LOCALSETTINGS>\Temp\nodqq.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","nod32"
File:"<$FILE_EXE>","<$LOCALSETTINGS>\Temp\nodqq.exe"


// Trojan.Virtumonde(1):
// Virtumonde/Vundo variants. First a run of BHOs with random DLL names (matched on the file
// name; the display name is "*"), each with its BHO registration, CLSID and DLL. Then a run of
// DLLs loaded through rundll32 with a random Run value name: AutoRun matches any value name
// ("*") whose target is the DLL, with flagifnofile=0, while RegyValue removes the value name
// observed in the sample. The trailing "*" on those targets covers the rundll32 export argument.
BrowserHelperEx:"*","filename=wobehubo.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{c47c9a94-16fc-4eb7-9b22-2101eaff2bf7}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{c47c9a94-16fc-4eb7-9b22-2101eaff2bf7}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\wobehubo.dll"

BrowserHelperEx:"*","filename=yayawxu.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\yayawxu.dll"

BrowserHelperEx:"*","filename=sstqn.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{F1F50EFF-CBF2-4884-B086-423E8C0CB840}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{F1F50EFF-CBF2-4884-B086-423E8C0CB840}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\sstqn.dll"

// No File rule for hs78344kjkfd.dll: the DLL's location was not recorded.
BrowserHelperEx:"*","filename=hs78344kjkfd.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{c5bf49a2-94f3-42bd-f434-3604812c8955}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{c5bf49a2-94f3-42bd-f434-3604812c8955}"

BrowserHelperEx:"*","filename=wazuhope.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{d7fd9a02-829f-4d20-853e-9383f0b342a0}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{d7fd9a02-829f-4d20-853e-9383f0b342a0}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\wazuhope.dll"

BrowserHelperEx:"*","filename=fasijilu.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{ebf644b2-ab29-4c0c-bb7f-05e6c23572a4}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{ebf644b2-ab29-4c0c-bb7f-05e6c23572a4}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\fasijilu.dll"

BrowserHelperEx:"*","filename=dhw1d.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{A2BA40A0-74F1-52BD-F411-00B15A2C8953}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{A2BA40A0-74F1-52BD-F411-00B15A2C8953}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\dhw1d.dll"

// comdlg3232.dll lives in the all-users application data folder, not in <$SYSDIR> like the others.
BrowserHelperEx:"*","filename=comdlg3232.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{0093B165-9F14-4D46-BC4C-27C90C05ACC8}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{0093B165-9F14-4D46-BC4C-27C90C05ACC8}"
File:"<$FILE_LIBRARY>","<$COMMONAPPDATA>\comdlg3232.dll"

// NOTE(review): pyrb16i.dll reuses the CLSID given for dhw1d.dll above. That may be genuine
// (two drops of the same component), but confirm it is not a copy-paste slip before shipping.
BrowserHelperEx:"*","filename=pyrb16i.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{A2BA40A0-74F1-52BD-F411-00B15A2C8953}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{A2BA40A0-74F1-52BD-F411-00B15A2C8953}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\pyrb16i.dll"

BrowserHelperEx:"*","filename=zepulabe.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{ecaef32b-e465-434c-905f-bc84d14c5694}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{ecaef32b-e465-434c-905f-bc84d14c5694}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\zepulabe.dll"

BrowserHelperEx:"*","filename=rutobuki.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{979a31c5-594b-431f-8a4c-6d4b5a27daf4}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{979a31c5-594b-431f-8a4c-6d4b5a27daf4}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\rutobuki.dll"

BrowserHelperEx:"*","filename=ckicbzm.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{15d7efeb-3369-4a4e-af40-5855707d6914}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{15d7efeb-3369-4a4e-af40-5855707d6914}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\ckicbzm.dll"

// rundll32-loaded DLLs start here. Where the sample gave only a bare DLL name (e.g. "vtuurr.dll"),
// the rule assumes <$SYSDIR>, which is where rundll32 would resolve an unqualified name last — confirm per sample.
// AutoRun:"tidadepije","Rundll32.exe "c:\programdata\jakonehu\jakonehu.dll",s","flagifnofile=1"
AutoRun:"*","<$COMMONAPPDATA>\jakonehu\jakonehu.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","tidadepije"
// File:"<$FILE_EXE>","Rundll32.exe "c:\programdata\jakonehu\jakonehu.dll",s"
File:"<$FILE_LIBRARY>","<$COMMONAPPDATA>\jakonehu\jakonehu.dll"
Directory:"<$DIR_COMMON_APPDATA>","<$COMMONAPPDATA>\jakonehu"

// AutoRun:"sstsqpsys","rundll32.exe "vtuurr.dll",DllRegisterServer","flagifnofile=1"
AutoRun:"*","<$SYSDIR>\vtuurr.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","sstsqpsys"
// File:"<$FILE_EXE>","rundll32.exe "vtuurr.dll",DllRegisterServer"
File:"<$FILE_LIBRARY>","<$SYSDIR>\vtuurr.dll"

// AutoRun:"Ftozopan","rundll32.exe "C:\WINDOWS\ugamumus.dll",Startup","flagifnofile=1"
AutoRun:"*","<$WINDIR>\ugamumus.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","Ftozopan"
// File:"<$FILE_EXE>","rundll32.exe "C:\WINDOWS\ugamumus.dll",Startup"
File:"<$FILE_LIBRARY>","<$WINDIR>\ugamumus.dll"

// AutoRun:"fodufafewa","Rundll32.exe "tobirugo.dll",s","flagifnofile=1"
AutoRun:"*","<$SYSDIR>\tobirugo.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","fodufafewa"
// File:"<$FILE_EXE>","Rundll32.exe "tobirugo.dll",s"
File:"<$FILE_LIBRARY>","<$SYSDIR>\tobirugo.dll"

// AutoRun:"yanosoyuga","Rundll32.exe "kadageko.dll",s","flagifnofile=1"
AutoRun:"*","<$SYSDIR>\kadageko.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","yanosoyuga"
// File:"<$FILE_EXE>","Rundll32.exe "kadageko.dll",s"
File:"<$FILE_LIBRARY>","<$SYSDIR>\kadageko.dll"

// AutoRun:"dipoyajur","Rundll32.exe "c:\windows\system32\marokeru.dll",a","flagifnofile=1"
AutoRun:"*","<$SYSDIR>\marokeru.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","dipoyajur"
// File:"<$FILE_EXE>","Rundll32.exe "c:\windows\system32\marokeru.dll",a"
File:"<$FILE_LIBRARY>","<$SYSDIR>\marokeru.dll"

// AutoRun:"Lwenatum","rundll32.exe "C:\WINDOWS\obadiwihe.dll",Startup","flagifnofile=1"
AutoRun:"*","<$WINDIR>\obadiwihe.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","Lwenatum"
// File:"<$FILE_EXE>","rundll32.exe "C:\WINDOWS\obadiwihe.dll",Startup"
File:"<$FILE_LIBRARY>","<$WINDIR>\obadiwihe.dll"

// "net.net" is launched directly by the Run value (no rundll32), hence the fixed AutoRun name and
// flagifnofile=1. NOTE(review): it is typed FILE_DATA here although it is an executable; confirm
// the intended file template.
// AutoRun:"net",""C:\WINDOWS\system32\net.net"","flagifnofile=1"
AutoRun:"net","<$SYSDIR>\net.net","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","net"
// File:"<$FILE_EXE>",""C:\WINDOWS\system32\net.net""
File:"<$FILE_DATA>","<$SYSDIR>\net.net"

// AutoRun:"nupuyotuwe","Rundll32.exe "mefukibo.dll",s","flagifnofile=1"
AutoRun:"*","<$SYSDIR>\mefukibo.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","nupuyotuwe"
// File:"<$FILE_EXE>","Rundll32.exe "mefukibo.dll",s"
File:"<$FILE_LIBRARY>","<$SYSDIR>\mefukibo.dll"

// AutoRun:"zedorabise","Rundll32.exe "C:\WINDOWS\system32\hemeketu.dll",s","flagifnofile=1"
AutoRun:"*","<$SYSDIR>\hemeketu.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","zedorabise"
// File:"<$FILE_EXE>","Rundll32.exe "C:\WINDOWS\system32\hemeketu.dll",s"
File:"<$FILE_LIBRARY>","<$SYSDIR>\hemeketu.dll"

// AutoRun:"tefufukuko","Rundll32.exe "lijohoyo.dll",s","flagifnofile=1"
AutoRun:"*","<$SYSDIR>\lijohoyo.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","tefufukuko"
// File:"<$FILE_EXE>","Rundll32.exe "lijohoyo.dll",s"
File:"<$FILE_LIBRARY>","<$SYSDIR>\lijohoyo.dll"

// AutoRun:"fohuwosoya","Rundll32.exe "tatunulo.dll",s","flagifnofile=1"
AutoRun:"*","<$SYSDIR>\tatunulo.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","fohuwosoya"
// File:"<$FILE_EXE>","Rundll32.exe "tatunulo.dll",s"
File:"<$FILE_LIBRARY>","<$SYSDIR>\tatunulo.dll"

// AutoRun:"memisunuju","Rundll32.exe "dupekayi.dll",s","flagifnofile=1"
AutoRun:"*","<$SYSDIR>\dupekayi.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","memisunuju"
// File:"<$FILE_EXE>","Rundll32.exe "dupekayi.dll",s"
File:"<$FILE_LIBRARY>","<$SYSDIR>\dupekayi.dll"

// AutoRun:"ddaxvssys","rundll32.exe "ssrspq.dll",DllRegisterServer","flagifnofile=1"
AutoRun:"*","<$SYSDIR>\ssrspq.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","ddaxvssys"
// File:"<$FILE_EXE>","rundll32.exe "ssrspq.dll",DllRegisterServer"
File:"<$FILE_LIBRARY>","<$SYSDIR>\ssrspq.dll"

// AutoRun:"qonmnndrv","rundll32.exe "efdawx.dll",s","flagifnofile=1"
AutoRun:"*","<$SYSDIR>\efdawx.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","qonmnndrv"
// File:"<$FILE_EXE>","rundll32.exe "efdawx.dll",s"
File:"<$FILE_LIBRARY>","<$SYSDIR>\efdawx.dll"

// AutoRun:"fcccyvdrv","rundll32.exe "awtssr.dll",s","flagifnofile=1"
AutoRun:"*","<$SYSDIR>\awtssr.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","fcccyvdrv"
// File:"<$FILE_EXE>","rundll32.exe "awtssr.dll",s"
File:"<$FILE_LIBRARY>","<$SYSDIR>\awtssr.dll"

// AutoRun:"mlkiifsys","rundll32.exe "opqnlj.dll",DllRegisterServer","flagifnofile=1"
AutoRun:"*","<$SYSDIR>\opqnlj.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","mlkiifsys"
// File:"<$FILE_EXE>","rundll32.exe "opqnlj.dll",DllRegisterServer"
File:"<$FILE_LIBRARY>","<$SYSDIR>\opqnlj.dll"

// Per-user (HKCU) variants follow; the DLL is dropped into the user's profile instead of <$SYSDIR>.
// NOTE(review): <$APPDATA>\roaming — see the <$APPDATA>\Roaming remark on Malware.Fraud.APManager.
// AutoRun:"Bykrzoq","rundll32 "c:\users\alex\appdata\roaming\srwmib.dll",Bgaiyoem","flagifnofile=1"
AutoRun:"*","<$APPDATA>\roaming\srwmib.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","Bykrzoq"
// File:"<$FILE_EXE>","rundll32 "c:\users\alex\appdata\roaming\srwmib.dll",Bgaiyoem"
File:"<$FILE_LIBRARY>","<$APPDATA>\roaming\srwmib.dll"

AutoRun:"*","<$LOCALAPPDATA>\sheriat.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","Whacop"
File:"<$FILE_LIBRARY>","<$LOCALAPPDATA>\sheriat.dll"

AutoRun:"*","<$LOCALAPPDATA>\idocavalegacu.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","Jmehavinasowovon"
File:"<$FILE_LIBRARY>","<$LOCALAPPDATA>\idocavalegacu.dll"

AutoRun:"*","<$WINDIR>\wapict32.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","Gxidap"
File:"<$FILE_LIBRARY>","<$WINDIR>\wapict32.dll"

AutoRun:"*","<$WINDIR>\kbdoen.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","Xfeced"
File:"<$FILE_LIBRARY>","<$WINDIR>\kbdoen.dll"

AutoRun:"*","<$WINDIR>\dsxletl.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","Jfatali"
File:"<$FILE_LIBRARY>","<$WINDIR>\dsxletl.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","gukinema.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\gukinema.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\vihobuwu.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\vihobuwu.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","kolubagu.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\kolubagu.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\vipukeyu.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\vipukeyu.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","gedogeye.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\gedogeye.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","yadebene.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\yadebene.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\marokeru.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\marokeru.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","guhogeku.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\guhogeku.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\dskquota32.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\dskquota32.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","hupekepo.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\hupekepo.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","vuvomete.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\vuvomete.dll"

RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\","permchk32","DllName=permchk32.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\permchk32.dll"

RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\","yayawxu","DllName=yayawxu.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\yayawxu.dll"

RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\","wvUnMdDu","DllName=wvUnMdDu.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\wvUnMdDu.dll"

RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\","nnnllLFW","DllName=nnnllLFW.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\nnnllLFW.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","rusayeluk","rusayeluk={ede8ccba-3e51-42fd-9e86-22ddbca5e3ec}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\vipukeyu.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","yonurefum","yonurefum={ec33251b-ddcd-4fdf-b434-28b02337ccac}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\marokeru.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","kupuhivus","kupuhivus={ede8ccba-3e51-42fd-9e86-22ddbca5e3ec}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\vipukeyu.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","jugezatag","jugezatag={ec33251b-ddcd-4fdf-b434-28b02337ccac}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\marokeru.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","<$SYSDIR>\hs78344kjkfd.dll","<$SYSDIR>\hs78344kjkfd.dll={c5bf49a2-94f3-42bd-f434-3604812c8955}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\hs78344kjkfd.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","kjsfi8sjefiuoshiefyhiusdhfdf","kjsfi8sjefiuoshiefyhiusdhfdf={A2BA40A0-74F1-52BD-F411-00B15A2C8953}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\dhw1d.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","kjsfi8sjefiuoshiefyhiusdhfdf","kjsfi8sjefiuoshiefyhiusdhfdf={A2BA40A0-74F1-52BD-F411-00B15A2C8953}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\pyrb16i.dll"


// Trojan.Virtumonde(2):
// Aus einem DDS Logfile
File:"<$FILE_LIBRARY>","<$COMMONAPPDATA>\teruvobi\teruvobi.dll"
File:"<$FILE_LIBRARY>","<$COMMONAPPDATA>\fimukoto\fimukoto.dll"
File:"<$FILE_LIBRARY>","<$COMMONAPPDATA>\mukesiwu\mukesiwu.dll"
File:"<$FILE_LIBRARY>","<$COMMONAPPDATA>\gifumuya\gifumuya.dll"
File:"<$FILE_LIBRARY>","<$COMMONAPPDATA>\risozope\risozope.dll"
File:"<$FILE_LIBRARY>","<$COMMONAPPDATA>\lowagaje\lowagaje.dll"
File:"<$FILE_LIBRARY>","<$COMMONAPPDATA>\jakonehu\jakonehu.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\zepulabe.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\romopifo.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\jadegada.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\opqnlj.dll"