
Thread: New Malware v108


  1. #1

    New Malware v108

    I've collected detection rules for the following malware:
    • Adware.E2Give
    • Malware.Fraud.DataProtection
    • Malware.Fraud.DesktopSecurity2010
    • Malware.Fraud.FastAntivirus
    • Malware.Fraud.Unknown
    • Rootkit.Unknown
    • Spyware.AdRotator
    • Spyware.Spynet(2)
    • Trojan.Agent(4)
    • Trojan.Banker
    • Trojan.FakeAlert.ttam(4)
    • Trojan.Fraudpack(2)
    • Trojan.Rbot
    • Trojan.Virtumonde(4)
    Category: Trojan
    SBI file status: marked as dangerous by user daemon
    Code:
    :: New Malware v108
    // Revision 1
    // {Cat:Test}{Cnt:1}
    // {Det:Matt,2010-05-08}
    //
    // NOTE(review): comments marked "NOTE(review)" are reviewer notes; the
    // rules themselves are unchanged. Lines beginning with "//" are comments.
    // Throughout this set, a commented-out AutoRun:/File: line is the raw log
    // entry (machine-specific drive letters, user names, 8.3 short names) that
    // the generic rule directly beneath it replaces.
    // Presumably {Cat:...} is the rule category and {Det:...} the detection
    // author and date -- confirm against the SBI format reference.
    // NOTE(review): a reply in this thread reports that this rule set causes a
    // false positive on the ATI Catalyst Control Center; the page does not say
    // which rule triggers it. The broad wildcard entries (a BrowserHelperEx
    // matched only by name with "filename=*.dll", and AutoRun patterns such
    // as "<$WINDIR>\*.exe" and "...\Temp\*.exe") are the ones to verify first
    // against a clean system with that software installed.
    // NOTE(review): "flagifnofile=1" appears to flag the autorun entry even
    // when the referenced file is absent; most entries whose autorun name is
    // the wildcard "*" use "flagifnofile=0" instead -- presumably so that the
    // name wildcard alone cannot raise a hit. Confirm against the reference.
    
    
    // Adware.E2Give:
    // See also: http://www.systemlookup.com/CLSID/42945-IeBHO_dll_IeBHOs_dll.html
    BrowserHelperEx:"CControl Object","filename=IeBHOs.dll"
    BrowserHelperEx:"CControl Object","filename=IeBHO.dll"
    RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{3643abc2-21bf-46b9-b230-f247db0c6fd6}"
    RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{3643abc2-21bf-46b9-b230-f247db0c6fd6}"
    RegyKey:"<$REG_SETTINGS>",HKEY_CURRENT_USER,"\SOFTWARE\","PTech"
    RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\","E2G"
    RegyKey:"<$REG_CLASSID>",HKEY_CLASSES_ROOT,"\AppID\","{3B99F202-145A-4E5A-AC7B-88A36910BF5E}"
    RegyKey:"<$REG_SETTINGS>",HKEY_CLASSES_ROOT,"\AppID\","IeBHOs.DLL"
    RegyKey:"<$REG_SETTINGS>",HKEY_CLASSES_ROOT,"\","IeBHOs.Control.1"
    RegyKey:"<$REG_SETTINGS>",HKEY_CLASSES_ROOT,"\","IeBHOs.Control"
    RegyKey:"<$REG_CLASSID>",HKEY_CLASSES_ROOT,"\TypeLib\","{3B99F202-145A-4E5A-AC7B-88A36910BF5E}"
    RegyKey:"<$REG_CLASSID>",HKEY_CLASSES_ROOT,"\CLSID\","{3643ABC2-21BF-46B9-B230-F247DB0C6FD6}"
    RegyKey:"<$REG_CLASSID>",HKEY_CLASSES_ROOT,"\CLSID\","{4A5B0528-1EE4-4871-8546-AB34DF31E861}"
    RegyKey:"<$REG_CLASSID>",HKEY_CLASSES_ROOT,"\CLSID\","{4A5B0D43-13BE-4B7C-820E-660CED71CDBF}"
    RegyKey:"<$REG_CLASSID>",HKEY_CLASSES_ROOT,"\CLSID\","{4A5B482D-E087-43C9-8FD6-0F36510CF2B9}"
    RegyKey:"<$REG_CLASSID>",HKEY_CLASSES_ROOT,"\CLSID\","{4A5ADB4F-48EE-4840-8DAB-166A239F7E86}"
    RegyKey:"<$REG_UNINSTALL>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\","e2g Plugin"
    File:"<$FILE_LIBRARY>","<$PROGRAMFILES>\e2g\IeBHOs.dll"
    File:"<$FILE_LIBRARY>","<$PROGRAMFILES>\e2g\IeBHO.dll"
    Directory:"<$DIR_PROG>","<$PROGRAMFILES>\e2g"
    
    
    // Malware.Fraud.DataProtection:
    // This rogue disables the Task Manager !!
    // HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableTaskMgr" = "1"
    // HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system "DisableTaskMgr" = "1"
    // NOTE(review): the two DisableTaskMgr policy values above are recorded
    // only as comments; no rule in this section resets them, so a system
    // cleaned with this set may still have the Task Manager disabled. Handle
    // that restoration separately.
    // It also creates registry entries for other, known rogues as well as for itself !!
    RegyKey:"<$REG_SETTINGS>",HKEY_CURRENT_USER,"\SOFTWARE\","Malware Defense"
    RegyKey:"<$REG_SETTINGS>",HKEY_CURRENT_USER,"\SOFTWARE\","Paladin Antivirus"
    RegyKey:"<$REG_CLASSID>",HKEY_CLASSES_ROOT,"\CLSID\","{5E2121EE-0300-11D4-8D3B-444553540000}"
    RegyKey:"<$REG_CLASSID>",HKEY_CLASSES_ROOT,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\","{5E2121EE-0300-11D4-8D3B-444553540000}"
    RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\","Data Protection"
    RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\","Malware Defense"
    RegyKey:"<$REG_UNINSTALL>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\","Data Protection"
    RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\","Paladin Antivirus"
    RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\","Program Groups"
    // NOTE(review): "\SOFTWARE\","Program Groups" under HKLM is a generic key
    // name rather than something specific to this rogue; verify on a clean
    // system that it is not present there before keeping this rule.
    // The rogue also creates the following files and folders:
    File:"<$FILE_LIBRARY>","<$COMMONAPPDATA>\fiosejgfse.dll"
    File:"<$FILE_DATA>","<$LOCALSETTINGS>\Temp\4otjesjty.mof"
    File:"<$FILE_EXE>","<$LOCALSETTINGS>\Temp\MSWINSCK.exe"
    File:"<$FILE_EXE>","<$LOCALSETTINGS>\Temp\wscsvc32.exe"
    File:"<$FILE_LINK>","<$QUICKLAUNCH>\Data Protection.lnk"
    File:"<$FILE_DESKTOPLINK>","<$DESKTOP>\Data Protection Support.lnk"
    File:"<$FILE_DESKTOPLINK>","<$DESKTOP>\Data Protection.lnk"
    // %UserProfile%\Desktop\spam001.exe
    // %UserProfile%\Desktop\spam002.exe
    // %UserProfile%\Desktop\spam003.exe
    File:"<$FILE_EXE>","<$DESKTOP>\spam???.exe"
    // %UserProfile%\Desktop\troj000.exe
    File:"<$FILE_EXE>","<$DESKTOP>\troj???.exe"
    Directory:"<$DIR_PROG>","<$PROGRAMS>\Data Protection"
    File:"<$FILE_LINK>","<$PROGRAMS>\Data Protection\About.lnk"
    File:"<$FILE_LINK>","<$PROGRAMS>\Data Protection\Activate.lnk"
    File:"<$FILE_LINK>","<$PROGRAMS>\Data Protection\Buy.lnk"
    File:"<$FILE_LINK>","<$PROGRAMS>\Data Protection\Data Protection Support.lnk"
    File:"<$FILE_LINK>","<$PROGRAMS>\Data Protection\Data Protection.lnk"
    File:"<$FILE_LINK>","<$PROGRAMS>\Data Protection\Scan.lnk"
    File:"<$FILE_LINK>","<$PROGRAMS>\Data Protection\Settings.lnk"
    File:"<$FILE_LINK>","<$PROGRAMS>\Data Protection\Update.lnk"
    Directory:"<$DIR_PROG>","<$PROGRAMFILES>\Data Protection"
    AutoRun:"Data Protection","<$PROGRAMFILES>\Data Protection\datprot.exe*","flagifnofile=1"
    RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","Data Protection"
    File:"<$FILE_EXE>","<$PROGRAMFILES>\Data Protection\datprot.exe"
    File:"<$FILE_PICTURE>","<$PROGRAMFILES>\Data Protection\about.ico"
    File:"<$FILE_PICTURE>","<$PROGRAMFILES>\Data Protection\activate.ico"
    File:"<$FILE_PICTURE>","<$PROGRAMFILES>\Data Protection\buy.ico"
    File:"<$FILE_DATA>","<$PROGRAMFILES>\Data Protection\dat.db"
    File:"<$FILE_LIBRARY>","<$PROGRAMFILES>\Data Protection\datext.dll"
    File:"<$FILE_LIBRARY>","<$PROGRAMFILES>\Data Protection\dathook.dll"
    File:"<$FILE_PICTURE>","<$PROGRAMFILES>\Data Protection\help.ico"
    File:"<$FILE_PICTURE>","<$PROGRAMFILES>\Data Protection\scan.ico"
    File:"<$FILE_PICTURE>","<$PROGRAMFILES>\Data Protection\settings.ico"
    File:"<$FILE_SOUND>","<$PROGRAMFILES>\Data Protection\splash.mp3"
    File:"<$FILE_EXE>","<$PROGRAMFILES>\Data Protection\Uninstall.exe"
    File:"<$FILE_PICTURE>","<$PROGRAMFILES>\Data Protection\update.ico"
    File:"<$FILE_SOUND>","<$PROGRAMFILES>\Data Protection\virus.mp3"
    
    
    // Malware.Fraud.DesktopSecurity2010:
    // AutoRun:"h6vtn5uswnoa","c:\documents and settings\alison\local settings\temp\m.2A.tmp.exe","flagifnofile=1"
    // NOTE(review): the rule below combines a wildcard autorun name "*" with
    // a wildcard path and flagifnofile=1, unlike the other "*"-named entries
    // in this set, which use flagifnofile=0. Any Run entry pointing at a
    // "?.??.tmp.exe" in the temp folder will match; confirm this is intended
    // and test it for false positives.
    AutoRun:"*","<$LOCALSETTINGS>\temp\?.??.tmp.exe","flagifnofile=1"
    RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","h6vtn5uswnoa"
    // File:"<$FILE_EXE>","c:\documents and settings\alison\local settings\temp\m.2A.tmp.exe"
    
    // AutoRun:"Desktop Security 2010",""c:\documents and settings\alison\application data\desktop security 2010\Desktop Security 2010.exe" /STARTUP","flagifnofile=1"
    AutoRun:"Desktop Security 2010","<$APPDATA>\desktop security 2010\Desktop Security 2010.exe*","flagifnofile=1"
    RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","Desktop Security 2010"
    // File:"<$FILE_EXE>",""c:\documents and settings\alison\application data\desktop security 2010\Desktop Security 2010.exe" /STARTUP"
    File:"<$FILE_EXE>","<$APPDATA>\desktop security 2010\Desktop Security 2010.exe"
    
    // AutoRun:"SecurityCenter","c:\documents and settings\alison\application data\desktop security 2010\securitycenter.exe","flagifnofile=1"
    AutoRun:"SecurityCenter","<$APPDATA>\desktop security 2010\securitycenter.exe","flagifnofile=1"
    RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","SecurityCenter"
    // File:"<$FILE_EXE>","c:\documents and settings\alison\application data\desktop security 2010\securitycenter.exe"
    File:"<$FILE_EXE>","<$APPDATA>\desktop security 2010\securitycenter.exe"
    
    
    // Malware.Fraud.FastAntivirus:
    // Disables the Task Manager !!
    // HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableTaskMgr" = "1"
    // NOTE(review): as in the Data Protection section, the DisableTaskMgr
    // policy is documented but not reset by any rule here.
    RegyKey:"<$REG_SETTINGS>",HKEY_CURRENT_USER,"\SOFTWARE\","A-fast"
    // NOTE(review): the firewall AuthorizedApplications entry below is keyed
    // on the rogue's own executable path, i.e. it removes the firewall
    // exception the rogue added for itself.
    RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\","<$PROGRAMFILES>\A-fast\A-fast.exe"
    AutoRun:"fast","<$PROGRAMFILES>\A-fast\A-fast.exe","flagifnofile=1"
    RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","fast"
    File:"<$FILE_EXE>","<$PROGRAMFILES>\A-fast\A-fast.exe"
    Directory:"<$DIR_PROG>","<$PROGRAMFILES>\A-fast"
    
    
    // Malware.Fraud.Unknown:
    // I no longer remember what you call this rogue; try to get hold of samples and update your rules!
    // NOTE(review): these rules use literal 8.3 short names and the English
    // "Documents and Settings" path on drive C:, so they only match English
    // XP-style installs on that drive. Elsewhere in this set the same
    // location is written with the <$COMMONAPPDATA> variable (see the
    // Data Protection section); e.g.
    // File:"<$FILE_EXE>","<$COMMONAPPDATA>\91679941\91679941.exe"
    // would cover localized and non-C: systems as well -- confirm the
    // variable expands to the All Users application-data folder.
    AutoRun:"91679941","C:\DOCUME~1\ALLUSE~1\APPLIC~1\91679941\91679941.exe","flagifnofile=1"
    RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","91679941"
    File:"<$FILE_EXE>","C:\DOCUME~1\ALLUSE~1\APPLIC~1\91679941\91679941.exe"
    AutoRun:"19111215","C:\Documents and Settings\All Users\Application Data\19111215\19111215.exe","flagifnofile=1"
    RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","19111215"
    File:"<$FILE_EXE>","C:\Documents and Settings\All Users\Application Data\19111215\19111215.exe"
    
    
    // Rootkit.Unknown:
    // NOTE(review): this section is informational only -- every line is a
    // comment, so no detection rule is emitted for the hidden service named
    // in the GMER log below.
    // From a GMER log file:
    // ---- Services - GMER 1.0.15 ----
    // Service (*** hidden *** ) PRAGMAvstiwuycye <-- ROOTKIT !!!
    // ---- Registry - GMER 1.0.15 ----
    // Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0010c67ed041
    // Reg HKLM\SYSTEM\CurrentControlSet\Services\PRAGMAvstiwuycye
    // Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\0010c67ed041 (not active ControlSet)
    // Reg HKLM\SYSTEM\ControlSet003\Services\PRAGMAvstiwuycye (not active ControlSet)
    // ---- EOF - GMER 1.0.15 ----
    
    
    // Spyware.AdRotator:
    // NOTE(review): the two BrowserHelperEx rules in this section match on
    // the BHO name only ("filename=*.dll"); presumably any DLL registered
    // under that name is flagged. The CLSID rules beneath each one carry the
    // specific part of the detection.
    BrowserHelperEx:"profitmuse","filename=*.dll"
    RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{a3dbafa7-67c5-e082-6dbb-eb87405b645d}"
    RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{a3dbafa7-67c5-e082-6dbb-eb87405b645d}"
    
    BrowserHelperEx:"flvdome","filename=*.dll"
    RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{f1995d3d-bcaa-f0be-d0ba-1417877f5eff}"
    RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{f1995d3d-bcaa-f0be-d0ba-1417877f5eff}"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\fy3n-6B0.dll"
    
    
    // Spyware.Spynet(1):
    // NOTE(review): the executable is registered under three autorun names
    // ("Policies", "HKLM", "HKCU"); only the latter two have a matching
    // RegyValue rule below, so the "Policies" entry is detected but not
    // explicitly removed from the registry -- confirm whether AutoRun:
    // removal already covers it.
    AutoRun:"Policies","<$SYSDIR>\syslog\trendmicro.exe","flagifnofile=1"
    AutoRun:"HKLM","<$SYSDIR>\syslog\trendmicro.exe","flagifnofile=1"
    AutoRun:"HKCU","<$SYSDIR>\syslog\trendmicro.exe","flagifnofile=1"
    RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","HKLM"
    RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","HKCU"
    File:"<$FILE_EXE>","<$SYSDIR>\syslog\trendmicro.exe"
    Directory:"<$DIR_PROG>","<$SYSDIR>\syslog","filename=trendmicro.exe"
    
    
    // Spyware.Spynet(2):
    // NOTE(review): the paths below are "<$APPDATA>\Roaming\...". If
    // <$APPDATA> already expands to the ...\AppData\Roaming folder on Vista
    // and later, the extra "\Roaming" component would make these rules never
    // match; verify how the variable expands on each target OS.
    AutoRun:"Policies","<$APPDATA>\Roaming\Winbooterr\svchost.exe","flagifnofile=1"
    AutoRun:"HKLM","<$APPDATA>\Roaming\Winbooterr\svchost.exe","flagifnofile=1"
    AutoRun:"HKCU","<$APPDATA>\Roaming\Winbooterr\svchost.exe","flagifnofile=1"
    RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","HKCU"
    File:"<$FILE_EXE>","<$APPDATA>\Roaming\Winbooterr\svchost.exe"
    Directory:"<$DIR_APPDATA>","<$APPDATA>\Roaming\Winbooterr","filename=svchost.exe"
    
    
    // Trojan.Agent(1):
    BrowserHelperEx:"*","filename=iashlpr32.dll"
    RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{00c6fa66-5405-44d1-ba9d-62dea00b71dd}"
    RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{00c6fa66-5405-44d1-ba9d-62dea00b71dd}"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\iashlpr32.dll"
    File:"<$FILE_LIBRARY>","<$WINDIR>\iashlpr32.dll"
    
    
    // Trojan.Agent(2):
    AutoRun:"winpro","<$SYSDIR>\winpro.exe","flagifnofile=1"
    RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","winpro"
    File:"<$FILE_EXE>","<$SYSDIR>\winpro.exe"
    
    
    // Trojan.Agent(3):
    AutoRun:"WindowsSystemGuard","<$PROFILE>\winsvcn.exe","flagifnofile=1"
    RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","WindowsSystemGuard"
    File:"<$FILE_EXE>","<$PROFILE>\winsvcn.exe"
    
    
    // Trojan.Agent(4):
    // NOTE(review): the autorun rule matches the specific random name against
    // any executable in the Temp folder, while the File: rule only names
    // "cmd.exe" there; the specificity of this detection rests on the name.
    AutoRun:"hsf87efjhdsf87f3jfsdi7fhsujfd","<$LOCALSETTINGS>\Temp\*.exe","flagifnofile=1"
    RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","hsf87efjhdsf87f3jfsdi7fhsujfd"
    File:"<$FILE_EXE>","<$LOCALSETTINGS>\Temp\cmd.exe"
    
    
    // Trojan.Banker:
    BrowserHelperEx:"*","filename=iebho0B.dll"
    RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{D032570A-5F63-4812-A094-87D007C23012}"
    RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{D032570A-5F63-4812-A094-87D007C23012}"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\iebho0B.dll"
    
    
    // Trojan.FakeAlert.ttam(1):
    // You have already included something similar; please check file size and md5
    // If I am not mistaken, other variants of this trojan had the same file size; you should check that
    // http://www.superantispyware.com/malwarefiles/PGSB.LTO.html
    // http://www.virustotal.com/analisis/9c9ccc069cec443e8e00776083ab3c261a1e5b0d72e3ef58d7b215e7e1210597-1273194363
    // RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\","Shell","Shell=Explorer.exe rundll32.exe pgsb.lto csxyfxr"
    // NOTE(review): the Winlogon "Shell" value is a boot-critical setting, so
    // a RegyRemove: with the "pgsb.lto *" pattern is used instead of deleting
    // the value -- presumably it strips only the matching portion and leaves
    // "Explorer.exe" in place. Confirm against the format reference before
    // relying on that; a wrongly cleared Shell value leaves no desktop.
    RegyRemove:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\","Shell","pgsb.lto *"
    // NOTE(review): the File: rule is pinned to an exact size and md5, so it
    // will not match other variants; the author's request above to compare
    // against previously recorded variants still stands.
    File:"<$FILE_DATA>","<$SYSDIR>\pgsb.lto","filesize=20992,md5=45edb4bed0a175bbe822d8bbbe0d8cb3"
    
    
    // Trojan.FakeAlert.ttam(2):
    AutoRun:"*","<$LOCALSETTINGS>\Temp\lcibai.exe","flagifnofile=0"
    RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","22686"
    File:"<$FILE_EXE>","<$LOCALSETTINGS>\Temp\lcibai.exe"
    
    
    // Trojan.FakeAlert.ttam(3):
    // AutoRun:"ewrgetuj","C:\DOCUME~1\AMARCE~1\LOCALS~1\Temp\geurge.exe","flagifnofile=1"
    AutoRun:"*","<$LOCALSETTINGS>\Temp\geurge.exe","flagifnofile=0"
    RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","ewrgetuj"
    // File:"<$FILE_EXE>","C:\DOCUME~1\AMARCE~1\LOCALS~1\Temp\geurge.exe"
    File:"<$FILE_EXE>","<$LOCALSETTINGS>\Temp\geurge.exe"
    
    
    // Trojan.FakeAlert.ttam(4):
    // Just pull the sample out of the database and then add it :-)
    // NOTE(review): the autorun names in the log lines below are binary
    // garbage as rendered by the forum (mis-encoded characters, "%26" for an
    // ampersand); that is why the rule matches on the path with a "*" name.
    // No File: rule for wfoyf.exe is present -- consider adding one once the
    // sample is available.
    // AutoRun:"bO²ùð%26×y-¯Œ","c:\windows\wfoyf.exe","flagifnofile=1"
    // AutoRun:"bO²ùõö/‚E%)ßfÏNbѾc:\program files\istsvc\istsvc.exe","c:\windows\wfoyf.exe","flagifnofile=1"
    // AutoRun:"bO²ùõö/‚E%)ßfÏNb½¾c:\program files\istsvc\istsvc.exe","c:\windows\wfoyf.exe","flagifnofile=1"
    // AutoRun:"bO²ùð-×y-¯Œ","c:\windows\wfoyf.exe","flagifnofile=1"
    // AutoRun:"gLBA5BP","c:\windows\wfoyf.exe","flagifnofile=1"
    // AutoRun:"bO²ùðZ×y-¯Œ","c:\windows\wfoyf.exe","flagifnofile=1"
    AutoRun:"*","<$WINDIR>\wfoyf.exe","flagifnofile=0"
    
    
    // Trojan.Fraudpack(1):
    // NOTE(review): the log lines show the same autorun name pointing at
    // differently named executables on several drives and profiles; the
    // generic rules therefore match the fixed name "M5T8QL3YW3" against
    // wildcard paths. The specificity here is the name, not the path.
    // AutoRun:"M5T8QL3YW3","F:\DOKUME~1\ANNAHE~1\LOKALE~1\Temp\Dsz.exe","flagifnofile=1"
    // AutoRun:"M5T8QL3YW3","C:\DOKUME~1\Admin\LOKALE~1\Temp\Qqr.exe","flagifnofile=1"
    AutoRun:"M5T8QL3YW3","<$LOCALSETTINGS>\Temp\*.exe","flagifnofile=1"
    // AutoRun:"M5T8QL3YW3","C:\Users\AuVergne\AppData\Local\Temp\Xtl.exe","flagifnofile=1"
    // AutoRun:"M5T8QL3YW3","D:\Users\***\AppData\Local\Temp\Vbr.exe","flagifnofile=1"
    AutoRun:"M5T8QL3YW3","<$LOCALAPPDATA>\Temp\*.exe","flagifnofile=1"
    AutoRun:"M5T8QL3YW3","<$WINDIR>\Temp\*.exe","flagifnofile=1"
    AutoRun:"M5T8QL3YW3","<$WINDIR>\*.exe","flagifnofile=1"
    RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","M5T8QL3YW3"
    // File:"<$FILE_EXE>","F:\DOKUME~1\ANNAHE~1\LOKALE~1\Temp\Dsz.exe"
    // File:"<$FILE_EXE>","C:\DOKUME~1\Admin\LOKALE~1\Temp\Qqr.exe"
    // File:"<$FILE_EXE>","C:\Users\AuVergne\AppData\Local\Temp\Xtl.exe"
    // File:"<$FILE_EXE>","D:\Users\***\AppData\Local\Temp\Vbr.exe"
    
    
    // Trojan.Fraudpack(2):
    AutoRun:"QZAIB7KITK","<$WINDIR>\*.exe","flagifnofile=1"
    RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","QZAIB7KITK"
    File:"<$FILE_EXE>","<$WINDIR>\Dliqab.exe"
    AutoRun:"QZAIB7KITK","<$LOCALSETTINGS>\Temp\*.exe","flagifnofile=1"
    AutoRun:"QZAIB7KITK","<$LOCALAPPDATA>\Temp\*.exe","flagifnofile=1"
    AutoRun:"QZAIB7KITK","<$WINDIR>\Temp\*.exe","flagifnofile=1"
    // AutoRun:"Canaveral","rundll32.exe D:\Windows\system32\sshnas21.dll,BackupReadW","flagifnofile=1"
    // NOTE(review): the log shows the DLL loaded via rundll32.exe; the rule
    // matches on the DLL path with a trailing "*" so the export name after
    // the comma is covered.
    AutoRun:"Canaveral","<$SYSDIR>\sshnas21.dll*","flagifnofile=1"
    RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","Canaveral"
    // File:"<$FILE_EXE>","rundll32.exe D:\Windows\system32\sshnas21.dll,BackupReadW"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\sshnas21.dll"
    
    
    // Trojan.Rbot:
    // All four from one log file
    // NOTE(review): two of the autorun names below ("Windows Update",
    // "Microsoft Driver Setup") mimic legitimate-sounding entries; the rules
    // are still specific because each is tied to a particular file in
    // <$SYSDIR>, but they should be tested against a clean system.
    AutoRun:"Windows Insecure","<$SYSDIR>\Clock.exe","flagifnofile=1"
    RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","Windows Insecure"
    File:"<$FILE_EXE>","<$SYSDIR>\Clock.exe"
    
    AutoRun:"Internets","<$SYSDIR>\WinSec.exe","flagifnofile=1"
    RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","Internets"
    File:"<$FILE_EXE>","<$SYSDIR>\WinSec.exe"
    
    AutoRun:"Windows Update","<$SYSDIR>\ssms.exe","flagifnofile=1"
    RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","Windows Update"
    File:"<$FILE_EXE>","<$SYSDIR>\ssms.exe"
    
    AutoRun:"Microsoft Driver Setup","<$SYSDIR>\Instmiv.exe","flagifnofile=1"
    RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","Microsoft Driver Setup"
    File:"<$FILE_EXE>","<$SYSDIR>\Instmiv.exe"
    
    
    // Trojan.Virtumonde(1):
    // NOTE(review): this section covers three persistence locations in turn:
    // BHO/CLSID registration, Run entries that load a DLL through rundll32,
    // AppInit_DLLs, Winlogon Notify packages and a SharedTaskScheduler entry.
    // Several File: rules are repeated later in the section or in
    // Trojan.Virtumonde(2) (eijned.dll, d3dim70032.dll, dxtrans32.dll,
    // kheeda.dll); harmless, but they could be consolidated.
    BrowserHelperEx:"*","filename=eijned.dll"
    RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{A2BA40A0-74F1-52BD-F411-00B15A2C8953}"
    RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{A2BA40A0-74F1-52BD-F411-00B15A2C8953}"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\eijned.dll"
    
    // AutoRun:"vuyiwizoso","Rundll32.exe "C:\WINDOWS\system32\wisegava.dll",s","flagifnofile=1"
    AutoRun:"*","<$SYSDIR>\wisegava.dll*","flagifnofile=0"
    RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","vuyiwizoso"
    // File:"<$FILE_EXE>","Rundll32.exe "C:\WINDOWS\system32\wisegava.dll",s"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\wisegava.dll"
    
    // AutoRun:"Knibelisuzoger","rundll32.exe "C:\WINDOWS\unatubet.dll",Startup","flagifnofile=1"
    AutoRun:"*","<$WINDIR>\unatubet.dll*","flagifnofile=0"
    RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","Knibelisuzoger"
    // File:"<$FILE_EXE>","rundll32.exe "C:\WINDOWS\unatubet.dll",Startup"
    File:"<$FILE_LIBRARY>","<$WINDIR>\unatubet.dll"
    
    // AutoRun:"gohasilipa","Rundll32.exe "heyejopo.dll",s","flagifnofile=1"
    // NOTE(review): the log entries for heyejopo.dll, kheeda.dll, pmkiih.dll
    // and qommmj.dll name the DLL without a directory; the rules assume it
    // resolves to <$SYSDIR>. If the DLL lives elsewhere on the search path
    // the File: rule will miss it.
    AutoRun:"*","<$SYSDIR>\heyejopo.dll*","flagifnofile=0"
    RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","gohasilipa"
    // File:"<$FILE_EXE>","Rundll32.exe "heyejopo.dll",s"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\heyejopo.dll"
    
    // AutoRun:"hgfffdsys","rundll32.exe "kheeda.dll",DllRegisterServer","flagifnofile=1"
    AutoRun:"*","<$SYSDIR>\kheeda.dll*","flagifnofile=0"
    RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","hgfffdsys"
    // File:"<$FILE_EXE>","rundll32.exe "kheeda.dll",DllRegisterServer"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\kheeda.dll"
    
    // AutoRun:"yaayaxdrv","rundll32.exe "pmkiih.dll",s","flagifnofile=1"
    AutoRun:"*","<$SYSDIR>\pmkiih.dll*","flagifnofile=0"
    RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","yaayaxdrv"
    // File:"<$FILE_EXE>","rundll32.exe "pmkiih.dll",s"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\pmkiih.dll"
    
    // AutoRun:"Cxayicitaq","rundll32.exe "c:\windows\agarabul.dll",Startup","flagifnofile=1"
    AutoRun:"*","<$WINDIR>\agarabul.dll*","flagifnofile=0"
    RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","Cxayicitaq"
    // File:"<$FILE_EXE>","rundll32.exe "c:\windows\agarabul.dll",Startup"
    File:"<$FILE_LIBRARY>","<$WINDIR>\agarabul.dll"
    
    // AutoRun:"awutqqsys","rundll32.exe "qommmj.dll",DllRegisterServer","flagifnofile=1"
    AutoRun:"*","<$SYSDIR>\qommmj.dll*","flagifnofile=0"
    RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","awutqqsys"
    // File:"<$FILE_EXE>","rundll32.exe "qommmj.dll",DllRegisterServer"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\qommmj.dll"
    
    // AutoRun:"Cvazecof","rundll32.exe "C:\WINDOWS\covblg.dll",Startup","flagifnofile=1"
    AutoRun:"*","<$WINDIR>\covblg.dll*","flagifnofile=0"
    RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","Cvazecof"
    // File:"<$FILE_EXE>","rundll32.exe "C:\WINDOWS\covblg.dll",Startup"
    File:"<$FILE_LIBRARY>","<$WINDIR>\covblg.dll"
    
    // NOTE(review): AppInit_DLLs is a single shared value that legitimate
    // software may also use. The RegyRemove: rules below name one DLL each,
    // presumably removing only that entry from the value rather than
    // clearing it -- confirm against the format reference. Note that some
    // entries are given with the <$SYSDIR> prefix and others as a bare
    // filename, matching how each was recorded in the value.
    RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\d3d832.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\d3d832.dll"
    
    RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","xnxyxe.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\xnxyxe.dll"
    
    RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","rurafele.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\rurafele.dll"
    
    RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","iniwin32.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\iniwin32.dll"
    
    RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\d3dim70032.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\d3dim70032.dll"
    
    RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\dxtrans32.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\dxtrans32.dll"
    
    // NOTE(review): Winlogon Notify packages below; the key name is the
    // (random) package name and the DllName value identifies the DLL. Two of
    // them (fccdbYOf, fccaWnlI) record DllName without a directory.
    RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\","48001fae879","DllName=<$SYSDIR>\d3dim70032.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\d3dim70032.dll"
    
    RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\","9cb6358f891","DllName=<$SYSDIR>\dxtrans32.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\dxtrans32.dll"
    
    RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\","fccdbYOf","DllName=fccdbYOf.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\fccdbYOf.dll"
    
    RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\","nnnljiJa","DllName=<$SYSDIR>\nnnljiJa.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\nnnljiJa.dll"
    
    RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\","yaywwXPj","DllName=<$SYSDIR>\yaywwXPj.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\yaywwXPj.dll"
    
    RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\","jkklLeca","DllName=<$SYSDIR>\jkklLeca.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\jkklLeca.dll"
    
    RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\","fccaWnlI","DllName=fccaWnlI.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\fccaWnlI.dll"
    
    // NOTE(review): the SharedTaskScheduler value below references the same
    // CLSID as the BHO at the top of this section, so the two are one
    // component registered twice.
    RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","kjsfi8sjefiuoshiefyhiusdhfdf","kjsfi8sjefiuoshiefyhiusdhfdf={A2BA40A0-74F1-52BD-F411-00B15A2C8953}"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\eijned.dll"
    
    
    // Trojan.Virtumonde(2):
    // From a DDS log file
    // NOTE(review): file-name-only rules, no registry component.
    File:"<$FILE_LIBRARY>","<$SYSDIR>\tuttqo.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\rqrrqn.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\ssrron.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\kheeda.dll"
    
    
    // Trojan.Virtumonde(3):
    // From a DDS log file
    File:"<$FILE_EXE>","<$SYSDIR>\hosemuvu.exe"
    File:"<$FILE_EXE>","<$SYSDIR>\vilororu.exe"
    File:"<$FILE_EXE>","<$SYSDIR>\turepare.exe"
    File:"<$FILE_EXE>","<$SYSDIR>\pinapuwe.exe"
    File:"<$FILE_EXE>","<$SYSDIR>\sehuwuri.exe"
    File:"<$FILE_EXE>","<$SYSDIR>\junovedo.exe"
    File:"<$FILE_EXE>","<$SYSDIR>\wevetora.exe"
    File:"<$FILE_EXE>","<$SYSDIR>\powirimu.exe"
    File:"<$FILE_EXE>","<$SYSDIR>\guteduju.exe"
    File:"<$FILE_EXE>","<$SYSDIR>\wiwifezi.exe"
    
    
    // Trojan.Virtumonde(4):
    // All from one DDS log file !!
    // NOTE(review): every name in (3) and (4) is an eight-letter
    // consonant-vowel string, which looks generated per infection; name-only
    // File: rules from a single log therefore may not carry over to other
    // infected machines. Treat this list as coverage for the logged system
    // and confirm against additional samples before relying on it.
    File:"<$FILE_EXE>","<$SYSDIR>\zeyejiwo.exe"
    File:"<$FILE_EXE>","<$SYSDIR>\rohidoto.exe"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\juliyowe.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\gurufufe.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\huwanuta.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\holapoza.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\tikanalo.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\rajaloga.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\dajofini.dll"
    File:"<$FILE_EXE>","<$SYSDIR>\tahuhure.exe"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\hutijezu.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\reboyuti.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\badaliyo.dll"
    File:"<$FILE_EXE>","<$SYSDIR>\bakivige.exe"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\bawujupu.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\bazabezi.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\davotudo.dll"
    File:"<$FILE_EXE>","<$SYSDIR>\falutehu.exe"
    File:"<$FILE_EXE>","<$SYSDIR>\fidezeta.exe"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\fodudoto.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\fokitape.dll"
    File:"<$FILE_EXE>","<$SYSDIR>\fudutawo.exe"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\fujegifu.dll"
    File:"<$FILE_EXE>","<$SYSDIR>\fukigeha.exe"
    File:"<$FILE_EXE>","<$SYSDIR>\fumugatu.exe"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\gayudida.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\givolitu.dll"
    File:"<$FILE_EXE>","<$SYSDIR>\guvodudi.exe"
    File:"<$FILE_EXE>","<$SYSDIR>\hajirifi.exe"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\hiheteki.dll"
    File:"<$FILE_EXE>","<$SYSDIR>\humoyofa.exe"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\hunazazi.dll"
    File:"<$FILE_EXE>","<$SYSDIR>\jeyuteza.exe"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\jilosuka.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\kavumefe.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\kesibahi.dll"
    File:"<$FILE_EXE>","<$SYSDIR>\kuyivoyo.exe"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\limeruyi.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\ludiyofu.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\lujeroya.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\mahogiwe.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\pofutuva.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\poliwape.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\reposoku.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\ripojopo.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\rupolefa.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\sawetuna.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\sayivoni.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\setakonu.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\silohuru.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\sovapeha.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\tayijobu.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\tezezubu.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\tiguwoli.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\tukideka.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\tumuwaku.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\tuvabebo.dll"
    File:"<$FILE_EXE>","<$SYSDIR>\tuzajada.exe"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\vajapaso.dll"
    File:"<$FILE_EXE>","<$SYSDIR>\vajozesi.exe"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\vopereso.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\vumeburi.dll"
    File:"<$FILE_EXE>","<$SYSDIR>\wavepegi.exe"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\werolime.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\winasara.dll"
    File:"<$FILE_EXE>","<$SYSDIR>\wisasudi.exe"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\wojotobo.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\yakiwafo.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\yegofoju.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\yigiwopa.dll"
    File:"<$FILE_EXE>","<$SYSDIR>\yitofoyi.exe"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\yokavubo.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\yuheduzo.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\zafewale.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\zajasuvu.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\zazokiya.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\zemupalu.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\zenemure.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\zifisehe.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\zitajalu.dll"

  2. #2


    According to this post, this SBI file causes a false positive with the ATI Catalyst Control Center.

    daemon
