Thread: New Malware v111

  1. #1
    Senior Member Matt's Avatar
    Join Date
    Aug 2006
    Location
    Bavaria
    Posts
    1,169

    New Malware v111

    I've collected detection rules for the following Malware:
    • Malware.Fraud.Sysguard
    • Malware.Mirar.Tango
    • Security.Microsoft.Windows.RedirectedHosts(3)
    • Spyware.Spynet
    • Trojan.Agent(4)
    • Trojan.FakeAlert.ttam(2)
    • Trojan.Kreeper
    • Trojan.Opachki
    • Trojan.Virtumonde
    Category: Trojan
    Code:
    :: New Malware v111
    // Revision 1
    // {Cat:Test}{Cnt:1}
    // {Det:Matt,2010-05-19}
    
    
    // Malware.Fraud.Sysguard:
    // mRun: [pdialkdu] C:\Documents and Settings\Dean Palm\Local Settings\Application Data\uiejudlxq\lofkctltssd.exe
    // mRun: [mxjawtnj] c:\documents and settings\administrator\local settings\application data\dnncvleqo\fdhgatbtssd.exe
    // mRun: [wyykqosy] c:\documents and settings\mom.teachertoy\local settings\application data\vuposuukl\lavrmvntssd.exe
    // mRun: [dpwkkbrc] c:\documents and settings\dkrypt\local settings\application data\gsaogxhus\iqdmaddtssd.exe
    // uRun: [pdialkdu] C:\Documents and Settings\Dean Palm\Local Settings\Application Data\uiejudlxq\lofkctltssd.exe
    // uRun: [mxjawtnj] c:\documents and settings\administrator\local settings\application data\dnncvleqo\fdhgatbtssd.exe
    // uRun: [wyykqosy] c:\documents and settings\mom.teachertoy\local settings\application data\vuposuukl\lavrmvntssd.exe
    // uRun: [dpwkkbrc] c:\documents and settings\dkrypt\local settings\application data\gsaogxhus\iqdmaddtssd.exe
    
    
    // Malware.Mirar.Tango:
    // Variant of Mirar
    // Please also see here: http://www.systemlookup.com/CLSID/70547-c_dll_random_digit.html
    BrowserHelperEx:"Tango","filename=*.dll"
    RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{DD087521-0E98-4BDE-9227-2BA8A82CD9E0}"
    RegyValue:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Internet Explorer\Toolbar\","{DD087520-0E98-4BDE-9227-2BA8A82CD9E0}"
    RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{DD087521-0E98-4BDE-9227-2BA8A82CD9E0}"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\8078.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\c???.dll"
    
    
    // Security.Microsoft.Windows.RedirectedHosts(1):
    // O1 - Hosts: 173.236.107.243 www.google.com
    // O1 - Hosts: 173.236.107.243 google.com
    // O1 - Hosts: 173.236.107.243 google.com.au
    // O1 - Hosts: 173.236.107.243 www.google.com.au
    // O1 - Hosts: 173.236.107.243 google.be
    // O1 - Hosts: 173.236.107.243 www.google.be
    // O1 - Hosts: 173.236.107.243 google.com.br
    // O1 - Hosts: 173.236.107.243 www.google.com.br
    // O1 - Hosts: 173.236.107.243 google.ca
    // O1 - Hosts: 173.236.107.243 www.google.ca
    // O1 - Hosts: 173.236.107.243 google.ch
    // O1 - Hosts: 173.236.107.243 www.google.ch
    // O1 - Hosts: 173.236.107.243 google.de
    // O1 - Hosts: 173.236.107.243 www.google.de
    // O1 - Hosts: 173.236.107.243 google.dk
    // O1 - Hosts: 173.236.107.243 www.google.dk
    // O1 - Hosts: 173.236.107.243 google.fr
    // O1 - Hosts: 173.236.107.243 www.google.fr
    // O1 - Hosts: 173.236.107.243 google.ie
    // O1 - Hosts: 173.236.107.243 www.google.ie
    // O1 - Hosts: 173.236.107.243 google.it
    // O1 - Hosts: 173.236.107.243 www.google.it
    // O1 - Hosts: 173.236.107.243 google.co.jp
    // O1 - Hosts: 173.236.107.243 www.google.co.jp
    // O1 - Hosts: 173.236.107.243 google.nl
    // O1 - Hosts: 173.236.107.243 www.google.nl
    // O1 - Hosts: 173.236.107.243 google.no
    // O1 - Hosts: 173.236.107.243 www.google.no
    // O1 - Hosts: 173.236.107.243 google.co.nz
    // O1 - Hosts: 173.236.107.243 www.google.co.nz
    // O1 - Hosts: 173.236.107.243 google.pl
    // O1 - Hosts: 173.236.107.243 www.google.pl
    // O1 - Hosts: 173.236.107.243 google.se
    // O1 - Hosts: 173.236.107.243 www.google.se
    // O1 - Hosts: 173.236.107.243 google.co.uk
    // O1 - Hosts: 173.236.107.243 www.google.co.uk
    // O1 - Hosts: 173.236.107.243 google.co.za
    // O1 - Hosts: 173.236.107.243 www.google.co.za
    // O1 - Hosts: 173.236.107.243 www.google-analytics.com
    // O1 - Hosts: 173.236.107.243 www.bing.com
    // O1 - Hosts: 173.236.107.243 search.yahoo.com
    // O1 - Hosts: 173.236.107.243 www.search.yahoo.com
    // O1 - Hosts: 173.236.107.243 uk.search.yahoo.com
    // O1 - Hosts: 173.236.107.243 ca.search.yahoo.com
    // O1 - Hosts: 173.236.107.243 de.search.yahoo.com
    // O1 - Hosts: 173.236.107.243 fr.search.yahoo.com
    // O1 - Hosts: 173.236.107.243 au.search.yahoo.com
    
    
    // Security.Microsoft.Windows.RedirectedHosts(2):
    // O1 - Hosts: 209.212.147.138 http://www.google.com
    // O1 - Hosts: 209.212.147.138 google.com
    // O1 - Hosts: 209.212.147.138 google.com.au
    // O1 - Hosts: 209.212.147.138 http://www.google.com.au
    // O1 - Hosts: 209.212.147.138 google.be
    // O1 - Hosts: 209.212.147.138 http://www.google.be
    // O1 - Hosts: 209.212.147.138 google.com.br
    // O1 - Hosts: 209.212.147.138 http://www.google.com.br
    // O1 - Hosts: 209.212.147.138 google.ca
    // O1 - Hosts: 209.212.147.138 http://www.google.ca
    // O1 - Hosts: 209.212.147.138 google.ch
    // O1 - Hosts: 209.212.147.138 http://www.google.ch
    // O1 - Hosts: 209.212.147.138 google.de
    // O1 - Hosts: 209.212.147.138 http://www.google.de
    // O1 - Hosts: 209.212.147.138 google.dk
    // O1 - Hosts: 209.212.147.138 http://www.google.dk
    // O1 - Hosts: 209.212.147.138 google.fr
    // O1 - Hosts: 209.212.147.138 http://www.google.fr
    // O1 - Hosts: 209.212.147.138 google.ie
    // O1 - Hosts: 209.212.147.138 http://www.google.ie
    // O1 - Hosts: 209.212.147.138 google.it
    // O1 - Hosts: 209.212.147.138 http://www.google.it
    // O1 - Hosts: 209.212.147.138 google.co.jp
    // O1 - Hosts: 209.212.147.138 http://www.google.co.jp
    // O1 - Hosts: 209.212.147.138 google.nl
    // O1 - Hosts: 209.212.147.138 http://www.google.nl
    // O1 - Hosts: 209.212.147.138 google.no
    // O1 - Hosts: 209.212.147.138 http://www.google.no
    // O1 - Hosts: 209.212.147.138 google.co.nz
    // O1 - Hosts: 209.212.147.138 http://www.google.co.nz
    // O1 - Hosts: 209.212.147.138 google.pl
    // O1 - Hosts: 209.212.147.138 http://www.google.pl
    // O1 - Hosts: 209.212.147.138 google.se
    // O1 - Hosts: 209.212.147.138 http://www.google.se
    // O1 - Hosts: 209.212.147.138 google.co.uk
    // O1 - Hosts: 209.212.147.138 http://www.google.co.uk
    // O1 - Hosts: 209.212.147.138 google.co.za
    // O1 - Hosts: 209.212.147.138 http://www.google-analytics.com
    // O1 - Hosts: 209.212.147.138 http://www.bing.com
    // O1 - Hosts: 209.212.147.138 search.yahoo.com
    // O1 - Hosts: 209.212.147.138 http://www.search.yahoo.com
    // O1 - Hosts: 209.212.147.138 uk.search.yahoo.com
    // O1 - Hosts: 209.212.147.138 ca.search.yahoo.com
    // O1 - Hosts: 209.212.147.138 de.search.yahoo.com
    
    
    // Security.Microsoft.Windows.RedirectedHosts(3):
    // O1 - Hosts: 91.212.127.226 winshield2009.microsoft.com
    // O1 - Hosts: 91.212.127.226 winshield2009.com
    // O1 - Hosts: 91.212.127.226 www.winshield2009.com
    
    
    // Spyware.Spynet:
    // uExplorerRun: [Policies] c:\windows\system32\winlog\Winlogon.exe
    // mExplorerRun: [Policies] c:\windows\system32\winlog\Winlogon.exe
    AutoRun:"Policies","<$SYSDIR>\winlog\Winlogon.exe","flagifnofile=1"
    // AutoRun:"HKLM","c:\windows\system32\winlog\Winlogon.exe","flagifnofile=1"
    AutoRun:"HKLM","<$SYSDIR>\winlog\Winlogon.exe","flagifnofile=1"
    // AutoRun:"HKCU","c:\windows\system32\winlog\Winlogon.exe","flagifnofile=1"
    AutoRun:"HKCU","<$SYSDIR>\winlog\Winlogon.exe","flagifnofile=1"
    RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","HKLM"
    RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","HKCU"
    File:"<$FILE_EXE>","<$SYSDIR>\winlog\Winlogon.exe"
    
    
    // Trojan.Agent(1):
    // AutoRun:"lenscrset","<$SYSDIR>\lenscrset.exe /run","flagifnofile=1"
    AutoRun:"lenscrset","<$SYSDIR>\lenscrset.exe*","flagifnofile=1"
    RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","lenscrset"
    File:"<$FILE_EXE>","<$SYSDIR>\lenscrset.exe"
    
    
    // Trojan.Agent(2):
    AutoRun:"Windows System Guard","<$APPDATA>\egun.exe","flagifnofile=1"
    RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","Windows System Guard"
    File:"<$FILE_EXE>","<$APPDATA>\egun.exe"
    
    
    // Trojan.Agent(3):
    AutoRun:"dll","<$APPDATA>\Roaming\dll\svchost.exe","flagifnofile=1"
    RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","dll"
    File:"<$FILE_EXE>","<$APPDATA>\Roaming\dll\svchost.exe"
    Directory:"<$DIR_PROG>","<$APPDATA>\Roaming\dll","filename=svchost.exe"
    AutoRun:"Microsoft Corp","<$LOCALAPPDATA>\Temp\scvhost.exe","flagifnofile=1"
    RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","Microsoft Corp"
    File:"<$FILE_EXE>","<$LOCALAPPDATA>\Temp\scvhost.exe"
    
    
    // Trojan.Agent(4):
    // Please also see here: http://www.systemlookup.com/Startup/22388-gabpath_exe.html
    AutoRun:"GabPath","<$APPDATA>\Roaming\GabPath\gabpath.exe","flagifnofile=1"
    RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","GabPath"
    File:"<$FILE_EXE>","<$APPDATA>\Roaming\GabPath\gabpath.exe"
    Directory:"<$DIR_PROG>","<$APPDATA>\Roaming\GabPath","filename=gabpath.exe"
    
    
    // Trojan.FakeAlert.ttam(1):
    // AutoRun:"svchost","C:\Documents and Settings\Darren\Local Settings\Temp\Rar$EX00.937\svchost","flagifnofile=1"
    AutoRun:"svchost","<$LOCALSETTINGS>\Temp\*\svchost","flagifnofile=1"
    RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","svchost"
    // File:"<$FILE_EXE>","C:\Documents and Settings\Darren\Local Settings\Temp\Rar$EX00.937\svchost"
    File:"<$FILE_EXE>","<$LOCALSETTINGS>\Temp\*\svchost"
    Directory:"<$DIR_PROG>","<$LOCALSETTINGS>\Temp\*","filename=svchost"
    
    
    // Trojan.FakeAlert.ttam(2):
    // Please also see here: http://www.systemlookup.com/Startup/22389-jnipmo_exe.html
    // The names of the autostart entry and of the file are fixed!
    AutoRun:"SfKg6wIPuSp","<$APPDATA>\Roaming\Microsoft\Windows\jnipmo.exe","flagifnofile=1"
    RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","SfKg6wIPuSp"
    File:"<$FILE_EXE>","<$APPDATA>\Roaming\Microsoft\Windows\jnipmo.exe"
    
    
    // Trojan.Kreeper:
    // Please also see here: http://www.threatexpert.com/report.aspx?md5=3043dfb8ff7f21bd3be945a210e461da
    RegyKey:"<$REG_SETTINGS>",HKEY_CURRENT_USER,"\SOFTWARE\","SlysBitch"
    AutoRun:"WinDefence32","<$APPDATA>\roaming\windefence\windefence32.exe","flagifnofile=1"
    RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","WinDefence32"
    File:"<$FILE_EXE>","<$APPDATA>\roaming\windefence\windefence32.exe"
    Directory:"<$DIR_PROG>","<$APPDATA>\roaming\windefence","filename=windefence32.exe"
    
    
    // Trojan.Opachki:
    // AutoRun:"notepad","rundll32.exe C:\Users\Sornas\ntload.dll,_NtLoad@0","flagifnofile=1"
    AutoRun:"notepad","<$PROFILE>\ntload.dll*","flagifnofile=1"
    RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","notepad"
    // File:"<$FILE_EXE>","rundll32.exe C:\Users\Sornas\ntload.dll,_NtLoad@0"
    File:"<$FILE_LIBRARY>","<$PROFILE>\ntload.dll"
    
    
    // Trojan.Virtumonde:
    // AutoRun:"Oqawokiqo","rundll32.exe "c:\windows\shabdl.dll",Startup","flagifnofile=1"
    AutoRun:"*","<$WINDIR>\shabdl.dll*","flagifnofile=0"
    RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","Oqawokiqo"
    // File:"<$FILE_EXE>","rundll32.exe "c:\windows\shabdl.dll",Startup"
    File:"<$FILE_LIBRARY>","<$WINDIR>\shabdl.dll"
    
    // AutoRun:"Wnezosareve","rundll32.exe "c:\windows\ulonifij.dll",Startup","flagifnofile=1"
    AutoRun:"*","<$WINDIR>\ulonifij.dll*","flagifnofile=0"
    RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","Wnezosareve"
    // File:"<$FILE_EXE>","rundll32.exe "c:\windows\ulonifij.dll",Startup"
    File:"<$FILE_LIBRARY>","<$WINDIR>\ulonifij.dll"
    
    // AutoRun:"Gjemolaxay","rundll32.exe "c:\windows\uxibesidacibiso.dll",Startup","flagifnofile=1"
    AutoRun:"*","<$WINDIR>\uxibesidacibiso.dll*","flagifnofile=0"
    RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","Gjemolaxay"
    // File:"<$FILE_EXE>","rundll32.exe "c:\windows\uxibesidacibiso.dll",Startup"
    File:"<$FILE_LIBRARY>","<$WINDIR>\uxibesidacibiso.dll"
    
    RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\sesimuvi.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\sesimuvi.dll"
    
    RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","siruguhu.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\siruguhu.dll"
    
    RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\ramuzovi.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\ramuzovi.dll"
    
    RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\hajiruno.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\hajiruno.dll"
    
    RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","buhuzopo.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\buhuzopo.dll"
    
    RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\dpvoice32.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\dpvoice32.dll"
    
    RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","kekovate.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\kekovate.dll"
    
    RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","bojoyohuy","bojoyohuy={b3ca9d7c-00e1-4063-8a47-adf4ce3b22e6}"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\sesimuvi.dll"
    
    RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","riyireheh","riyireheh={ee02cce7-609d-4cb2-b392-29f526f67a5d}"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\ramuzovi.dll"
    
    RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","vedavozup","vedavozup={ec2d8a74-090c-4301-9444-420482dfdbad}"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\walikahe.dll"
    
    RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","jugezatag","jugezatag={b3ca9d7c-00e1-4063-8a47-adf4ce3b22e6}"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\sesimuvi.dll"
    
    RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","gahurihor","gahurihor={ee02cce7-609d-4cb2-b392-29f526f67a5d}"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\ramuzovi.dll"
    
    RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","mujuzedij","mujuzedij={ec2d8a74-090c-4301-9444-420482dfdbad}"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\walikahe.dll"
    Downloads: 0 | Rating: 5 (rated by 1 user)

  2. #2
    Senior Member TwistedMike's Avatar
    Join Date
    Apr 2008
    Location
    Canada
    Posts
    129

    In the code that you have given, it appears that the users would have to input their user name:
    Code:
    // mRun: [pdialkdu] C:\Documents and Settings\Dean Palm\Local Settings\Application Data\uiejudlxq\lofkctltssd.exe
    Wouldn't it be easier just to use %appdata%? Then you could continue with the rest of the line, \uiejudlxq\lofkctltssd.exe. It would make it smaller and make it so people could use it right away, but that's only my opinion on that.
    For the fastest, safest browsing experience get Google Chrome

  3. #3
    Senior Member Matt's Avatar
    Join Date
    Aug 2006
    Location
    Bavaria
    Posts
    1,169

    Quote: Originally posted by TwistedMike
    ...
    Wouldn't it be easier just to use %appdata%? Then you could continue with the rest of the line, \uiejudlxq\lofkctltssd.exe. It would make it smaller and make it so people could use it right away, but that's only my opinion on that.
    I am aware of that...

    The "problem" about this kind of Malware is that the folder uiejudlxq for example is random, like the part lofkctl in lofkctltssd.exe as well.

    Without more detailed information (filesize, md5, etc.), it doesn't make much sense to create some detection rules.
    As a conclusion, I didn't create a detection rule, which you can see because of the "//" at the beginning of these lines.

    Thank you for your well-intentioned suggestion, but I don't understand why you answer to a post which is almost one year old.
    Best regards - Beste Grüße,

    Matt
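
An illustration of the point made in this post, added here and not part of the original thread or of Spybot: the profile name, folder and file-name prefix in the commented Sysguard lines vary, but every sample ends in `tssd.exe` under `Local Settings\Application Data\<letters>\`. The sketch below triages mRun/uRun log lines on that shape alone; the shape is an assumption drawn from the four samples above, `find_candidates` is a hypothetical helper, and a hit still needs the file size or md5 mentioned in the post before it can become a rule.

```python
import re

# Constructed sample: three log lines copied from the commented section of the
# first post, plus two benign entries invented here for contrast.
SAMPLE_LOG = r"""
mRun: [pdialkdu] C:\Documents and Settings\Dean Palm\Local Settings\Application Data\uiejudlxq\lofkctltssd.exe
uRun: [pdialkdu] C:\Documents and Settings\Dean Palm\Local Settings\Application Data\uiejudlxq\lofkctltssd.exe
mRun: [mxjawtnj] c:\documents and settings\administrator\local settings\application data\dnncvleqo\fdhgatbtssd.exe
mRun: [ctfmon] C:\WINDOWS\system32\ctfmon.exe
uRun: [updater] C:\Documents and Settings\alice\Local Settings\Application Data\Vendor\update.exe
"""

# "mRun:" / "uRun:" autostart lines: hive tag, [value name], command path.
ENTRY = re.compile(
    r"^\s*(?P<hive>[mu]Run):\s*\[(?P<name>[^\]]+)\]\s*(?P<path>.+?)\s*$"
)

# Assumed shape (from the four samples only): any profile, then
# Local Settings\Application Data\<letters>\<letters>tssd.exe
SHAPE = re.compile(
    r"\\local settings\\application data\\(?P<folder>[a-z]+)\\(?P<stem>[a-z]+)tssd\.exe$",
    re.IGNORECASE,
)


def find_candidates(log_text):
    """Return one finding per distinct folder/file pair, merging the
    machine-wide (mRun) and per-user (uRun) copies of the same entry."""
    findings = {}
    for line in log_text.splitlines():
        entry = ENTRY.match(line)
        if not entry:
            continue  # not an autostart line
        shape = SHAPE.search(entry["path"])
        if not shape:
            continue  # autostart entry, but not the Sysguard-like shape
        folder = shape["folder"].lower()
        filename = shape["stem"].lower() + "tssd.exe"
        item = findings.setdefault(
            (folder, filename),
            {"folder": folder, "file": filename,
             "value_name": entry["name"], "hives": set()},
        )
        item["hives"].add(entry["hive"])
    return sorted(findings.values(), key=lambda f: f["folder"])


if __name__ == "__main__":
    for hit in find_candidates(SAMPLE_LOG):
        print(hit["folder"], hit["file"], hit["value_name"], sorted(hit["hives"]))
```
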

  4. #4
    Senior Member
    Join Date
    May 2010
    Posts
    114

    I'd personally like to know where these OpenSBI files are and how to integrate them into Spybot - Search & Destroy.

  5. #5
    Member of Team Spybot PepiMK's Avatar
    Join Date
    Oct 2005
    Location
    Planet Earth
    Posts
    3,601

    These files are here - click the Download link below the text above (at least those SBI items that are flagged as reviewed by enough people have that link).
    Save them to the Includes\ folder within your Spybot folder, and they can be used from within Spybot (can be enabled on Filesets page).
    Just remember, love is life, and hate is living death.
    Treat your life for what it's worth, and live for every breath
    (Black Sabbath: A National Acrobat)

  6. #6
    Senior Member
    Join Date
    May 2010
    Posts
    114

    Quote: Originally posted by PepiMK
    These files are here - click the Download link below the text above (at least those SBI items that are flagged as reviewed by enough people have that link).
    Save them to the Includes\ folder within your Spybot folder, and they can be used from within Spybot (can be enabled on Filesets page).
    I don't see a download link, just a set of plain-text embedded within the code tags, and for the newer OpenSBI files there is no way for me to even see them.

    I will still make text-files out of the available ones and save them to my Includes directory
