I've collected detection rules for the following malware:
  • Malware.Fraud.Sysguard
  • Malware.Mirar.Tango
  • Security.Microsoft.Windows.RedirectedHosts(3)
  • Spyware.Spynet
  • Trojan.Agent(4)
  • Trojan.FakeAlert.ttam(2)
  • Trojan.Kreeper
  • Trojan.Opachki
  • Trojan.Virtumonde
Category: Trojan
Code:
:: New Malware v111
// Revision 1
// {Cat:Test}{Cnt:1}
// {Det:Matt,2010-05-19}


// Malware.Fraud.Sysguard:
// NOTE(review): log excerpt only - this revision derives no AutoRun/File rule from it.
// All four samples share one shape: an apparently random 9-letter folder under
// Local Settings\Application Data and an 11-letter executable name ending in "ssd.exe";
// a wildcard rule on that suffix would be the obvious next step once confirmed on more samples.
// mRun/uRun presumably denote the HKLM and HKCU Run keys of the source log (same entry in both).
// mRun: [pdialkdu] C:\Documents and Settings\Dean Palm\Local Settings\Application Data\uiejudlxq\lofkctltssd.exe
// mRun: [mxjawtnj] c:\documents and settings\administrator\local settings\application data\dnncvleqo\fdhgatbtssd.exe
// mRun: [wyykqosy] c:\documents and settings\mom.teachertoy\local settings\application data\vuposuukl\lavrmvntssd.exe
// mRun: [dpwkkbrc] c:\documents and settings\dkrypt\local settings\application data\gsaogxhus\iqdmaddtssd.exe
// uRun: [pdialkdu] C:\Documents and Settings\Dean Palm\Local Settings\Application Data\uiejudlxq\lofkctltssd.exe
// uRun: [mxjawtnj] c:\documents and settings\administrator\local settings\application data\dnncvleqo\fdhgatbtssd.exe
// uRun: [wyykqosy] c:\documents and settings\mom.teachertoy\local settings\application data\vuposuukl\lavrmvntssd.exe
// uRun: [dpwkkbrc] c:\documents and settings\dkrypt\local settings\application data\gsaogxhus\iqdmaddtssd.exe


// Malware.Mirar.Tango:
// Variant of Mirar (comment translated from German).
// See also: http://www.systemlookup.com/CLSID/70547-c_dll_random_digit.html
// BHO registered under the display name "Tango"; its DLL name is not fixed, hence the *.dll filter.
BrowserHelperEx:"Tango","filename=*.dll"
// BHO registration and CLSID share {DD087521-...}; the Toolbar entry uses the neighbouring
// {DD087520-...}. Presumably a second COM object of the same installer rather than a typo -
// confirm against the sample before "fixing" it.
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{DD087521-0E98-4BDE-9227-2BA8A82CD9E0}"
RegyValue:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Internet Explorer\Toolbar\","{DD087520-0E98-4BDE-9227-2BA8A82CD9E0}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{DD087521-0E98-4BDE-9227-2BA8A82CD9E0}"
// One known fixed file name plus a wildcard for the "c" + three-character variant described in the link above.
File:"<$FILE_LIBRARY>","<$SYSDIR>\8078.dll"
// NOTE(review): c???.dll is a broad pattern for <$SYSDIR>; confirm the engine reports it only when the
// BHO/CLSID entries above also match, otherwise a legitimate four-letter c*.dll could be flagged.
File:"<$FILE_LIBRARY>","<$SYSDIR>\c???.dll"


// Security.Microsoft.Windows.RedirectedHosts(1):
// NOTE(review): log excerpt only - no rule line is derived from it in this revision.
// The indicator is the hosts file itself: every major search-engine host name (plus
// www.google-analytics.com) resolves to the single address 173.236.107.243.
// O1 - Hosts: 173.236.107.243 www.google.com
// O1 - Hosts: 173.236.107.243 google.com
// O1 - Hosts: 173.236.107.243 google.com.au
// O1 - Hosts: 173.236.107.243 www.google.com.au
// O1 - Hosts: 173.236.107.243 google.be
// O1 - Hosts: 173.236.107.243 www.google.be
// O1 - Hosts: 173.236.107.243 google.com.br
// O1 - Hosts: 173.236.107.243 www.google.com.br
// O1 - Hosts: 173.236.107.243 google.ca
// O1 - Hosts: 173.236.107.243 www.google.ca
// O1 - Hosts: 173.236.107.243 google.ch
// O1 - Hosts: 173.236.107.243 www.google.ch
// O1 - Hosts: 173.236.107.243 google.de
// O1 - Hosts: 173.236.107.243 www.google.de
// O1 - Hosts: 173.236.107.243 google.dk
// O1 - Hosts: 173.236.107.243 www.google.dk
// O1 - Hosts: 173.236.107.243 google.fr
// O1 - Hosts: 173.236.107.243 www.google.fr
// O1 - Hosts: 173.236.107.243 google.ie
// O1 - Hosts: 173.236.107.243 www.google.ie
// O1 - Hosts: 173.236.107.243 google.it
// O1 - Hosts: 173.236.107.243 www.google.it
// O1 - Hosts: 173.236.107.243 google.co.jp
// O1 - Hosts: 173.236.107.243 www.google.co.jp
// O1 - Hosts: 173.236.107.243 google.nl
// O1 - Hosts: 173.236.107.243 www.google.nl
// O1 - Hosts: 173.236.107.243 google.no
// O1 - Hosts: 173.236.107.243 www.google.no
// O1 - Hosts: 173.236.107.243 google.co.nz
// O1 - Hosts: 173.236.107.243 www.google.co.nz
// O1 - Hosts: 173.236.107.243 google.pl
// O1 - Hosts: 173.236.107.243 www.google.pl
// O1 - Hosts: 173.236.107.243 google.se
// O1 - Hosts: 173.236.107.243 www.google.se
// O1 - Hosts: 173.236.107.243 google.co.uk
// O1 - Hosts: 173.236.107.243 www.google.co.uk
// O1 - Hosts: 173.236.107.243 google.co.za
// O1 - Hosts: 173.236.107.243 www.google.co.za
// O1 - Hosts: 173.236.107.243 www.google-analytics.com
// O1 - Hosts: 173.236.107.243 www.bing.com
// O1 - Hosts: 173.236.107.243 search.yahoo.com
// O1 - Hosts: 173.236.107.243 www.search.yahoo.com
// O1 - Hosts: 173.236.107.243 uk.search.yahoo.com
// O1 - Hosts: 173.236.107.243 ca.search.yahoo.com
// O1 - Hosts: 173.236.107.243 de.search.yahoo.com
// O1 - Hosts: 173.236.107.243 fr.search.yahoo.com
// O1 - Hosts: 173.236.107.243 au.search.yahoo.com


// Security.Microsoft.Windows.RedirectedHosts(2):
// NOTE(review): log excerpt only - no rule line is derived from it in this revision.
// Same host list as variant (1), redirected to 209.212.147.138 instead.
// The "http://" prefix on the www.* entries cannot occur in a hosts file; it is most likely an
// auto-link artifact of the pasted log, so the real host names are www.google.com etc. as in (1).
// O1 - Hosts: 209.212.147.138 http://www.google.com
// O1 - Hosts: 209.212.147.138 google.com
// O1 - Hosts: 209.212.147.138 google.com.au
// O1 - Hosts: 209.212.147.138 http://www.google.com.au
// O1 - Hosts: 209.212.147.138 google.be
// O1 - Hosts: 209.212.147.138 http://www.google.be
// O1 - Hosts: 209.212.147.138 google.com.br
// O1 - Hosts: 209.212.147.138 http://www.google.com.br
// O1 - Hosts: 209.212.147.138 google.ca
// O1 - Hosts: 209.212.147.138 http://www.google.ca
// O1 - Hosts: 209.212.147.138 google.ch
// O1 - Hosts: 209.212.147.138 http://www.google.ch
// O1 - Hosts: 209.212.147.138 google.de
// O1 - Hosts: 209.212.147.138 http://www.google.de
// O1 - Hosts: 209.212.147.138 google.dk
// O1 - Hosts: 209.212.147.138 http://www.google.dk
// O1 - Hosts: 209.212.147.138 google.fr
// O1 - Hosts: 209.212.147.138 http://www.google.fr
// O1 - Hosts: 209.212.147.138 google.ie
// O1 - Hosts: 209.212.147.138 http://www.google.ie
// O1 - Hosts: 209.212.147.138 google.it
// O1 - Hosts: 209.212.147.138 http://www.google.it
// O1 - Hosts: 209.212.147.138 google.co.jp
// O1 - Hosts: 209.212.147.138 http://www.google.co.jp
// O1 - Hosts: 209.212.147.138 google.nl
// O1 - Hosts: 209.212.147.138 http://www.google.nl
// O1 - Hosts: 209.212.147.138 google.no
// O1 - Hosts: 209.212.147.138 http://www.google.no
// O1 - Hosts: 209.212.147.138 google.co.nz
// O1 - Hosts: 209.212.147.138 http://www.google.co.nz
// O1 - Hosts: 209.212.147.138 google.pl
// O1 - Hosts: 209.212.147.138 http://www.google.pl
// O1 - Hosts: 209.212.147.138 google.se
// O1 - Hosts: 209.212.147.138 http://www.google.se
// O1 - Hosts: 209.212.147.138 google.co.uk
// O1 - Hosts: 209.212.147.138 http://www.google.co.uk
// O1 - Hosts: 209.212.147.138 google.co.za
// O1 - Hosts: 209.212.147.138 http://www.google-analytics.com
// O1 - Hosts: 209.212.147.138 http://www.bing.com
// O1 - Hosts: 209.212.147.138 search.yahoo.com
// O1 - Hosts: 209.212.147.138 http://www.search.yahoo.com
// O1 - Hosts: 209.212.147.138 uk.search.yahoo.com
// O1 - Hosts: 209.212.147.138 ca.search.yahoo.com
// O1 - Hosts: 209.212.147.138 de.search.yahoo.com


// Security.Microsoft.Windows.RedirectedHosts(3):
// NOTE(review): log excerpt only - no rule line is derived from it in this revision.
// Unlike (1)/(2) this does not hijack search engines; it pins the rogue product's own domains
// (winshield2009.com and a microsoft.com sub-domain that is presumably spoofed for credibility)
// to 91.212.127.226.
// O1 - Hosts: 91.212.127.226 winshield2009.microsoft.com
// O1 - Hosts: 91.212.127.226 winshield2009.com
// O1 - Hosts: 91.212.127.226 www.winshield2009.com


// Spyware.Spynet:
// Source log lines (uExplorerRun / mExplorerRun presumably denote the HKCU / HKLM
// Policies\Explorer\Run keys):
// uExplorerRun: [Policies] c:\windows\system32\winlog\Winlogon.exe
// mExplorerRun: [Policies] c:\windows\system32\winlog\Winlogon.exe
// The file borrows the name of the real Winlogon.exe but lives in a "winlog" sub-folder of the
// system directory, which the genuine binary never does.
AutoRun:"Policies","<$SYSDIR>\winlog\Winlogon.exe","flagifnofile=1"
// Original absolute-path forms kept for reference; the active rules use <$SYSDIR> so they also
// match on installs where Windows is not under c:\windows.
// AutoRun:"HKLM","c:\windows\system32\winlog\Winlogon.exe","flagifnofile=1"
AutoRun:"HKLM","<$SYSDIR>\winlog\Winlogon.exe","flagifnofile=1"
// AutoRun:"HKCU","c:\windows\system32\winlog\Winlogon.exe","flagifnofile=1"
AutoRun:"HKCU","<$SYSDIR>\winlog\Winlogon.exe","flagifnofile=1"
// "HKLM" and "HKCU" in the last argument are the literal Run value names the malware writes
// (compare "lenscrset" in Trojan.Agent(1)); the hive is selected by the second argument.
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","HKLM"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","HKCU"
File:"<$FILE_EXE>","<$SYSDIR>\winlog\Winlogon.exe"


// Trojan.Agent(1):
// The observed Run value carried a " /run" argument; the trailing * in the active rule lets it
// match the command line with or without that argument.
// AutoRun:"lenscrset","<$SYSDIR>\lenscrset.exe /run","flagifnofile=1"
AutoRun:"lenscrset","<$SYSDIR>\lenscrset.exe*","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","lenscrset"
File:"<$FILE_EXE>","<$SYSDIR>\lenscrset.exe"


// Trojan.Agent(2):
// HKLM Run value posing as "Windows System Guard"; the executable sits directly in the
// application-data root rather than in a sub-folder, so there is no Directory rule here.
AutoRun:"Windows System Guard","<$APPDATA>\egun.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","Windows System Guard"
File:"<$FILE_EXE>","<$APPDATA>\egun.exe"


// Trojan.Agent(3):
// Two HKCU persistence entries under one name. Both use process-name lookalikes: svchost.exe
// outside <$SYSDIR> (value "dll") and scvhost.exe, a transposition of svchost, in the local
// temp folder (value "Microsoft Corp").
// NOTE(review): Trojan.Agent(2) treats <$APPDATA> as the roaming root itself, while this section
// appends "\Roaming" to it - confirm what <$APPDATA> expands to, otherwise one of the two never matches.
AutoRun:"dll","<$APPDATA>\Roaming\dll\svchost.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","dll"
File:"<$FILE_EXE>","<$APPDATA>\Roaming\dll\svchost.exe"
// Removes the containing folder as well, but only if it holds the named file.
Directory:"<$DIR_PROG>","<$APPDATA>\Roaming\dll","filename=svchost.exe"
AutoRun:"Microsoft Corp","<$LOCALAPPDATA>\Temp\scvhost.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","Microsoft Corp"
File:"<$FILE_EXE>","<$LOCALAPPDATA>\Temp\scvhost.exe"


// Trojan.Agent(4):
// See also: http://www.systemlookup.com/Startup/22388-gabpath_exe.html
// Fixed value name and file name, so no wildcards are needed. The <$APPDATA>\Roaming question
// raised in Trojan.Agent(3) applies here too.
AutoRun:"GabPath","<$APPDATA>\Roaming\GabPath\gabpath.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","GabPath"
File:"<$FILE_EXE>","<$APPDATA>\Roaming\GabPath\gabpath.exe"
Directory:"<$DIR_PROG>","<$APPDATA>\Roaming\GabPath","filename=gabpath.exe"


// Trojan.FakeAlert.ttam(1):
// The sample ran from a Rar$EX00.937 sub-folder of the user's temp directory - this looks like an
// archiver extraction folder, whose name changes per run, so the active rules replace that single
// path component with a * wildcard. The original entries are kept as comments for reference.
// Note that the file name has no extension in the observed entry; the rules keep it that way.
// AutoRun:"svchost","C:\Documents and Settings\Darren\Local Settings\Temp\Rar$EX00.937\svchost","flagifnofile=1"
AutoRun:"svchost","<$LOCALSETTINGS>\Temp\*\svchost","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","svchost"
// File:"<$FILE_EXE>","C:\Documents and Settings\Darren\Local Settings\Temp\Rar$EX00.937\svchost"
File:"<$FILE_EXE>","<$LOCALSETTINGS>\Temp\*\svchost"
// The folder is only removed when it actually contains the "svchost" file, which keeps the
// wildcard from deleting unrelated temp folders.
Directory:"<$DIR_PROG>","<$LOCALSETTINGS>\Temp\*","filename=svchost"


// Trojan.FakeAlert.ttam(2):
// See also: http://www.systemlookup.com/Startup/22389-jnipmo_exe.html
// The autostart value name and the file name are fixed, not randomised! (translated from German)
// Hence the random-looking "SfKg6wIPuSp" is matched literally and no wildcard is used.
AutoRun:"SfKg6wIPuSp","<$APPDATA>\Roaming\Microsoft\Windows\jnipmo.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","SfKg6wIPuSp"
File:"<$FILE_EXE>","<$APPDATA>\Roaming\Microsoft\Windows\jnipmo.exe"


// Trojan.Kreeper:
// See also: http://www.threatexpert.com/report.aspx?md5=3043dfb8ff7f21bd3be945a210e461da
// Settings key the sample creates directly under HKCU\SOFTWARE (key name exactly as written by it).
RegyKey:"<$REG_SETTINGS>",HKEY_CURRENT_USER,"\SOFTWARE\","SlysBitch"
// Persistence via an HKCU Run value named after a fake security product; file plus its folder.
AutoRun:"WinDefence32","<$APPDATA>\roaming\windefence\windefence32.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","WinDefence32"
File:"<$FILE_EXE>","<$APPDATA>\roaming\windefence\windefence32.exe"
Directory:"<$DIR_PROG>","<$APPDATA>\roaming\windefence","filename=windefence32.exe"


// Trojan.Opachki:
// The observed Run value loads the DLL through rundll32 and calls its _NtLoad@0 export. The active
// rule matches on the DLL path with a trailing * to absorb the ",_NtLoad@0" tail, and the file is
// classified as a library instead of the executable category the original form suggested.
// NOTE(review): Trojan.Virtumonde handles the same rundll32 form with AutoRun:"*" and flagifnofile=0;
// here the value name "notepad" is matched exactly with flagifnofile=1 - confirm both are intended.
// AutoRun:"notepad","rundll32.exe C:\Users\Sornas\ntload.dll,_NtLoad@0","flagifnofile=1"
AutoRun:"notepad","<$PROFILE>\ntload.dll*","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","notepad"
// File:"<$FILE_EXE>","rundll32.exe C:\Users\Sornas\ntload.dll,_NtLoad@0"
File:"<$FILE_LIBRARY>","<$PROFILE>\ntload.dll"


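// Trojan.Virtumonde:
// Three Run-value variants, each launched through rundll32 with a "Startup" export. The observed
// entries are kept as comments; the active rules match on the DLL path with a trailing * (absorbing
// the ",Startup" tail) and use AutoRun:"*" because the value name differs per install.
// flagifnofile=0 here, unlike the rest of this file - presumably the Run entry is only reported
// while the DLL is present; confirm that this difference from Trojan.Opachki is intended.
// AutoRun:"Oqawokiqo","rundll32.exe "c:\windows\shabdl.dll",Startup","flagifnofile=1"
AutoRun:"*","<$WINDIR>\shabdl.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","Oqawokiqo"
// File:"<$FILE_EXE>","rundll32.exe "c:\windows\shabdl.dll",Startup"
File:"<$FILE_LIBRARY>","<$WINDIR>\shabdl.dll"

// AutoRun:"Wnezosareve","rundll32.exe "c:\windows\ulonifij.dll",Startup","flagifnofile=1"
AutoRun:"*","<$WINDIR>\ulonifij.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","Wnezosareve"
// File:"<$FILE_EXE>","rundll32.exe "c:\windows\ulonifij.dll",Startup"
File:"<$FILE_LIBRARY>","<$WINDIR>\ulonifij.dll"

// AutoRun:"Gjemolaxay","rundll32.exe "c:\windows\uxibesidacibiso.dll",Startup","flagifnofile=1"
AutoRun:"*","<$WINDIR>\uxibesidacibiso.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","Gjemolaxay"
// File:"<$FILE_EXE>","rundll32.exe "c:\windows\uxibesidacibiso.dll",Startup"
File:"<$FILE_LIBRARY>","<$WINDIR>\uxibesidacibiso.dll"

// AppInit_DLLs persistence: each RegyRemove strips one DLL entry from the value - entries are kept
// exactly as observed, some as a bare file name and some with a full path, since the text must
// match what the sample wrote - and the paired File rule removes the DLL from the system directory.
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\sesimuvi.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\sesimuvi.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","siruguhu.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\siruguhu.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\ramuzovi.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\ramuzovi.dll"

// NOTE(review): the space after the backslash in "\ hajiruno.dll" is carried through both lines.
// If it is a paste artifact rather than the sample's real file name, neither line can ever match -
// verify against the sample before dropping it.
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\ hajiruno.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\ hajiruno.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","buhuzopo.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\buhuzopo.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\dpvoice32.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\dpvoice32.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","kekovate.dll"
// Was <$FILE_WEBPAGE>: a .dll loaded via AppInit_DLLs is a library like every other entry here.
File:"<$FILE_LIBRARY>","<$SYSDIR>\kekovate.dll"

// ShellServiceObjectDelayLoad and SharedTaskScheduler entries. Each value holds a CLSID, and the
// File line that follows names the DLL that CLSID is taken to resolve to ({b3ca9d7c-...} -> sesimuvi,
// {ee02cce7-...} -> ramuzovi, {ec2d8a74-...} -> walikahe). Most of these File lines repeat ones
// above and are harmless; walikahe.dll appears only in this group.
// NOTE(review): unlike Malware.Mirar.Tango, no RegyKey:"<$REG_CLASSID>" entry removes the CLSID
// registrations themselves - consider adding them once the InprocServer32 mapping is confirmed
// from the sample.
RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","bojoyohuy","bojoyohuy={b3ca9d7c-00e1-4063-8a47-adf4ce3b22e6}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\sesimuvi.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","riyireheh","riyireheh={ee02cce7-609d-4cb2-b392-29f526f67a5d}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\ramuzovi.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","vedavozup","vedavozup={ec2d8a74-090c-4301-9444-420482dfdbad}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\walikahe.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","jugezatag","jugezatag={b3ca9d7c-00e1-4063-8a47-adf4ce3b22e6}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\sesimuvi.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","gahurihor","gahurihor={ee02cce7-609d-4cb2-b392-29f526f67a5d}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\ramuzovi.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","mujuzedij","mujuzedij={ec2d8a74-090c-4301-9444-420482dfdbad}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\walikahe.dll"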