
Thread: New Malware v111

  1. #1 Matt (Senior Member; Bavaria; joined Aug 2006; 1,169 posts)

    New Malware v111

    I've collected detection rules for the following Malware:
    • Malware.Fraud.Sysguard
    • Malware.Mirar.Tango
    • Security.Microsoft.Windows.RedirectedHosts(3)
    • Spyware.Spynet
    • Trojan.Agent(4)
    • Trojan.FakeAlert.ttam(2)
    • Trojan.Kreeper
    • Trojan.Opachki
    • Trojan.Virtumonde
    Category: Trojan
    Code:
    :: New Malware v111
    // Revision 1
    // {Cat:Test}{Cnt:1}
    // {Det:Matt,2010-05-19}
    
    
    // Malware.Fraud.Sysguard:
    // mRun: [pdialkdu] C:\Documents and Settings\Dean Palm\Local Settings\Application Data\uiejudlxq\lofkctltssd.exe
    // mRun: [mxjawtnj] c:\documents and settings\administrator\local settings\application data\dnncvleqo\fdhgatbtssd.exe
    // mRun: [wyykqosy] c:\documents and settings\mom.teachertoy\local settings\application data\vuposuukl\lavrmvntssd.exe
    // mRun: [dpwkkbrc] c:\documents and settings\dkrypt\local settings\application data\gsaogxhus\iqdmaddtssd.exe
    // uRun: [pdialkdu] C:\Documents and Settings\Dean Palm\Local Settings\Application Data\uiejudlxq\lofkctltssd.exe
    // uRun: [mxjawtnj] c:\documents and settings\administrator\local settings\application data\dnncvleqo\fdhgatbtssd.exe
    // uRun: [wyykqosy] c:\documents and settings\mom.teachertoy\local settings\application data\vuposuukl\lavrmvntssd.exe
    // uRun: [dpwkkbrc] c:\documents and settings\dkrypt\local settings\application data\gsaogxhus\iqdmaddtssd.exe
    
    
    // Malware.Mirar.Tango:
    // Variant of Mirar
    // See also: http://www.systemlookup.com/CLSID/70547-c_dll_random_digit.html
    BrowserHelperEx:"Tango","filename=*.dll"
    RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{DD087521-0E98-4BDE-9227-2BA8A82CD9E0}"
    RegyValue:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Internet Explorer\Toolbar\","{DD087520-0E98-4BDE-9227-2BA8A82CD9E0}"
    RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{DD087521-0E98-4BDE-9227-2BA8A82CD9E0}"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\8078.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\c???.dll"
    
    
    // Security.Microsoft.Windows.RedirectedHosts(1):
    // O1 - Hosts: 173.236.107.243 www.google.com
    // O1 - Hosts: 173.236.107.243 google.com
    // O1 - Hosts: 173.236.107.243 google.com.au
    // O1 - Hosts: 173.236.107.243 www.google.com.au
    // O1 - Hosts: 173.236.107.243 google.be
    // O1 - Hosts: 173.236.107.243 www.google.be
    // O1 - Hosts: 173.236.107.243 google.com.br
    // O1 - Hosts: 173.236.107.243 www.google.com.br
    // O1 - Hosts: 173.236.107.243 google.ca
    // O1 - Hosts: 173.236.107.243 www.google.ca
    // O1 - Hosts: 173.236.107.243 google.ch
    // O1 - Hosts: 173.236.107.243 www.google.ch
    // O1 - Hosts: 173.236.107.243 google.de
    // O1 - Hosts: 173.236.107.243 www.google.de
    // O1 - Hosts: 173.236.107.243 google.dk
    // O1 - Hosts: 173.236.107.243 www.google.dk
    // O1 - Hosts: 173.236.107.243 google.fr
    // O1 - Hosts: 173.236.107.243 www.google.fr
    // O1 - Hosts: 173.236.107.243 google.ie
    // O1 - Hosts: 173.236.107.243 www.google.ie
    // O1 - Hosts: 173.236.107.243 google.it
    // O1 - Hosts: 173.236.107.243 www.google.it
    // O1 - Hosts: 173.236.107.243 google.co.jp
    // O1 - Hosts: 173.236.107.243 www.google.co.jp
    // O1 - Hosts: 173.236.107.243 google.nl
    // O1 - Hosts: 173.236.107.243 www.google.nl
    // O1 - Hosts: 173.236.107.243 google.no
    // O1 - Hosts: 173.236.107.243 www.google.no
    // O1 - Hosts: 173.236.107.243 google.co.nz
    // O1 - Hosts: 173.236.107.243 www.google.co.nz
    // O1 - Hosts: 173.236.107.243 google.pl
    // O1 - Hosts: 173.236.107.243 www.google.pl
    // O1 - Hosts: 173.236.107.243 google.se
    // O1 - Hosts: 173.236.107.243 www.google.se
    // O1 - Hosts: 173.236.107.243 google.co.uk
    // O1 - Hosts: 173.236.107.243 www.google.co.uk
    // O1 - Hosts: 173.236.107.243 google.co.za
    // O1 - Hosts: 173.236.107.243 www.google.co.za
    // O1 - Hosts: 173.236.107.243 www.google-analytics.com
    // O1 - Hosts: 173.236.107.243 www.bing.com
    // O1 - Hosts: 173.236.107.243 search.yahoo.com
    // O1 - Hosts: 173.236.107.243 www.search.yahoo.com
    // O1 - Hosts: 173.236.107.243 uk.search.yahoo.com
    // O1 - Hosts: 173.236.107.243 ca.search.yahoo.com
    // O1 - Hosts: 173.236.107.243 de.search.yahoo.com
    // O1 - Hosts: 173.236.107.243 fr.search.yahoo.com
    // O1 - Hosts: 173.236.107.243 au.search.yahoo.com
    
    
    // Security.Microsoft.Windows.RedirectedHosts(2):
    // O1 - Hosts: 209.212.147.138 www.google.com
    // O1 - Hosts: 209.212.147.138 google.com
    // O1 - Hosts: 209.212.147.138 google.com.au
    // O1 - Hosts: 209.212.147.138 www.google.com.au
    // O1 - Hosts: 209.212.147.138 google.be
    // O1 - Hosts: 209.212.147.138 www.google.be
    // O1 - Hosts: 209.212.147.138 google.com.br
    // O1 - Hosts: 209.212.147.138 www.google.com.br
    // O1 - Hosts: 209.212.147.138 google.ca
    // O1 - Hosts: 209.212.147.138 www.google.ca
    // O1 - Hosts: 209.212.147.138 google.ch
    // O1 - Hosts: 209.212.147.138 www.google.ch
    // O1 - Hosts: 209.212.147.138 google.de
    // O1 - Hosts: 209.212.147.138 www.google.de
    // O1 - Hosts: 209.212.147.138 google.dk
    // O1 - Hosts: 209.212.147.138 www.google.dk
    // O1 - Hosts: 209.212.147.138 google.fr
    // O1 - Hosts: 209.212.147.138 www.google.fr
    // O1 - Hosts: 209.212.147.138 google.ie
    // O1 - Hosts: 209.212.147.138 www.google.ie
    // O1 - Hosts: 209.212.147.138 google.it
    // O1 - Hosts: 209.212.147.138 www.google.it
    // O1 - Hosts: 209.212.147.138 google.co.jp
    // O1 - Hosts: 209.212.147.138 www.google.co.jp
    // O1 - Hosts: 209.212.147.138 google.nl
    // O1 - Hosts: 209.212.147.138 www.google.nl
    // O1 - Hosts: 209.212.147.138 google.no
    // O1 - Hosts: 209.212.147.138 www.google.no
    // O1 - Hosts: 209.212.147.138 google.co.nz
    // O1 - Hosts: 209.212.147.138 www.google.co.nz
    // O1 - Hosts: 209.212.147.138 google.pl
    // O1 - Hosts: 209.212.147.138 www.google.pl
    // O1 - Hosts: 209.212.147.138 google.se
    // O1 - Hosts: 209.212.147.138 www.google.se
    // O1 - Hosts: 209.212.147.138 google.co.uk
    // O1 - Hosts: 209.212.147.138 www.google.co.uk
    // O1 - Hosts: 209.212.147.138 google.co.za
    // O1 - Hosts: 209.212.147.138 www.google-analytics.com
    // O1 - Hosts: 209.212.147.138 www.bing.com
    // O1 - Hosts: 209.212.147.138 search.yahoo.com
    // O1 - Hosts: 209.212.147.138 www.search.yahoo.com
    // O1 - Hosts: 209.212.147.138 uk.search.yahoo.com
    // O1 - Hosts: 209.212.147.138 ca.search.yahoo.com
    // O1 - Hosts: 209.212.147.138 de.search.yahoo.com
    
    
    // Security.Microsoft.Windows.RedirectedHosts(3):
    // O1 - Hosts: 91.212.127.226 winshield2009.microsoft.com
    // O1 - Hosts: 91.212.127.226 winshield2009.com
    // O1 - Hosts: 91.212.127.226 www.winshield2009.com
    
    
    // Spyware.Spynet:
    // uExplorerRun: [Policies] c:\windows\system32\winlog\Winlogon.exe
    // mExplorerRun: [Policies] c:\windows\system32\winlog\Winlogon.exe
    AutoRun:"Policies","<$SYSDIR>\winlog\Winlogon.exe","flagifnofile=1"
    // AutoRun:"HKLM","c:\windows\system32\winlog\Winlogon.exe","flagifnofile=1"
    AutoRun:"HKLM","<$SYSDIR>\winlog\Winlogon.exe","flagifnofile=1"
    // AutoRun:"HKCU","c:\windows\system32\winlog\Winlogon.exe","flagifnofile=1"
    AutoRun:"HKCU","<$SYSDIR>\winlog\Winlogon.exe","flagifnofile=1"
    RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","HKLM"
    RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","HKCU"
    File:"<$FILE_EXE>","<$SYSDIR>\winlog\Winlogon.exe"
    
    
    // Trojan.Agent(1):
    // AutoRun:"lenscrset","<$SYSDIR>\lenscrset.exe /run","flagifnofile=1"
    AutoRun:"lenscrset","<$SYSDIR>\lenscrset.exe*","flagifnofile=1"
    RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","lenscrset"
    File:"<$FILE_EXE>","<$SYSDIR>\lenscrset.exe"
    
    
    // Trojan.Agent(2):
    AutoRun:"Windows System Guard","<$APPDATA>\egun.exe","flagifnofile=1"
    RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","Windows System Guard"
    File:"<$FILE_EXE>","<$APPDATA>\egun.exe"
    
    
    // Trojan.Agent(3):
    AutoRun:"dll","<$APPDATA>\Roaming\dll\svchost.exe","flagifnofile=1"
    RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","dll"
    File:"<$FILE_EXE>","<$APPDATA>\Roaming\dll\svchost.exe"
    Directory:"<$DIR_PROG>","<$APPDATA>\Roaming\dll","filename=svchost.exe"
    AutoRun:"Microsoft Corp","<$LOCALAPPDATA>\Temp\scvhost.exe","flagifnofile=1"
    RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","Microsoft Corp"
    File:"<$FILE_EXE>","<$LOCALAPPDATA>\Temp\scvhost.exe"
    
    
    // Trojan.Agent(4):
    // See also: http://www.systemlookup.com/Startup/22388-gabpath_exe.html
    AutoRun:"GabPath","<$APPDATA>\Roaming\GabPath\gabpath.exe","flagifnofile=1"
    RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","GabPath"
    File:"<$FILE_EXE>","<$APPDATA>\Roaming\GabPath\gabpath.exe"
    Directory:"<$DIR_PROG>","<$APPDATA>\Roaming\GabPath","filename=gabpath.exe"
    
    
    // Trojan.FakeAlert.ttam(1):
    // AutoRun:"svchost","C:\Documents and Settings\Darren\Local Settings\Temp\Rar$EX00.937\svchost","flagifnofile=1"
    AutoRun:"svchost","<$LOCALSETTINGS>\Temp\*\svchost","flagifnofile=1"
    RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","svchost"
    // File:"<$FILE_EXE>","C:\Documents and Settings\Darren\Local Settings\Temp\Rar$EX00.937\svchost"
    File:"<$FILE_EXE>","<$LOCALSETTINGS>\Temp\*\svchost"
    Directory:"<$DIR_PROG>","<$LOCALSETTINGS>\Temp\*","filename=svchost"
    
    
    // Trojan.FakeAlert.ttam(2):
    // See also: http://www.systemlookup.com/Startup/22389-jnipmo_exe.html
    // The autorun name and the file name are fixed (not randomized)!
    AutoRun:"SfKg6wIPuSp","<$APPDATA>\Roaming\Microsoft\Windows\jnipmo.exe","flagifnofile=1"
    RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","SfKg6wIPuSp"
    File:"<$FILE_EXE>","<$APPDATA>\Roaming\Microsoft\Windows\jnipmo.exe"
    
    
    // Trojan.Kreeper:
    // See also: http://www.threatexpert.com/report.aspx?md5=3043dfb8ff7f21bd3be945a210e461da
    RegyKey:"<$REG_SETTINGS>",HKEY_CURRENT_USER,"\SOFTWARE\","SlysBitch"
    AutoRun:"WinDefence32","<$APPDATA>\roaming\windefence\windefence32.exe","flagifnofile=1"
    RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","WinDefence32"
    File:"<$FILE_EXE>","<$APPDATA>\roaming\windefence\windefence32.exe"
    Directory:"<$DIR_PROG>","<$APPDATA>\roaming\windefence","filename=windefence32.exe"
    
    
    // Trojan.Opachki:
    // AutoRun:"notepad","rundll32.exe C:\Users\Sornas\ntload.dll,_NtLoad@0","flagifnofile=1"
    AutoRun:"notepad","<$PROFILE>\ntload.dll*","flagifnofile=1"
    RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","notepad"
    // File:"<$FILE_EXE>","rundll32.exe C:\Users\Sornas\ntload.dll,_NtLoad@0"
    File:"<$FILE_LIBRARY>","<$PROFILE>\ntload.dll"
    
    
    // Trojan.Virtumonde:
    // AutoRun:"Oqawokiqo","rundll32.exe "c:\windows\shabdl.dll",Startup","flagifnofile=1"
    AutoRun:"*","<$WINDIR>\shabdl.dll*","flagifnofile=0"
    RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","Oqawokiqo"
    // File:"<$FILE_EXE>","rundll32.exe "c:\windows\shabdl.dll",Startup"
    File:"<$FILE_LIBRARY>","<$WINDIR>\shabdl.dll"
    
    // AutoRun:"Wnezosareve","rundll32.exe "c:\windows\ulonifij.dll",Startup","flagifnofile=1"
    AutoRun:"*","<$WINDIR>\ulonifij.dll*","flagifnofile=0"
    RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","Wnezosareve"
    // File:"<$FILE_EXE>","rundll32.exe "c:\windows\ulonifij.dll",Startup"
    File:"<$FILE_LIBRARY>","<$WINDIR>\ulonifij.dll"
    
    // AutoRun:"Gjemolaxay","rundll32.exe "c:\windows\uxibesidacibiso.dll",Startup","flagifnofile=1"
    AutoRun:"*","<$WINDIR>\uxibesidacibiso.dll*","flagifnofile=0"
    RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","Gjemolaxay"
    // File:"<$FILE_EXE>","rundll32.exe "c:\windows\uxibesidacibiso.dll",Startup"
    File:"<$FILE_LIBRARY>","<$WINDIR>\uxibesidacibiso.dll"
    
    RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\sesimuvi.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\sesimuvi.dll"
    
    RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","siruguhu.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\siruguhu.dll"
    
    RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\ramuzovi.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\ramuzovi.dll"
    
    RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\hajiruno.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\hajiruno.dll"
    
    RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","buhuzopo.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\buhuzopo.dll"
    
    RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\dpvoice32.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\dpvoice32.dll"
    
    RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","kekovate.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\kekovate.dll"
    
    RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","bojoyohuy","bojoyohuy={b3ca9d7c-00e1-4063-8a47-adf4ce3b22e6}"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\sesimuvi.dll"
    
    RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","riyireheh","riyireheh={ee02cce7-609d-4cb2-b392-29f526f67a5d}"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\ramuzovi.dll"
    
    RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","vedavozup","vedavozup={ec2d8a74-090c-4301-9444-420482dfdbad}"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\walikahe.dll"
    
    RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","jugezatag","jugezatag={b3ca9d7c-00e1-4063-8a47-adf4ce3b22e6}"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\sesimuvi.dll"
    
    RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","gahurihor","gahurihor={ee02cce7-609d-4cb2-b392-29f526f67a5d}"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\ramuzovi.dll"
    
    RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","mujuzedij","mujuzedij={ec2d8a74-090c-4301-9444-420482dfdbad}"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\walikahe.dll"
    Downloads: 0 | Rating: 5 (rated by 1 user)

  2. #2 TwistedMike (Senior Member; Canada; joined Apr 2008; 129 posts)

    In the code that you have given, it appears that the users would have to input their user name:
    Code:
    // mRun: [pdialkdu] C:\Documents and Settings\Dean Palm\Local Settings\Application Data\uiejudlxq\lofkctltssd.exe
    Wouldn't it be easier just to use %appdata%? Then you could continue with the rest of the line, \uiejudlxq\lofkctltssd.exe. It would make it smaller and make it so people could use it right away, but that's only my opinion on that.

  3. #3 Matt (Senior Member; Bavaria; joined Aug 2006; 1,169 posts)

    Quote Originally Posted by TwistedMike View Post
    ...
    Wouldn't it be easier just to use %appdata%? Then you could continue with the rest of the line, \uiejudlxq\lofkctltssd.exe. It would make it smaller and make it so people could use it right away, but that's only my opinion on that.
    I am aware of that...

    The "problem" with this kind of malware is that the folder, uiejudlxq for example, is random, as is the part lofkctl in lofkctltssd.exe.

    Without more detailed information (file size, MD5, etc.), it doesn't make much sense to create detection rules.
    As a result, I didn't create a detection rule for these, which you can see from the "//" at the beginning of those lines.

    Thank you for your well-intentioned suggestion, but I don't understand why you are replying to a post that is almost one year old.
    Best regards,

    Matt
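    Matt's point above is that the Sysguard paths in post #1 cannot be matched literally: the folder (uiejudlxq, dnncvleqo, vuposuukl, gsaogxhus) and the first seven letters of the file name are random. What the four samples do share is the shape of the path and the fixed tssd.exe suffix, and the commented-out hosts lines in the same post share one attacker IP per variant. The Python script below is an added example, not part of Matt's post and not Spybot's own rule set; it triages HijackThis-style mRun/uRun and O1 lines by that shape, flagging Run entries that fit the Sysguard pattern and hosts entries that send a host to anything other than a loopback or unspecified address. The sample lines are constructed from the ones in post #1, the regex widths (8-letter value name, 9-letter folder, 7-letter prefix) are generalised from only those four samples, and WATCHED_LABELS is a heuristic list chosen for this example; none of these come from the page.

```python
"""Triage HijackThis-style lines for two indicator families from the post:
Malware.Fraud.Sysguard Run entries and RedirectedHosts (O1) entries.
Added example; sample lines are constructed from the ones in the post."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# All four Sysguard samples: 8-letter Run value name, 9-letter random folder
# under "Local Settings\Application Data", 7 random letters + fixed "tssd.exe".
# Assumption: these widths hold for variants not shown in the post.
SYSGUARD_RE = re.compile(
    r"^(?P<hive>[mu])Run: \[(?P<value>[a-z]{8})\] "
    r"(?P<path>.*\\local settings\\application data\\"
    r"(?P<folder>[a-z]{9})\\(?P<file>[a-z]{7}tssd\.exe))\s*$",
    re.IGNORECASE,
)
# HijackThis O1 line: "O1 - Hosts: <ip> <hostname>"
HOSTS_RE = re.compile(r"^O1 - Hosts: (?P<ip>\S+) (?P<host>\S+)\s*$")

# Domain labels the redirect variants in the post target (heuristic, assumed).
WATCHED_LABELS = {"google", "google-analytics", "bing", "yahoo", "microsoft"}


@dataclass(frozen=True)
class Finding:
    family: str
    detail: str
    line: str


def check_run_entry(line: str) -> Optional[Finding]:
    """Flag a Run entry whose path has the Sysguard shape; None otherwise."""
    m = SYSGUARD_RE.match(line.strip())
    if not m:
        return None
    detail = f"{m['hive']}Run value {m['value']!r} -> {m['folder']}\\{m['file']}"
    return Finding("Malware.Fraud.Sysguard", detail, line)


def check_hosts_entry(line: str) -> Optional[Finding]:
    """Flag a hosts entry that redirects rather than sinks a name."""
    m = HOSTS_RE.match(line.strip())
    if not m:
        return None
    try:
        ip = ipaddress.ip_address(m["ip"])
    except ValueError:
        return Finding("RedirectedHosts", f"unparseable address {m['ip']!r}", line)
    # 127.0.0.1 / ::1 / 0.0.0.0 are how ad blocklists sink a host; anything
    # else sends the browser to a machine the attacker controls.
    if ip.is_loopback or ip.is_unspecified:
        return None
    host = m["host"].lower()
    watched = bool(set(host.split(".")) & WATCHED_LABELS)
    detail = f"{host} -> {ip}" + (" (search/vendor domain)" if watched else "")
    return Finding("RedirectedHosts", detail, line)


def triage(lines) -> List[Finding]:
    """Run both checks over every line and collect the hits in order."""
    findings = []
    for line in lines:
        f = check_run_entry(line) or check_hosts_entry(line)
        if f:
            findings.append(f)
    return findings


# Constructed sample: two lines from the post, one legitimate Run entry and
# one blocklist-style hosts entry that must not fire, one rogue-AV redirect.
SAMPLE_LINES = [
    r"mRun: [pdialkdu] C:\Documents and Settings\Dean Palm\Local Settings\Application Data\uiejudlxq\lofkctltssd.exe",
    r"mRun: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe",
    "O1 - Hosts: 127.0.0.1 ad.doubleclick.net",
    "O1 - Hosts: 173.236.107.243 www.google.com",
    "O1 - Hosts: 91.212.127.226 winshield2009.microsoft.com",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"{f.family}: {f.detail}")
```

    Run with python3; for the sample it reports one Sysguard entry and two hosts redirects, and stays silent on the ctfmon.exe and 127.0.0.1 lines. The Sysguard regex is deliberately anchored on the fixed suffix and the folder depth rather than on any user name, which is the property a rule format with only literal paths and wildcards cannot express cleanly.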

  4. #4 Senior Member (joined May 2010; 114 posts)

    I'd personally like to know where these OpenSBI files are and how to integrate them into Spybot - Search & Destroy.

  5. #5 PepiMK (Member of Team Spybot; Planet Earth; joined Oct 2005; 3,601 posts)

    These files are here - click the Download link below the text above (at least those SBI items that are flagged as reviewed by enough people have that link).
    Save them to the Includes\ folder within your Spybot folder, and they can be used from within Spybot (can be enabled on Filesets page).

  6. #6 Senior Member (joined May 2010; 114 posts)

    Quote Originally Posted by PepiMK View Post
    These files are here - click the Download link below the text above (at least those SBI items that are flagged as reviewed by enough people have that link).
    Save them to the Includes\ folder within your Spybot folder, and they can be used from within Spybot (can be enabled on Filesets page).
    I don't see a download link, just a set of plain-text embedded within the code tags, and for the newer OpenSBI files there is no way for me to even see them.

    I will still make text files out of the available ones and save them to my Includes directory.

  7. #7 Retired (joined Oct 2005; 566 posts)

    Hello,
    the code above posted by Matt does not have the necessary rating yet, so it is not downloadable for you.

    Did you create your own .sbi files using the editor? If so, you can upload them here and we can rate them so they become downloadable.

    regards,
    Markus

  8. #8 Senior Member (joined May 2010; 114 posts)

    Quote Originally Posted by MisterW View Post
    Hello,
    the code above posted by Matt does not have the necessary rating yet, so it is not downloadable for you.

    Did you create your own .sbi files using the editor? If so, you can upload them here and we can rate them so they become downloadable.

    regards,
    Markus
    Are there any OpenSBI files that do have the necessary rating yet? I'm down to "New Malware v93" now and I've been copy-pasting.

    I'm not creating OpenSBI files; I've just been interested in using the ones that have been submitted here, and I intend to upload a zip of them for the rest of us who'd rather not go back and copy-paste all those OpenSBI files.

  9. #9 Senior Member (joined Sep 2006; 456 posts)

    Quote Originally Posted by lewisje View Post
    Are there any OpenSBI files that do have the necessary rating yet? I'm down to "New Malware v93" now and I've been copy-pasting.
    Yes, there are some, e.g.

    http://forums.spybot.info/showthread.php?t=48837
    http://forums.spybot.info/showthread.php?t=49452

    Quote Originally Posted by lewisje View Post
    I'm not creating OpenSBI files; I've just been interested in using the ones that have been submitted here, and I intend to upload a zip of them for the rest of us who'd rather not go back and copy-paste all those OpenSBI files.
    Files should get a good rating when a user has tested or at least reviewed them. The idea is that they should not be easily downloadable otherwise. Files with a low rating are totally untested and very likely dangerous to use. So please do not ZIP them and offer them for download.

    The problem with OpenSBI is currently a lack of participation. We need more people who are willing to learn about malware and the SBI language, to write and rate SBI files, for these forums to really work as intended.

    Until now the system was mostly used by Matt. His submissions were already included in our detection rules after some corrections.

    daemon

  10. #10 Senior Member (joined May 2010; 114 posts)

    I agree: I went ahead and tested the last few ones and there were errors with several and a false positive in v108 (the ATI Catalyst Control Center).
