:: Funny Stuff #1
// Revision 1
// {Cat:Test}{Cnt:1}
// {Det:jayl,2010-01-03}
//
// Detection/removal rules for several Windows threats. Each threat is a
// comment header followed by the artefacts the scanner should look for:
//   AutoRun   - a Run-key entry, given by value name and target path
//   RegyValue - the registry value that holds that entry
//   RegyKey   - a registry subkey (with the value(s) it carries)
//   RegyRemove- a fragment to strip out of an existing registry value
//   File/NTFile - the payload on disk (NTFile additionally pins size and MD5)
// Placeholders such as <$SYSDIR>, <$PROGRAMFILES>, <$LOCALSETTINGS> and the
// <$REG_*> / <$FILE_*> tags are expanded by the scanner; their expansion is
// not visible in this file.
// NOTE(review): "flagifnofile=1" is not defined here; from its name it
// presumably flags the autorun entry even when the target file is absent --
// confirm against the rule-format reference before relying on it.
//
// Malware.Fraud.MalwareDefense:
// Two persistence points, both under HKCU\...\Run: a copy in the user's
// Temp folder and a second executable under Program Files\Malware Defense.
AutoRun:"settdebugx.exe","<$LOCALSETTINGS>\Temp\settdebugx.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","settdebugx.exe"
File:"<$FILE_EXE>","<$LOCALSETTINGS>\Temp\settdebugx.exe"
// The trailing "*" on the AutoRun target (absent from the File rule below)
// presumably allows arguments after the executable name -- confirm.
AutoRun:"Malware Defense","<$PROGRAMFILES>\Malware Defense\mdefense.exe*","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","Malware Defense"
File:"<$FILE_EXE>","<$PROGRAMFILES>\Malware Defense\mdefense.exe"
// Trojan.Dwarf:
// One payload, <$SYSDIR>\install\server.exe, registered twice: once in the
// per-user Run key and once in the machine-wide Run key. The Run-key value
// names are literally "HKCU" and "HKLM".
AutoRun:"HKCU","<$SYSDIR>\install\server.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","HKCU"
File:"<$FILE_EXE>","<$SYSDIR>\install\server.exe"
AutoRun:"HKLM","<$SYSDIR>\install\server.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","HKLM"
// NOTE(review): identical to the File rule under the HKCU entry above;
// kept so each AutoRun/RegyValue pair has its own File line, but it is a
// duplicate of the same path.
File:"<$FILE_EXE>","<$SYSDIR>\install\server.exe"
// Trojan.Virtumode:
// Persistence via a Winlogon\Notify subkey whose DllName points at a DLL in
// the system directory (a logon-time DLL load point rather than a Run key).
RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\","xxyyvVnM","DllName=xxyyvVnM.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\xxyyvVnM.dll"
// Trojan.Dropper/Win-NV:
// The RegyValue line below is intentionally commented out: it would match
// the whole Winlogon "Shell" value, which also carries the legitimate
// explorer.exe entry. The active RegyRemove instead strips only the
// "nhni.goo *" fragment appended to that value, presumably so the login
// shell itself is left intact -- verify the scanner's RegyRemove semantics
// before changing this.
// RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\","Shell","Shell=explorer.exe rundll32.exe nhni.goo mgxaig"
RegyRemove:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\","Shell","nhni.goo *"
// The library is pinned by exact file size and MD5, so this rule most
// likely matches only this specific build; a modified or repacked copy of
// the file would fall through to the registry rule above.
NTFile:"<$FILE_LIBRARY>","<$SYSDIR>\nhni.goo","filesize=27648,md5=DD9E69109BDDED75E2865EC2884B482C"