Already posted it in the Wiki, but since a Wiki isn't useful to ask questions etc., I'm going to add it here as well:
Examples:Spectorsoft eBlaster 5 (Keylogger)
A detailed explanation on how one would go ahead to create this detection is available on the wiki link above; in this example we just used InCtrl5 and the OpenSBI editor.
Examples:Spectorsoft eBlaster 5 (Keylogger)
Code:
// info: OpenSBI example
// author: Patrick M. Kolla (PepiMK)
// date: 2008-05-23 (1.6)
// copyright: (c) 2008 Safer Networking Ltd. All rights reserved.
// count: 14
:: Spectorsoftware.eBlaster.5
// {Cat:Keylogger}{Cnt:1}
// {Det:patrick,2008-05-23}
[URL="http://wiki.spybot.info/index.php/RegyKey"]RegyKey[/URL]:"<$REG_CLASSID>",HKEY_CLASSES_ROOT,"\CLSID\","{2BE166ED-F16C-46de-B623-3575FD9B5D6D}"
[URL="http://wiki.spybot.info/index.php/RegyKey"]RegyKey[/URL]:"<$REG_CLASSID>",HKEY_CLASSES_ROOT,"\CLSID\","{4924E02A-C3A1-43ED-9EF2-28B8222039CC}"
[URL="http://wiki.spybot.info/index.php/RegyKey"]RegyKey[/URL]:"<$REG_CLASSID>",HKEY_CLASSES_ROOT,"\CLSID\","{8F3CA4AA-CD58-4424-8E77-C08801F1EA61}"
[URL="http://wiki.spybot.info/index.php/RegyKey"]RegyKey[/URL]:"<$REG_CLASSID>",HKEY_CLASSES_ROOT,"\CLSID\","{93AA1CB6-383A-49EF-B197-D31B4D577B90}"
[URL="http://wiki.spybot.info/index.php/RegyKey"]RegyKey[/URL]:"Hook",HKEY_CLASSES_ROOT,"\","Httpcmd","CLSID\={4924E02A-C3A1-43ED-9EF2-28B8222039CC}"
[URL="http://wiki.spybot.info/index.php/RegyKey"]RegyKey[/URL]:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{93AA1CB6-383A-49EF-B197-D31B4D577B90}"
[URL="http://wiki.spybot.info/index.php/RegyValue"]RegyValue[/URL]:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad","Proftab","Proftab={8F3CA4AA-CD58-4424-8E77-C08801F1EA61}"
[URL="http://wiki.spybot.info/index.php/File"]File[/URL]:"<$FILE_LIBRARY>","<$SYSDIR>\xmlv2.dll","[URL="http://wiki.spybot.info/index.php/Filesize"]filesize[/URL]=1052672,[URL="http://wiki.spybot.info/index.php/Md5"]md5[/URL]=A76C36A1BAA095A6D4C8A0E95582C089"
[URL="http://wiki.spybot.info/index.php/File"]File[/URL]:"<$FILE_EXE>","<$SYSDIR>\svrxp.exe","[URL="http://wiki.spybot.info/index.php/Filesize"]filesize[/URL]=1552384,[URL="http://wiki.spybot.info/index.php/Md5"]md5[/URL]=7F02BE43B8759FA66BAA347FC22DC04B,[URL="http://wiki.spybot.info/index.php/Setenv"]setenv[/URL]=eblaster5:yes"
[URL="http://wiki.spybot.info/index.php/File"]File[/URL]:"<$FILE_LIBRARY>","<$SYSDIR>\ipxstyle.dll","[URL="http://wiki.spybot.info/index.php/Filesize"]filesize[/URL]=761856,[URL="http://wiki.spybot.info/index.php/Md5"]md5[/URL]=3AEBF1E8EC43169D23B710CB69DFC807"
[URL="http://wiki.spybot.info/index.php/File"]File[/URL]:"<$FILE_LIBRARY>","<$SYSDIR>\ipnt.dll","[URL="http://wiki.spybot.info/index.php/Filesize"]filesize[/URL]=43998,[URL="http://wiki.spybot.info/index.php/Md5"]md5[/URL]=85CED0C1CE0F1367651A89E98743618E"
[URL="http://wiki.spybot.info/index.php/File"]File[/URL]:"<$FILE_LIBRARY>","<$SYSDIR>\camohcmp32.dll","[URL="http://wiki.spybot.info/index.php/Filesize"]filesize[/URL]=114578,[URL="http://wiki.spybot.info/index.php/Md5"]md5[/URL]=0C943CA64C083C6A205D71C06706B62F"
[URL="http://wiki.spybot.info/index.php/File"]File[/URL]:"<$FILE_LIBRARY>","<$SYSDIR>\calv32.dll","[URL="http://wiki.spybot.info/index.php/Filesize"]filesize[/URL]=577536,[URL="http://wiki.spybot.info/index.php/Md5"]md5[/URL]=53D9A64B4A60118915DBC96BEF49383A"
[URL="http://wiki.spybot.info/index.php/Directory"]Directory[/URL]:"<$DIR_APPDATA>","<$SYSDIR>\logmidi","[URL="http://wiki.spybot.info/index.php/Isenv"]isenv[/URL]=eblaster5"