
Merge branch '2.1' into 3.0

vikman90 committed Sep 21, 2017
2 parents f6fb566 + eaace71 commit 56eb16b40b373669bd80bcdb279473931b7c060a
@@ -76,6 +76,7 @@ f:\Documents and Settings\All Users\Start Menu\Programs\kazaa;
f:\Documents and Settings\All Users\DESKTOP\Kazaa Media Desktop.lnk;
f:\Documents and Settings\All Users\DESKTOP\Kazaa Promotions.lnk;
f:%WINDIR%\System32\Cd_clint.dll;
f:%WINDIR%\Sysnative\Cd_clint.dll;
r:HKEY_LOCAL_MACHINE\SOFTWARE\KAZAA;
r:HKEY_CURRENT_USER\SOFTWARE\KAZAA;
r:HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\KAZAA;
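Review bot: The new `f:%WINDIR%\Sysnative\Cd_clint.dll;` line doubles the preceding System32 entry with no comment explaining why, and the same undocumented pairing is repeated in the SpyBuddy hunk (L17-L23), the Winpcap hunk (L24-L27) and every entry of the large malware hunk (L28-L112). A reader who does not know WOW64 will take the second line for a typo or drop one of the pair. Since the database already carries `#` comments, add one near the first such pair, e.g. `# Each path is listed twice: %WINDIR%\Sysnative is the real System32 as seen by a 32-bit agent on 64-bit Windows (whose System32 is redirected to SysWOW64); a 64-bit agent sees only the System32 entry.` As far as I can tell neither variant covers `%WINDIR%\SysWOW64` for a 64-bit agent, so 32-bit copies of these DLLs on a 64-bit host would still go unchecked — worth a sentence in the same comment if that gap is intentional.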
@@ -120,6 +121,7 @@ f:\Program Files\ExploreAnywhere\SpyBuddy\sb32mon.exe;
f:\Program Files\ExploreAnywhere\SpyBuddy;
f:\Program Files\ExploreAnywhere;
f:%WINDIR%\System32\sysicept.dll;
f:%WINDIR%\Sysnative\sysicept.dll;
r:HKEY_LOCAL_MACHINE\Software\ExploreAnywhere Software\SpyBuddy;
[Spyware - InternetOptimizer {PCI_DSS: 11.4}] [any] []
@@ -74,3 +74,4 @@ r:HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Winlogon -> AutoAdminLogon ->
[Winpcap packet filter driver found {PCI_DSS: 10.6.1}] [any] []
f:%WINDIR%\System32\drivers\npf.sys;
f:%WINDIR%\Sysnative\drivers\npf.sys;
@@ -30,56 +30,90 @@
# http://www.iss.net/threats/ginwui.html
[Ginwui Backdoor {PCI_DSS: 11.4}] [any] [http://www.iss.net/threats/ginwui.html]
f:%WINDIR%\System32\zsyhide.dll;
f:%WINDIR%\Sysnative\zsyhide.dll;
f:%WINDIR%\System32\zsydll.dll;
f:%WINDIR%\Sysnative\zsydll.dll;
r:HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\zsydll;
r:HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows -> AppInit_DLLs -> r:zsyhide.dll;
# http://www.symantec.com/security_response/writeup.jsp?docid=2006-081312-3302-99&tabid=2
[Wargbot Backdoor {PCI_DSS: 11.4}] [any] []
f:%WINDIR%\System32\wgareg.exe;
f:%WINDIR%\Sysnative\wgareg.exe;
r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wgareg;
# http://www.f-prot.com/virusinfo/descriptions/sober_j.html
[Sober Worm {PCI_DSS: 11.4}] [any] []
f:%WINDIR%\System32\nonzipsr.noz;
f:%WINDIR%\Sysnative\nonzipsr.noz;
f:%WINDIR%\System32\clonzips.ssc;
f:%WINDIR%\Sysnative\clonzips.ssc;
f:%WINDIR%\System32\clsobern.isc;
f:%WINDIR%\Sysnative\clsobern.isc;
f:%WINDIR%\System32\sb2run.dii;
f:%WINDIR%\Sysnative\sb2run.dii;
f:%WINDIR%\System32\winsend32.dal;
f:%WINDIR%\Sysnative\winsend32.dal;
f:%WINDIR%\System32\winroot64.dal;
f:%WINDIR%\Sysnative\winroot64.dal;
f:%WINDIR%\System32\zippedsr.piz;
f:%WINDIR%\Sysnative\zippedsr.piz;
f:%WINDIR%\System32\winexerun.dal;
f:%WINDIR%\Sysnative\winexerun.dal;
f:%WINDIR%\System32\winmprot.dal;
f:%WINDIR%\Sysnative\winmprot.dal;
f:%WINDIR%\System32\dgssxy.yoi;
f:%WINDIR%\Sysnative\dgssxy.yoi;
f:%WINDIR%\System32\cvqaikxt.apk;
f:%WINDIR%\Sysnative\cvqaikxt.apk;
f:%WINDIR%\System32\sysmms32.lla;
f:%WINDIR%\Sysnative\sysmms32.lla;
f:%WINDIR%\System32\Odin-Anon.Ger;
f:%WINDIR%\Sysnative\Odin-Anon.Ger;
# http://www.symantec.com/security_response/writeup.jsp?docid=2005-042611-0148-99&tabid=2
[Hotword Trojan {PCI_DSS: 11.4}] [any] []
f:%WINDIR%\System32\_;
f:%WINDIR%\Sysnative\_;
f:%WINDIR%\System32\explore.exe;
f:%WINDIR%\Sysnative\explore.exe;
f:%WINDIR%\System32\ svchost.exe;
f:%WINDIR%\Sysnative\ svchost.exe;
f:%WINDIR%\System32\mmsystem.dlx;
f:%WINDIR%\Sysnative\mmsystem.dlx;
f:%WINDIR%\System32\WINDLL-ObjectsWin*.DLX;
f:%WINDIR%\Sysnative\WINDLL-ObjectsWin*.DLX;
f:%WINDIR%\System32\CFXP.DRV;
f:%WINDIR%\Sysnative\CFXP.DRV;
f:%WINDIR%\System32\CHJO.DRV;
f:%WINDIR%\Sysnative\CHJO.DRV;
f:%WINDIR%\System32\MMSYSTEM.DLX;
f:%WINDIR%\Sysnative\MMSYSTEM.DLX;
f:%WINDIR%\System32\OLECLI.DL;
f:%WINDIR%\Sysnative\OLECLI.DL;
[Beagle worm {PCI_DSS: 11.4}] [any] []
f:%WINDIR%\System32\winxp.exe;
f:%WINDIR%\Sysnative\winxp.exe;
f:%WINDIR%\System32\winxp.exeopen;
f:%WINDIR%\Sysnative\winxp.exeopen;
f:%WINDIR%\System32\winxp.exeopenopen;
f:%WINDIR%\Sysnative\winxp.exeopenopen;
f:%WINDIR%\System32\winxp.exeopenopenopen;
f:%WINDIR%\Sysnative\winxp.exeopenopenopen;
f:%WINDIR%\System32\winxp.exeopenopenopenopen;
f:%WINDIR%\Sysnative\winxp.exeopenopenopenopen;
# http://symantec.com/security_response/writeup.jsp?docid=2007-071711-3132-99
[Gpcoder Trojan {PCI_DSS: 11.4}] [any] [http://symantec.com/security_response/writeup.jsp?docid=2007-071711-3132-99]
f:%WINDIR%\System32\ntos.exe;
f:%WINDIR%\Sysnative\ntos.exe;
f:%WINDIR%\System32\wsnpoem;
f:%WINDIR%\Sysnative\wsnpoem;
f:%WINDIR%\System32\wsnpoem\audio.dll;
f:%WINDIR%\Sysnative\wsnpoem\audio.dll;
f:%WINDIR%\System32\wsnpoem\video.dll;
f:%WINDIR%\Sysnative\wsnpoem\video.dll;
r:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run -> userinit -> r:ntos.exe;
# [http://www.symantec.com/security_response/writeup.jsp?docid=2006-112813-0222-99&tabid=2
@@ -93,18 +127,29 @@ r:HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> load -> r:rundl132.exe;
p:r:svchost.exe && !%WINDIR%\System32\svchost.exe;
f:!%WINDIR%\SysWOW64;
[Possible Malware - Svchost running outside system32 {PCI_DSS: 11.4}] [all] []
p:r:svchost.exe && !%WINDIR%\Sysnative\svchost.exe;
f:!%WINDIR%\SysWOW64;
[Possible Malware - Inetinfo running outside system32\inetsrv {PCI_DSS: 11.4}] [all] []
p:r:inetinfo.exe && !%WINDIR%\System32\inetsrv\inetinfo.exe;
f:!%WINDIR%\SysWOW64;
[Possible Malware - Inetinfo running outside system32\inetsrv {PCI_DSS: 11.4}] [all] []
p:r:inetinfo.exe && !%WINDIR%\Sysnative\inetsrv\inetinfo.exe;
f:!%WINDIR%\SysWOW64;
[Possible Malware - Rbot/Sdbot detected {PCI_DSS: 11.4}] [any] []
f:%Windir%\System32\rdriv.sys;
f:%Windir%\Sysnative\rdriv.sys;
f:%Windir%\lsass.exe;
[Possible Malware File {PCI_DSS: 11.4}] [any] []
f:%WINDIR%\utorrent.exe;
f:%WINDIR%\System32\utorrent.exe;
f:%WINDIR%\Sysnative\utorrent.exe;
f:%WINDIR%\System32\Files32.vxd;
f:%WINDIR%\Sysnative\Files32.vxd;
# Modified /etc/hosts entries
# Idea taken from:
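Review bot: The added Sysnative variants at L116-L118 and L122-L124 keep the `f:!%WINDIR%\SysWOW64;` condition from the System32 entries they copy, and under `[all]` that looks contradictory: if the negated file check means "SysWOW64 must be absent" it selects 32-bit hosts, where `%WINDIR%\Sysnative` never exists, so `p:r:svchost.exe && !%WINDIR%\Sysnative\svchost.exe` would be satisfied by every svchost.exe and the entry would fire on healthy 32-bit machines (or, if the checks are read the other way, never fire at all). I am inferring the `&&` / `!` semantics from the pattern shape, so please confirm against rootcheck's process matcher, but either way the condition set for the Sysnative entries needs a different guard than the System32 ones, for example requiring SysWOW64 to exist and excluding the legitimate `%WINDIR%\SysWOW64\svchost.exe` path if the syntax allows chaining. Independently, the new entries reuse the exact descriptions of the existing ones (`Possible Malware - Svchost running outside system32` at L116, `Possible Malware - Inetinfo running outside system32\inetsrv` at L119 and L122), so an alert cannot tell the two variants apart; naming them e.g. `… outside Sysnative (64-bit host)` would make triage and any name-based de-duplication unambiguous. The first svchost entry's header line precedes this hunk.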
@@ -113,12 +158,22 @@ f:%WINDIR%\System32\Files32.vxd;
# http://www.f-secure.com/v-descs/fantibag_b.shtml
[Anti-virus site on the hosts file] [any] []
f:%WINDIR%\System32\Drivers\etc\HOSTS -> r:avp.ch|avp.ru|nai.com;
f:%WINDIR%\Sysnative\Drivers\etc\HOSTS -> r:avp.ch|avp.ru|nai.com;
f:%WINDIR%\System32\Drivers\etc\HOSTS -> r:awaps.net|ca.com|mcafee.com;
f:%WINDIR%\Sysnative\Drivers\etc\HOSTS -> r:awaps.net|ca.com|mcafee.com;
f:%WINDIR%\System32\Drivers\etc\HOSTS -> r:microsoft.com|f-secure.com;
f:%WINDIR%\Sysnative\Drivers\etc\HOSTS -> r:microsoft.com|f-secure.com;
f:%WINDIR%\System32\Drivers\etc\HOSTS -> r:sophos.com|symantec.com;
f:%WINDIR%\Sysnative\Drivers\etc\HOSTS -> r:sophos.com|symantec.com;
f:%WINDIR%\System32\Drivers\etc\HOSTS -> r:my-etrust.com|viruslist.ru;
f:%WINDIR%\Sysnative\Drivers\etc\HOSTS -> r:my-etrust.com|viruslist.ru;
f:%WINDIR%\System32\Drivers\etc\HOSTS -> r:networkassociates.com;
f:%WINDIR%\Sysnative\Drivers\etc\HOSTS -> r:networkassociates.com;
f:%WINDIR%\System32\Drivers\etc\HOSTS -> r:kaspersky|grisoft.com;
f:%WINDIR%\Sysnative\Drivers\etc\HOSTS -> r:kaspersky|grisoft.com;
f:%WINDIR%\System32\Drivers\etc\HOSTS -> r:symantecliveupdate.com;
f:%WINDIR%\Sysnative\Drivers\etc\HOSTS -> r:symantecliveupdate.com;
f:%WINDIR%\System32\Drivers\etc\HOSTS -> r:clamav.net|bitdefender.com;
f:%WINDIR%\Sysnative\Drivers\etc\HOSTS -> r:clamav.net|bitdefender.com;
f:%WINDIR%\System32\Drivers\etc\HOSTS -> r:antivirus.com|sans.org;
f:%WINDIR%\Sysnative\Drivers\etc\HOSTS -> r:antivirus.com|sans.org;
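Review bot: The Sysnative copies of the hosts-file checks added here (L141, L143, L145, L147, L149, L151, L153, L155, L157, L159) appear to be redundant rather than complementary: Microsoft's WOW64 file system redirector documentation lists `%windir%\System32\drivers\etc` among the directories exempt from redirection, so a 32-bit agent reading `%WINDIR%\System32\Drivers\etc\HOSTS` already gets the real hosts file, while a 64-bit agent has no `Sysnative` directory at all. On a 32-bit agent both lines of each pair therefore scan the same file, which may double the alerts for a single hostile entry if rootcheck reports each matching line separately (I cannot confirm that from this page). I would drop the Sysnative lines in this hunk, or if they are kept for symmetry add `# drivers\etc is exempt from WOW64 redirection; the Sysnative line is a duplicate on 32-bit agents` above the block.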
@@ -23,7 +23,7 @@
-->
<rule id="83201" level="5">
<if_sid>18101</if_sid>
<id>104</id>
<id>^104$</id>
<description>The Internet Explorer log file was cleared</description>
<group>log_clearing_ie,</group>
</rule>
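Review bot: The move from `<id>104</id>` to `<id>^104$</id>` (and `^6005$` in the next hunk, L169-L177) is left unexplained in the rule, and nothing in the file tells a later maintainer why the anchors matter or that the same form is expected elsewhere. Since the change implies `<id>` is matched as a pattern rather than by equality, an unanchored value would also match longer ids such as 1040, so I would record that next to the rule: `<!-- <id> is a pattern match, not an equality test: anchor it so 104 does not also match 1040 or 2104 -->`. Any other unanchored numeric `<id>` values in these two rule files sit outside the hunks, so I cannot tell from this page whether they were updated too; worth a grep before merging.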
@@ -33,7 +33,7 @@
-->
<rule id="83202" level="5">
<if_sid>18101</if_sid>
<id>6005</id>
<id>^6005$</id>
<description>The Event log service was started</description>
<group>windows_log_service_started,</group>
</rule>
