new upstream release (3.3.0); modify package compatibility for Stretch
1 # OSSEC Windows Malware list - (C) 2018 OSSEC Project
2 #
3 # Released under the same license as OSSEC.
4 # More details at the LICENSE file included with OSSEC or online
5 # at: https://github.com/ossec/ossec-hids/blob/master/LICENSE
6 #
7 # [Malware name] [any or all] [reference]
8 # type:<entry name>;
9 #
10 # Type can be:
11 #             - f (for file or directory)
12 #             - r (registry entry)
13 #             - p (process running)
14 #
15 # Additional values:
16 # For the registry and for directories, use "->" to look for a specific entry and another
17 # "->" to look for the value.
18 # Also, use " -> r:^\. -> ..." to search all files in a directory
19 # For files, use "->" to look for a specific value in the file.
20 #
21 # Values can be preceded by: =: (for equal) - default
22 #                            r: (for ossec regexes)
23 #                            >: (for strcmp greater)
24 #                            <: (for strcmp lower)
25 # Multiple patterns can be specified by using " && " between them.
26 # (All of them must match for it to return true). A value prefixed with "!" is negated, i.e. it matches when the entry does not match or does not exist; the svchost and inetinfo checks below rely on this, and their "f:!%WINDIR%\SysWOW64;" line restricts those [all] checks to hosts that have no SysWOW64 directory.
27
28 # http://www.iss.net/threats/ginwui.html
29 [Ginwui Backdoor {PCI_DSS: 11.4}] [any] [http://www.iss.net/threats/ginwui.html]
30 f:%WINDIR%\System32\zsyhide.dll;
31 f:%WINDIR%\System32\zsydll.dll;
32 r:HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\zsydll;
33 r:HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows -> AppInit_DLLs -> r:zsyhide.dll;
34
35 # http://www.symantec.com/security_response/writeup.jsp?docid=2006-081312-3302-99&tabid=2
36 [Wargbot Backdoor {PCI_DSS: 11.4}] [any] []
37 f:%WINDIR%\System32\wgareg.exe;
38 r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wgareg;
39
40 # http://www.f-prot.com/virusinfo/descriptions/sober_j.html
41 [Sober Worm {PCI_DSS: 11.4}] [any] []
42 f:%WINDIR%\System32\nonzipsr.noz;
43 f:%WINDIR%\System32\clonzips.ssc;
44 f:%WINDIR%\System32\clsobern.isc;
45 f:%WINDIR%\System32\sb2run.dii;
46 f:%WINDIR%\System32\winsend32.dal;
47 f:%WINDIR%\System32\winroot64.dal;
48 f:%WINDIR%\System32\zippedsr.piz;
49 f:%WINDIR%\System32\winexerun.dal;
50 f:%WINDIR%\System32\winmprot.dal;
51 f:%WINDIR%\System32\dgssxy.yoi;
52 f:%WINDIR%\System32\cvqaikxt.apk;
53 f:%WINDIR%\System32\sysmms32.lla;
54 f:%WINDIR%\System32\Odin-Anon.Ger;
55
56 # http://www.symantec.com/security_response/writeup.jsp?docid=2005-042611-0148-99&tabid=2
57 [Hotword Trojan {PCI_DSS: 11.4}] [any] []
58 f:%WINDIR%\System32\_;
59 f:%WINDIR%\System32\explore.exe;
60 f:%WINDIR%\System32\ svchost.exe;
61 f:%WINDIR%\System32\mmsystem.dlx;
62 f:%WINDIR%\System32\WINDLL-ObjectsWin*.DLX;
63 f:%WINDIR%\System32\CFXP.DRV;
64 f:%WINDIR%\System32\CHJO.DRV;
65 f:%WINDIR%\System32\MMSYSTEM.DLX;
66 f:%WINDIR%\System32\OLECLI.DL;
67
68 [Beagle worm {PCI_DSS: 11.4}] [any] []
69 f:%WINDIR%\System32\winxp.exe;
70 f:%WINDIR%\System32\winxp.exeopen;
71 f:%WINDIR%\System32\winxp.exeopenopen;
72 f:%WINDIR%\System32\winxp.exeopenopenopen;
73 f:%WINDIR%\System32\winxp.exeopenopenopenopen;
74
75 # http://symantec.com/security_response/writeup.jsp?docid=2007-071711-3132-99
76 [Gpcoder Trojan {PCI_DSS: 11.4}] [any] [http://symantec.com/security_response/writeup.jsp?docid=2007-071711-3132-99]
77 f:%WINDIR%\System32\ntos.exe;
78 f:%WINDIR%\System32\wsnpoem;
79 f:%WINDIR%\System32\wsnpoem\audio.dll;
80 f:%WINDIR%\System32\wsnpoem\video.dll;
81 r:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run -> userinit -> r:ntos.exe;
82
83 # http://www.symantec.com/security_response/writeup.jsp?docid=2006-112813-0222-99&tabid=2
84 [Looked.BK Worm {PCI_DSS: 11.4}] [any] []
85 f:%WINDIR%\uninstall\rundl132.exe;
86 f:%WINDIR%\Logo1_.exe;
87 f:%Windir%\RichDll.dll;
88 r:HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> load -> r:rundl132.exe;
89
90 [Possible Malware - Svchost running outside system32 {PCI_DSS: 11.4}] [all] []
91 p:r:svchost.exe && !%WINDIR%\System32\svchost.exe;
92 f:!%WINDIR%\SysWOW64;
93
94 [Possible Malware - Inetinfo running outside system32\inetsrv {PCI_DSS: 11.4}] [all] []
95 p:r:inetinfo.exe && !%WINDIR%\System32\inetsrv\inetinfo.exe;
96 f:!%WINDIR%\SysWOW64;
97
98 [Possible Malware - Rbot/Sdbot detected {PCI_DSS: 11.4}] [any] []
99 f:%Windir%\System32\rdriv.sys;
100 f:%Windir%\lsass.exe;
101
102 [Possible Malware File {PCI_DSS: 11.4}] [any] []
103 f:%WINDIR%\utorrent.exe;
104 f:%WINDIR%\System32\utorrent.exe;
105 f:%WINDIR%\System32\Files32.vxd;
106
107 # Modified /etc/hosts entries
108 # Idea taken from:
109 # http://blog.tenablesecurity.com/2006/12/detecting_compr.html
110 # http://www.sophos.com/security/analyses/trojbagledll.html
111 # http://www.f-secure.com/v-descs/fantibag_b.shtml
112 [Anti-virus site on the hosts file] [any] []
113 f:%WINDIR%\System32\Drivers\etc\HOSTS -> r:avp.ch|avp.ru|nai.com;
114 f:%WINDIR%\System32\Drivers\etc\HOSTS -> r:awaps.net|ca.com|mcafee.com;
115 f:%WINDIR%\System32\Drivers\etc\HOSTS -> r:microsoft.com|f-secure.com;
116 f:%WINDIR%\System32\Drivers\etc\HOSTS -> r:sophos.com|symantec.com;
117 f:%WINDIR%\System32\Drivers\etc\HOSTS -> r:my-etrust.com|viruslist.ru;
118 f:%WINDIR%\System32\Drivers\etc\HOSTS -> r:networkassociates.com;
119 f:%WINDIR%\System32\Drivers\etc\HOSTS -> r:kaspersky|grisoft.com;
120 f:%WINDIR%\System32\Drivers\etc\HOSTS -> r:symantecliveupdate.com;
121 f:%WINDIR%\System32\Drivers\etc\HOSTS -> r:clamav.net|bitdefender.com;
122 f:%WINDIR%\System32\Drivers\etc\HOSTS -> r:antivirus.com|sans.org;