# @(#) $Id: ./src/rootcheck/db/win_malware_rcl.txt, 2011/09/08 dcid Exp $

#
# OSSEC Windows Malware list - (C) 2007 Daniel B. Cid - dcid@ossec.net
#
# Released under the same license as OSSEC.
# More details at the LICENSE file included with OSSEC or online
# at: http://www.ossec.net/en/licensing.html
#
# [Malware name] [any or all] [reference]
# type:<entry name>;
#
# Type can be:
#             - f (for file or directory)
#             - r (registry entry)
#             - p (process running)
#
# Additional values:
# For the registry , use "->" to look for a specific entry and another
# "->" to look for the value. 
# For files, use "->" to look for a specific value in the file.
#
# # Values can be preceeded by: =: (for equal) - default
#                               r: (for ossec regexes)
#                               >: (for strcmp greater)
#                               <: (for strcmp  lower)
# Multiple patterns can be specified by using " && " between them.
# (All of them must match for it to return true).


# http://www.iss.net/threats/ginwui.html
[Ginwui Backdoor] [any] [http://www.iss.net/threats/ginwui.html]
f:%WINDIR%\System32\zsyhide.dll;
f:%WINDIR%\System32\zsydll.dll;
r:HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\zsydll;
r:HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows -> AppInit_DLLs -> r:zsyhide.dll;


# http://www.symantec.com/security_response/writeup.jsp?docid=2006-081312-3302-99&tabid=2
[Wargbot Backdoor] [any] []
f:%WINDIR%\System32\wgareg.exe;
r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wgareg;


# http://www.f-prot.com/virusinfo/descriptions/sober_j.html
[Sober Worm] [any] []
f:%WINDIR%\System32\nonzipsr.noz;
f:%WINDIR%\System32\clonzips.ssc;
f:%WINDIR%\System32\clsobern.isc;
f:%WINDIR%\System32\sb2run.dii;
f:%WINDIR%\System32\winsend32.dal;
f:%WINDIR%\System32\winroot64.dal;
f:%WINDIR%\System32\zippedsr.piz;
f:%WINDIR%\System32\winexerun.dal;
f:%WINDIR%\System32\winmprot.dal;
f:%WINDIR%\System32\dgssxy.yoi;
f:%WINDIR%\System32\cvqaikxt.apk;
f:%WINDIR%\System32\sysmms32.lla;
f:%WINDIR%\System32\Odin-Anon.Ger;


# http://www.symantec.com/security_response/writeup.jsp?docid=2005-042611-0148-99&tabid=2
[Hotword Trojan] [any] []
f:%WINDIR%\System32\_;
f:%WINDIR%\System32\explore.exe;
f:%WINDIR%\System32\ svchost.exe;
f:%WINDIR%\System32\mmsystem.dlx;
f:%WINDIR%\System32\WINDLL-ObjectsWin*.DLX;
f:%WINDIR%\System32\CFXP.DRV;
f:%WINDIR%\System32\CHJO.DRV;
f:%WINDIR%\System32\MMSYSTEM.DLX;
f:%WINDIR%\System32\OLECLI.DL;


[Beagle worm] [any] []
f:%WINDIR%\System32\winxp.exe;
f:%WINDIR%\System32\winxp.exeopen;
f:%WINDIR%\System32\winxp.exeopenopen;
f:%WINDIR%\System32\winxp.exeopenopenopen;
f:%WINDIR%\System32\winxp.exeopenopenopenopen;


# http://symantec.com/security_response/writeup.jsp?docid=2007-071711-3132-99
[Gpcoder Trojan] [any] [http://symantec.com/security_response/writeup.jsp?docid=2007-071711-3132-99]
f:%WINDIR%\System32\ntos.exe;
f:%WINDIR%\System32\wsnpoem;
f:%WINDIR%\System32\wsnpoem\audio.dll;
f:%WINDIR%\System32\wsnpoem\video.dll;
r:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run -> userinit -> r:ntos.exe;


# [http://www.symantec.com/security_response/writeup.jsp?docid=2006-112813-0222-99&tabid=2
[Looked.BK Worm] [any] []
f:%WINDIR%\uninstall\rundl132.exe;
f:%WINDIR%\Logo1_.exe;
f:%Windir%\RichDll.dll;
r:HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> load -> r:rundl132.exe;


[Possible Malware - Svchost running outside system32] [all] []
p:r:svchost.exe && !%WINDIR%\System32\svchost.exe;
f:!%WINDIR%\SysWOW64;


[Possible Malware - Inetinfo running outside system32\inetsrv] [all] []
p:r:inetinfo.exe && !%WINDIR%\System32\inetsrv\inetinfo.exe;
f:!%WINDIR%\SysWOW64;


[Possible Malware - Rbot/Sdbot detected] [any] []
f:%Windir%\System32\rdriv.sys;
f:%Windir%\lsass.exe;


[Possible Malware File] [any] []
f:%WINDIR%\utorrent.exe;
f:%WINDIR%\System32\utorrent.exe;
f:%WINDIR%\System32\Files32.vxd;


# Modified /etc/hosts entries
# Idea taken from:
# http://blog.tenablesecurity.com/2006/12/detecting_compr.html
# http://www.sophos.com/security/analyses/trojbagledll.html
# http://www.f-secure.com/v-descs/fantibag_b.shtml
[Anti-virus site on the hosts file] [any] []
f:%WINDIR%\System32\Drivers\etc\HOSTS -> r:avp.ch|avp.ru|nai.com;
f:%WINDIR%\System32\Drivers\etc\HOSTS -> r:awaps.net|ca.com|mcafee.com;
f:%WINDIR%\System32\Drivers\etc\HOSTS -> r:microsoft.com|f-secure.com;
f:%WINDIR%\System32\Drivers\etc\HOSTS -> r:sophos.com|symantec.com;
f:%WINDIR%\System32\Drivers\etc\HOSTS -> r:my-etrust.com|viruslist.ru;
f:%WINDIR%\System32\Drivers\etc\HOSTS -> r:networkassociates.com;
f:%WINDIR%\System32\Drivers\etc\HOSTS -> r:kaspersky|grisoft.com;
f:%WINDIR%\System32\Drivers\etc\HOSTS -> r:symantecliveupdate.com;
f:%WINDIR%\System32\Drivers\etc\HOSTS -> r:clamav.net|bitdefender.com;
f:%WINDIR%\System32\Drivers\etc\HOSTS -> r:antivirus.com|sans.org;


# EOF #