projects / ossec-hids.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
new upstream release (3.3.0); modify package compatibility for Stretch
[ossec-hids.git] / src / rootcheck / db / win_malware_rcl.txt
diff --git a/src/rootcheck/db/win_malware_rcl.txt b/src/rootcheck/db/win_malware_rcl.txt
index d3dc72d..03ed594 100644 (file)
--- a/src/rootcheck/db/win_malware_rcl.txt
+++ b/src/rootcheck/db/win_malware_rcl.txt
@@ -1,11 +1,8 @@
-# @(#) $Id: ./src/rootcheck/db/win_malware_rcl.txt, 2011/09/08 dcid Exp $
-
-#
-# OSSEC Windows Malware list - (C) 2007 Daniel B. Cid - dcid@ossec.net
+# OSSEC Windows Malware list - (C) 2018 OSSEC Project
 #
 # Released under the same license as OSSEC.
 # More details at the LICENSE file included with OSSEC or online
-# at: http://www.ossec.net/en/licensing.html
+# at: https://github.com/ossec/ossec-hids/blob/master/LICENSE
 #
 # [Malware name] [any or all] [reference]
 # type:<entry name>;
@@ -16,34 +13,32 @@
 #             - p (process running)
 #
 # Additional values:
-# For the registry , use "->" to look for a specific entry and another
-# "->" to look for the value. 
+# For the registry and for directories, use "->" to look for a specific entry and another
+# "->" to look for the value.
+# Also, use " -> r:^\. -> ..." to search all files in a directory
 # For files, use "->" to look for a specific value in the file.
 #
-# # Values can be preceeded by: =: (for equal) - default
+# # Values can be preceded by: =: (for equal) - default
 #                               r: (for ossec regexes)
 #                               >: (for strcmp greater)
 #                               <: (for strcmp  lower)
 # Multiple patterns can be specified by using " && " between them.
 # (All of them must match for it to return true).
 
-
 # http://www.iss.net/threats/ginwui.html
-[Ginwui Backdoor] [any] [http://www.iss.net/threats/ginwui.html]
+[Ginwui Backdoor {PCI_DSS: 11.4}] [any] [http://www.iss.net/threats/ginwui.html]
 f:%WINDIR%\System32\zsyhide.dll;
 f:%WINDIR%\System32\zsydll.dll;
 r:HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\zsydll;
 r:HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows -> AppInit_DLLs -> r:zsyhide.dll;
 
-
 # http://www.symantec.com/security_response/writeup.jsp?docid=2006-081312-3302-99&tabid=2
-[Wargbot Backdoor] [any] []
+[Wargbot Backdoor {PCI_DSS: 11.4}] [any] []
 f:%WINDIR%\System32\wgareg.exe;
 r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wgareg;
 
-
 # http://www.f-prot.com/virusinfo/descriptions/sober_j.html
-[Sober Worm] [any] []
+[Sober Worm {PCI_DSS: 11.4}] [any] []
 f:%WINDIR%\System32\nonzipsr.noz;
 f:%WINDIR%\System32\clonzips.ssc;
 f:%WINDIR%\System32\clsobern.isc;
@@ -58,9 +53,8 @@ f:%WINDIR%\System32\cvqaikxt.apk;
 f:%WINDIR%\System32\sysmms32.lla;
 f:%WINDIR%\System32\Odin-Anon.Ger;
 
-
 # http://www.symantec.com/security_response/writeup.jsp?docid=2005-042611-0148-99&tabid=2
-[Hotword Trojan] [any] []
+[Hotword Trojan {PCI_DSS: 11.4}] [any] []
 f:%WINDIR%\System32\_;
 f:%WINDIR%\System32\explore.exe;
 f:%WINDIR%\System32\ svchost.exe;
@@ -71,53 +65,45 @@ f:%WINDIR%\System32\CHJO.DRV;
 f:%WINDIR%\System32\MMSYSTEM.DLX;
 f:%WINDIR%\System32\OLECLI.DL;
 
-
-[Beagle worm] [any] []
+[Beagle worm {PCI_DSS: 11.4}] [any] []
 f:%WINDIR%\System32\winxp.exe;
 f:%WINDIR%\System32\winxp.exeopen;
 f:%WINDIR%\System32\winxp.exeopenopen;
 f:%WINDIR%\System32\winxp.exeopenopenopen;
 f:%WINDIR%\System32\winxp.exeopenopenopenopen;
 
-
 # http://symantec.com/security_response/writeup.jsp?docid=2007-071711-3132-99
-[Gpcoder Trojan] [any] [http://symantec.com/security_response/writeup.jsp?docid=2007-071711-3132-99]
+[Gpcoder Trojan {PCI_DSS: 11.4}] [any] [http://symantec.com/security_response/writeup.jsp?docid=2007-071711-3132-99]
 f:%WINDIR%\System32\ntos.exe;
 f:%WINDIR%\System32\wsnpoem;
 f:%WINDIR%\System32\wsnpoem\audio.dll;
 f:%WINDIR%\System32\wsnpoem\video.dll;
 r:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run -> userinit -> r:ntos.exe;
 
-
 # [http://www.symantec.com/security_response/writeup.jsp?docid=2006-112813-0222-99&tabid=2
-[Looked.BK Worm] [any] []
+[Looked.BK Worm {PCI_DSS: 11.4}] [any] []
 f:%WINDIR%\uninstall\rundl132.exe;
 f:%WINDIR%\Logo1_.exe;
 f:%Windir%\RichDll.dll;
 r:HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> load -> r:rundl132.exe;
 
-
-[Possible Malware - Svchost running outside system32] [all] []
+[Possible Malware - Svchost running outside system32 {PCI_DSS: 11.4}] [all] []
 p:r:svchost.exe && !%WINDIR%\System32\svchost.exe;
 f:!%WINDIR%\SysWOW64;
 
-
-[Possible Malware - Inetinfo running outside system32\inetsrv] [all] []
+[Possible Malware - Inetinfo running outside system32\inetsrv {PCI_DSS: 11.4}] [all] []
 p:r:inetinfo.exe && !%WINDIR%\System32\inetsrv\inetinfo.exe;
 f:!%WINDIR%\SysWOW64;
 
-
-[Possible Malware - Rbot/Sdbot detected] [any] []
+[Possible Malware - Rbot/Sdbot detected {PCI_DSS: 11.4}] [any] []
 f:%Windir%\System32\rdriv.sys;
 f:%Windir%\lsass.exe;
 
-
-[Possible Malware File] [any] []
+[Possible Malware File {PCI_DSS: 11.4}] [any] []
 f:%WINDIR%\utorrent.exe;
 f:%WINDIR%\System32\utorrent.exe;
 f:%WINDIR%\System32\Files32.vxd;
 
-
 # Modified /etc/hosts entries
 # Idea taken from:
 # http://blog.tenablesecurity.com/2006/12/detecting_compr.html
@@ -134,6 +120,3 @@ f:%WINDIR%\System32\Drivers\etc\HOSTS -> r:kaspersky|grisoft.com;
 f:%WINDIR%\System32\Drivers\etc\HOSTS -> r:symantecliveupdate.com;
 f:%WINDIR%\System32\Drivers\etc\HOSTS -> r:clamav.net|bitdefender.com;
 f:%WINDIR%\System32\Drivers\etc\HOSTS -> r:antivirus.com|sans.org;
-
-
-# EOF #
ossec-hids