X-Git-Url: http://ftp.carnet.hr/carnet-debian/scm?p=ossec-hids.git;a=blobdiff_plain;f=src%2Frootcheck%2Fdb%2Fwin_malware_rcl.txt;h=03ed59446ac5697440e67be0f225205a7e69c3e1;hp=d3dc72dec7b2af534a41c85f7e00aa62afd67bd8;hb=3f728675941dc69d4e544d3a880a56240a6e394a;hpb=927951d1c1ad45ba9e7325f07d996154a91c911b
diff --git a/src/rootcheck/db/win_malware_rcl.txt b/src/rootcheck/db/win_malware_rcl.txt
index d3dc72d..03ed594 100644
--- a/src/rootcheck/db/win_malware_rcl.txt
+++ b/src/rootcheck/db/win_malware_rcl.txt
@@ -1,11 +1,8 @@
-# @(#) $Id: ./src/rootcheck/db/win_malware_rcl.txt, 2011/09/08 dcid Exp $
-
-#
-# OSSEC Windows Malware list - (C) 2007 Daniel B. Cid - dcid@ossec.net
+# OSSEC Windows Malware list - (C) 2018 OSSEC Project
 #
 # Released under the same license as OSSEC.
 # More details at the LICENSE file included with OSSEC or online
-# at: http://www.ossec.net/en/licensing.html
+# at: https://github.com/ossec/ossec-hids/blob/master/LICENSE
 #
 # [Malware name] [any or all] [reference]
 # type:;
@@ -16,34 +13,32 @@
 # - p (process running)
 #
 # Additional values:
-# For the registry , use "->" to look for a specific entry and another
-# "->" to look for the value.
+# For the registry and for directories, use "->" to look for a specific entry and another
+# "->" to look for the value.
+# Also, use " -> r:^\. -> ..." to search all files in a directory
 # For files, use "->" to look for a specific value in the file.
 #
-# # Values can be preceeded by: =: (for equal) - default
+# # Values can be preceded by: =: (for equal) - default
 # r: (for ossec regexes)
 # >: (for strcmp greater)
 # <: (for strcmp lower)
 # Multiple patterns can be specified by using " && " between them.
 # (All of them must match for it to return true).
 
-
 # http://www.iss.net/threats/ginwui.html
-[Ginwui Backdoor] [any] [http://www.iss.net/threats/ginwui.html]
+[Ginwui Backdoor {PCI_DSS: 11.4}] [any] [http://www.iss.net/threats/ginwui.html]
 f:%WINDIR%\System32\zsyhide.dll;
 f:%WINDIR%\System32\zsydll.dll;
 r:HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\zsydll;
 r:HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows -> AppInit_DLLs -> r:zsyhide.dll;
 
-
 # http://www.symantec.com/security_response/writeup.jsp?docid=2006-081312-3302-99&tabid=2
-[Wargbot Backdoor] [any] []
+[Wargbot Backdoor {PCI_DSS: 11.4}] [any] []
 f:%WINDIR%\System32\wgareg.exe;
 r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wgareg;
 
-
 # http://www.f-prot.com/virusinfo/descriptions/sober_j.html
-[Sober Worm] [any] []
+[Sober Worm {PCI_DSS: 11.4}] [any] []
 f:%WINDIR%\System32\nonzipsr.noz;
 f:%WINDIR%\System32\clonzips.ssc;
 f:%WINDIR%\System32\clsobern.isc;
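Review bot: The retitled lines `+[Wargbot Backdoor {PCI_DSS: 11.4}] [any] []` and `+[Sober Worm {PCI_DSS: 11.4}] [any] []` still leave the `[reference]` field empty even though the write-up URL sits in the comment directly above each entry, while the Ginwui line in the same hunk carries its URL in the field. Since these lines are being rewritten anyway, moving the URL into the field, e.g. `[Wargbot Backdoor {PCI_DSS: 11.4}] [any] [http://www.symantec.com/security_response/writeup.jsp?docid=2006-081312-3302-99&tabid=2]`, would keep the entries consistent and make the reference travel with the entry name rather than only with this file. The Hotword Trojan line in the next hunk and the Looked.BK Worm line in the hunk after it have the same gap. Whether the reference field is surfaced in alerts is not visible here, so this is a consistency point rather than a functional defect.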
@@ -58,9 +53,8 @@ f:%WINDIR%\System32\cvqaikxt.apk;
 f:%WINDIR%\System32\sysmms32.lla;
 f:%WINDIR%\System32\Odin-Anon.Ger;
 
-
 # http://www.symantec.com/security_response/writeup.jsp?docid=2005-042611-0148-99&tabid=2
-[Hotword Trojan] [any] []
+[Hotword Trojan {PCI_DSS: 11.4}] [any] []
 f:%WINDIR%\System32\_;
 f:%WINDIR%\System32\explore.exe;
 f:%WINDIR%\System32\ svchost.exe;
@@ -71,53 +65,45 @@ f:%WINDIR%\System32\CHJO.DRV;
 f:%WINDIR%\System32\MMSYSTEM.DLX;
 f:%WINDIR%\System32\OLECLI.DL;
 
-
-[Beagle worm] [any] []
+[Beagle worm {PCI_DSS: 11.4}] [any] []
 f:%WINDIR%\System32\winxp.exe;
 f:%WINDIR%\System32\winxp.exeopen;
 f:%WINDIR%\System32\winxp.exeopenopen;
 f:%WINDIR%\System32\winxp.exeopenopenopen;
 f:%WINDIR%\System32\winxp.exeopenopenopenopen;
 
-
 # http://symantec.com/security_response/writeup.jsp?docid=2007-071711-3132-99
-[Gpcoder Trojan] [any] [http://symantec.com/security_response/writeup.jsp?docid=2007-071711-3132-99]
+[Gpcoder Trojan {PCI_DSS: 11.4}] [any] [http://symantec.com/security_response/writeup.jsp?docid=2007-071711-3132-99]
 f:%WINDIR%\System32\ntos.exe;
 f:%WINDIR%\System32\wsnpoem;
 f:%WINDIR%\System32\wsnpoem\audio.dll;
 f:%WINDIR%\System32\wsnpoem\video.dll;
 r:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run -> userinit -> r:ntos.exe;
 
-
 # [http://www.symantec.com/security_response/writeup.jsp?docid=2006-112813-0222-99&tabid=2
-[Looked.BK Worm] [any] []
+[Looked.BK Worm {PCI_DSS: 11.4}] [any] []
 f:%WINDIR%\uninstall\rundl132.exe;
 f:%WINDIR%\Logo1_.exe;
 f:%Windir%\RichDll.dll;
 r:HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> load -> r:rundl132.exe;
 
-
-[Possible Malware - Svchost running outside system32] [all] []
+[Possible Malware - Svchost running outside system32 {PCI_DSS: 11.4}] [all] []
 p:r:svchost.exe && !%WINDIR%\System32\svchost.exe;
 f:!%WINDIR%\SysWOW64;
 
-
-[Possible Malware - Inetinfo running outside system32\inetsrv] [all] []
+[Possible Malware - Inetinfo running outside system32\inetsrv {PCI_DSS: 11.4}] [all] []
 p:r:inetinfo.exe && !%WINDIR%\System32\inetsrv\inetinfo.exe;
 f:!%WINDIR%\SysWOW64;
 
-
-[Possible Malware - Rbot/Sdbot detected] [any] []
+[Possible Malware - Rbot/Sdbot detected {PCI_DSS: 11.4}] [any] []
 f:%Windir%\System32\rdriv.sys;
 f:%Windir%\lsass.exe;
 
-
-[Possible Malware File] [any] []
+[Possible Malware File {PCI_DSS: 11.4}] [any] []
 f:%WINDIR%\utorrent.exe;
 f:%WINDIR%\System32\utorrent.exe;
 f:%WINDIR%\System32\Files32.vxd;
 
-
 # Modified /etc/hosts entries
 # Idea taken from:
 # http://blog.tenablesecurity.com/2006/12/detecting_compr.html
@@ -134,6 +120,3 @@ f:%WINDIR%\System32\Drivers\etc\HOSTS -> r:kaspersky|grisoft.com;
 f:%WINDIR%\System32\Drivers\etc\HOSTS -> r:symantecliveupdate.com;
 f:%WINDIR%\System32\Drivers\etc\HOSTS -> r:clamav.net|bitdefender.com;
 f:%WINDIR%\System32\Drivers\etc\HOSTS -> r:antivirus.com|sans.org;
-
-
-# EOF #
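Review bot: The two `[all]` entries retitled as `+[Possible Malware - Svchost running outside system32 {PCI_DSS: 11.4}] [all] []` and the Inetinfo one below it pair the process check with `f:!%WINDIR%\SysWOW64;`, and if `!` negates the match as it appears to, both checks only fire on hosts where SysWOW64 is absent, i.e. they are effectively silent on 64-bit Windows where a 32-bit svchost.exe legitimately runs from that directory. That is presumably deliberate false-positive avoidance, but nothing visible here records it, and a reader tuning these checks would not know the coverage gap; a comment above the first entry such as `# Only evaluated where SysWOW64 is absent (32-bit Windows); 64-bit hosts legitimately run svchost.exe from SysWOW64` would capture it. The header comment in the earlier hunk documents the `=:`, `r:`, `>:` and `<:` prefixes but not `!`, so a line there explaining negation would help as well.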