[ossec-cvs] ossec-hids: rootkit_files.txt (HEAD) win_malware_rcl.txt (HEAD) [dcid]
Module name: ossec-hids
Changes by: dcid 07/08/21 21:39:34
Modified files:
rootkit_files.txt win_malware_rcl.txt
Log message:
Description: Fixing netscreen decoder, the database daemon and adding a few more entries to the policy checks/rootkit list...
Reviewed by: dcid
Bug:
Index: rootkit_files.txt
===================================================================
RCS file: /usr/cvsroot/ossec-hids/src/rootcheck/db/rootkit_files.txt,v
diff -u -r1.18 -r1.19
--- rootkit_files.txt 3 Apr 2007 22:16:00 -0000 1.18
+++ rootkit_files.txt 22 Aug 2007 00:39:34 -0000 1.19
@@ -460,6 +460,8 @@
usr/bin/snick ! Suspicious file ::rootkits/Suspicious.php
usr/bin/kfl ! Suspicious file ::rootkits/Suspicious.php
tmp/.dump ! Suspicious file ::rootkits/Suspicious.php
+var/.x ! Suspicious file ::rootkits/Suspicious.php
+var/.x/psotnic ! Suspicious file ::rootkits/Suspicious.php
*/.log ! Suspicious file ::rootkits/Suspicious.php
*/ecmf ! Suspicious file ::rootkits/Suspicious.php
*/mirkforce ! Suspicious file ::rootkits/Suspicious.php
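Review bot: the two added entries (`var/.x` and `var/.x/psotnic`) reuse the generic description "Suspicious file" and the generic `rootkits/Suspicious.php` reference, so an alert on them tells the analyst nothing beyond the path. Since the second path already names the tool it belongs to, the description field could carry that name (as the more specific entries elsewhere in this file do), which makes the alert actionable without a lookup. Also worth confirming that listing both the directory `var/.x` and the file `var/.x/psotnic` is intended: the directory entry will already fire whenever the file is present, so the pair produces two alerts for one finding.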
Index: win_malware_rcl.txt
===================================================================
RCS file: /usr/cvsroot/ossec-hids/src/rootcheck/db/win_malware_rcl.txt,v
diff -u -r1.1 -r1.2
--- win_malware_rcl.txt 21 Jul 2007 21:53:46 -0000 1.1
+++ win_malware_rcl.txt 22 Aug 2007 00:39:34 -0000 1.2
@@ -80,6 +80,15 @@
f:%WINDIR%\System32\winxp.exeopenopenopenopen;
+# http://symantec.com/security_response/writeup.jsp?docid=2007-071711-3132-99
+[Gpcoder Trojan] [any] [http://symantec.com/security_response/writeup.jsp?docid=2007-071711-3132-99]
+f:%WINDIR%\System32\ntos.exe;
+f:%WINDIR%\System32\wsnpoem;
+f:%WINDIR%\System32\wsnpoem\audio.dll;
+f:%WINDIR%\System32\wsnpoem\video.dll;
+r:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run -> userinit -> r:ntos.exe;
+
+
# [http://www.symantec.com/security_response/writeup.jsp?docid=2006-112813-0222-99&tabid=2
[Looked.BK Worm] [any] []
f:%WINDIR%\uninstall\rundl132.exe;
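Review bot: the Symantec URL appears twice in this block, once in the `#` comment line and once in the bracketed reference of the `[Gpcoder Trojan] [any] [...]` header; the bracketed reference is the one that is surfaced with the alert, so the comment line is redundant (the Looked.BK entry below has the opposite problem, an empty `[]` reference, which would be the better thing to fix for consistency). On the registry check `r:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run -> userinit -> r:ntos.exe;`: if the agent performing rootcheck runs as a service under the system account, `HKEY_CURRENT_USER` resolves to that account's hive rather than the logged-on user's, so this check may never see the Run value on an infected host; worth documenting that limitation next to the entry or pairing it with a check under a hive the scan does see. Two minor points: the block ends with two blank lines where one separates the other entries, and the unchanged context line immediately above the new block, `f:%WINDIR%\System32\winxp.exeopenopenopenopen;`, looks like a corrupted entry that deserves a follow-up fix.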
OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.