Thanks. This is an unusual SpyEye-like bot.
It stores itself under the %Program Files% folder and runs through the autostart folder in the Start menu. The bot payload DLL, named "hooker.dll", is injected into the memory of running processes.
When started, the bot spawned two IE copies, and Windows Firewall blocked their activity.
Stuff from hooker.dll:
{%08X-%04X-%04X-%04X-%08X%04X} ntdll.dll NtShutdownSystem kernel32.dll GetNativeSystemInfo
GetProductInfo SeDebugPrivilege SeShutdownPrivilege SeBackupPrivilege SeRestorePrivilege PROCESSOR_IDENTIFIER
HARDWARE\DESCRIPTION\System SOFTWARE\Microsoft\Windows\CurrentVersion SystemBiosVersion ProductId :///:
POSTGETHTTP/*.*
Host:{*}
Referer:{*}
/GET /%s HTTP/1.1
Host: %s
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Accept: text/html, application/xml;q=0.9, application/xhtml+xml;q=0.9, image/png, image/jpeg, image/gif, image/x-xbitmap, *\*;q=0.1
Accept-Charset: utf-8, utf-16, iso-8859-1;q=0.6, *;q=0.1
Pragma: no-cache
Connection: close
HTTP/1.x 301 Moved Permanently
Server: Apache/2.2.14
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: max-age=0
Pragma: no-cache
Connection: Keep-Alive
Content-Type: text/html
Location: Date: Last-Modified: ddd',' dd MMM yyyy hh':'mm':'ss GMT ntdll.dll ZwQuerySystemInformation
ZwQueryInformationProcess ZwQueryInformationThread LdrLoadDll LdrGetDllHandle LdrGetProcedureAddress
RtlInitUnicodeString RtlUnicodeStringToAnsiString RtlFreeAnsiString RtlInitString RtlAnsiStringToUnicodeString
RtlFreeUnicodeString ZwQueueApcThread ZwTerminateProcess ZwResumeThread ZwProtectVirtualMemory
RtlCreateUserThread ZwClose kernel32.dll ExitThread ExitProcess r e p l a c e k e y w o r d s r e f e r e r u r l
b l a c k l i s t w h i t e l i s t d n s c h a n g e r a l l u n i q A S C I I U T F 8 U N I C O D E { k e y w o r d } < * >
ntdll.dll LdrLoadDll ZwQueryDirectoryFile dnsapi.dll DnsQuery_A DnsQuery_W DnsQuery_UTF8 ws2_32.dll send
sendto recv recvfrom WSASend WSASendTo WSARecv WSARecvFrom closesocket {4F6F3382-2928-8E14-74D2-1A9D1CD12BCC}
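For detection, the fixed GET template in the strings above can be matched against requests seen at a proxy or in a capture. The sketch below is an added example, not part of the original post or of the bot's code: it flags a request whose headers follow the template in order and value. The function names, the "partial" threshold of three headers and the sample requests are assumptions made for illustration, and the User-Agent on its own is also what a real IE6 on XP sends, so the check relies on the combination.

```python
# Fixed headers from the hooker.dll strings dump, in template order. The Accept
# value is kept exactly as the dump shows it, including the "*\*" token.
TEMPLATE = [
    ("User-Agent", "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"),
    ("Accept", "text/html, application/xml;q=0.9, application/xhtml+xml;q=0.9, "
               "image/png, image/jpeg, image/gif, image/x-xbitmap, *\\*;q=0.1"),
    ("Accept-Charset", "utf-8, utf-16, iso-8859-1;q=0.6, *;q=0.1"),
    ("Pragma", "no-cache"),
    ("Connection", "close"),
]

def parse_request(raw):
    """Split a raw request head into (method, version, [(name, value), ...])."""
    lines = raw.replace("\r\n", "\n").split("\n\n", 1)[0].split("\n")
    parts = lines[0].split()
    if len(parts) != 3:
        raise ValueError("malformed request line")
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip(), value.strip()))
    return parts[0], parts[2], headers

def match_template(raw):
    """Return ("exact" | "partial" | "none", matched template header names)."""
    try:
        method, version, headers = parse_request(raw)
    except ValueError:
        return "none", []
    matched = [name for name, value in TEMPLATE if (name, value) in headers]
    # exact: GET over HTTP/1.1, Host first, then the template headers, in order
    exact = (method == "GET" and version == "HTTP/1.1"
             and headers[:1] and headers[0][0] == "Host"
             and headers[1:] == TEMPLATE)
    if exact:
        return "exact", matched
    return ("partial" if len(matched) >= 3 else "none"), matched

# Constructed sample requests (not captured traffic); example.test is a placeholder.
BOT_LIKE = ("GET /index.php HTTP/1.1\r\nHost: example.test\r\n"
            + "".join(f"{n}: {v}\r\n" for n, v in TEMPLATE) + "\r\n")
BROWSER = ("GET / HTTP/1.1\r\nHost: example.test\r\n"
           "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)\r\n"
           "Accept: text/html,*/*;q=0.8\r\nConnection: keep-alive\r\n\r\n")

if __name__ == "__main__":
    for label, req in (("bot-like", BOT_LIKE), ("browser", BROWSER)):
        print(label, match_template(req))
```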