[rkhunter]

heard a lot of questions regarding malware that contain x64 modules on board and work fine on x32 and x64 with payload, here an idea to collect some families together;

• ZeroAccess (aka Sirefef) backdoor: ZeroAccess (alias MaxPlus, Sirefef)
• Ursnif stealer: Ursnif - New Blackhole spreading malware
• TDL 4: Rootkit TDL 4 (alias TDSS, Alureon.DX, Olmarik)
• Cidox/Mayachok.2: Trojan.Mayachok.2
• Gapz: Bootkit: Win32/Gapz
• Sinowal: Win32/Sinowal (alias Mebroot)
• Necurs: Necurs - another x64 rootkit
• PlusDriver: WinNT/Gowfi - Rootkit Banker (alias KillFiles, KillAV)
• Weelsof: Ransom Weelsof
• Winnti: Winnti backdoor
• Mediyes: WinNT/Mediyes
• Viknok: WinNT/Viknok

[EP_X0FF]

Sinowal has user mode backdoor for x64.
Necurs has a compatible driver agent for x64.
Some of Bankers with rootkit component too.
Ransom Weelsof has x64 module.
Some variants of Koobface too.

x64 modules are not really popular because old win32 code can do most of the job from wow64, except specific injects (IE) etc and having standalone version of malware in dropper increase it size plus pe32+ crypter cost. Maybe when most of browsers will be x64 we will see rise of win64 malware.

[rkhunter]

To EP_X0FF: can we pin this topic? Add link to Winnti topic to the first post, please.

[EP_X0FF]

To EP_X0FF: can we pin this topic? Add link to Winnti topic to the first post, please.

Updated and linked here http://www.kernelmode.info/forum/viewto ... =16&t=2680

[R136a1]

• Trojan:WinNT/Mediyes