A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #2767  by Alex
 Fri Sep 17, 2010 7:12 am
It looks that Symantec's FixTDSS is able to remove TDL3 - tested on Jaxryley's sample.
 #2777  by nullptr
 Sat Sep 18, 2010 7:00 am
I like how the above sample writes debug text to the drive root. (debug.txt) :lol:
1312 DllMain|module: \\?\globalroot\lhjwnnds\vltmjrsb\tdlcmd.dll version: 0.2
1312 isProcess|iexplore.exe
1312 isProcess|isBrowser: iexplore.exe TRUE
1312 ModuleAdd|tdlcmd (00260000): \\?\globalroot\lhjwnnds\vltmjrsb\tdlcmd.dll
1312 HOOKWSPStartup|start hooking 1312
1312 initsettings|botid: xxxxxxxxxxxf04a530b49a092c7d006de7e affid: 93035 socks: 0 reboots: 2 uptime: 0 version: 0.2
1312 HOOKDnsQuery_W|DnsQuery_W
1312 HOOKDnsQuery_W|DnsQuery_W
1312 CheckDomain|start CheckDomain http://www.google.com.au
1312 CheckDomain|CheckDomain(http://www.google.com.au) 0x635d7d4a
1312 _strformat|alloced: 30 printed: 25
1312 ClickerSendCheck|url: http://www.google.com.au/ ref: (null)

URL redirection in latest samples with tdlcmd v 0.2 seems a bit hit and miss. Search tdsskiller, click the kaspersky link. Sometimes it takes a couple of tries to get there.
 #2796  by EP_X0FF
 Sun Sep 19, 2010 10:57 am
Seems to be last days of TDL3 :) Shutdown is near.
 #2811  by xfoo()
 Mon Sep 20, 2010 4:47 pm
hi,

new tdl4 version appeared, 0.03 (cfg.ini)
main change is the injected code by apc,
for example after execute the \\?\globalroot\\.. string is overwritten by zeros,
so dumper won't work. Probably tdl authors read the forum too.

xfoo()
 #2815  by Fabian Wosar
 Mon Sep 20, 2010 9:39 pm
Hi guys,

Attached you find the new dropper that was mentioned a few posts above. Unfortunately the only submitted sample we got so far is in form of a dropped DLL. For convenience I have included the original sample we got as well as a reconstructed dropper (DLL file converted back to an executable). The dumped files from the encrypted storage are included as well.

If anyone wants an updated version of the dump tool please drop me a PM.

Config:
Code: Select all
[main]
version=0.03
aid=40124
sid=0
builddate=4096
rnd=179605362
[inject]
*=cmd.dll
[cmd]
srv=https://nichtadden.in/;https://91.212.226.67/;https://li1i16b0.com/;https://zz87jhfda88.com/;https://n16fa53.com/;https://01n02n4cx00.cc/;https://lj1i16b0.com/
wsrv=http://zl00zxcv1.com/;http://zloozxcv1.com/;http://71ha6dl01.com/;http://axjau710h.com/;http://rf9akjgh716zzl.com/;http://dsg1tsga64aa17.com/;http://l1i1e3e3oo8as0.com/;http://7gafd33ja90a.com/;http://n1mo661s6cx0.com/
psrv=http://clkh71yhks66.com/
version=0.14
Attachments
Password: infected
(165.87 KiB) Downloaded 102 times
 #2818  by EP_X0FF
 Tue Sep 21, 2010 12:36 am
There is no need to post analysis tools in that thread, obviously that help to bypass them.
  • 1
  • 21
  • 22
  • 23
  • 24
  • 25
  • 60