A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #3165  by Blur
 Wed Oct 20, 2010 7:20 pm
No, in my tests the conflict was in BCD relationships. Some crack (I don't remember its name; I renamed it to win7crack years ago) with a green star icon removed the parent BCD from the default boot entry, so it does not inherit TDL's patched entry. This leads to the "kdcom 0xc0000427" error (or just system recovery in the case of Win7).
 #3180  by EP_X0FF
 Fri Oct 22, 2010 5:03 am
Posts related to newly discovered Black Energy 2+ rootkit moved to dedicated thread.
 #3193  by EP_X0FF
 Fri Oct 22, 2010 5:31 pm
Posts related to Fake AV moved to dedicated thread.

If you are unsure what kind of malware you have, please create a standalone topic about it. There is no need to heap requests into the TDL thread.
 #3217  by PX5
 Mon Oct 25, 2010 12:44 pm
Have been off on vacation for a while; seems I've missed a few things. :(

Have yet to ID this dropper as it was all a mess from the get-go.
 #3232  by nullptr
 Wed Oct 27, 2010 2:35 am
Just got this with a fake AV - av8
http://virusscan.jotti.org/en/scanresul ... 0eb36df752 - 0/19
VT still getting hammered.
"We should have shotguns for this kind of deal" :lol: Pulp Fiction
[main]
version=0.03
aid=00136
sid=0
builddate=4096
rnd=0003962763
[inject]
*=cmd.dll
* (x64)=cmd64.dll
[cmd]
srv=hxxps://kangojim1.com/;hxxps://lkaturi71.com/;hxxps://rukkeianno.in/;hxxps://neywrika.in/;hxxps://86b6b6b6.com/
wsrv=hxxp://rudolfdisney.com/;hxxp://crozybanner.com/;hxxp://imagemonstar.com/;hxxp://funimgpixson.com/;hxxp://bunnylandisney.com/
psrv=hxxp://cri71ki813ck.com/
version=0.11
password: malware
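As an added example (not code from the post), here is a small parser for the config dump above that pulls the C&C host lists out of the [cmd] section for DNS/proxy blocklisting; the sample is the posted config cut down to two hosts per list, and the parser layout and function names are my own assumptions about the format.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: the config quoted in the post above, cut to two hosts
# per list. Layout is as posted: INI-like sections, ';'-separated URL lists,
# schemes defanged as hxxp/hxxps.
SAMPLE_CONFIG = """\
[main]
version=0.03
aid=00136
sid=0
[inject]
*=cmd.dll
* (x64)=cmd64.dll
[cmd]
srv=hxxps://kangojim1.com/;hxxps://lkaturi71.com/
wsrv=hxxp://rudolfdisney.com/;hxxp://crozybanner.com/
psrv=hxxp://cri71ki813ck.com/
version=0.11
"""

def parse_tdl_config(text):
    """Parse the dump into {section: {key: value}}, keys kept verbatim."""
    # A hand parser rather than configparser: keys like '* (x64)' must not be
    # lowercased, and only the first '=' may split a line (URLs contain ':').
    sections, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = {}
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip()] = value.strip()
    return sections

def refang(url):
    """Undo hxxp/hxxps defanging so urlsplit recognises the scheme."""
    return re.sub(r"^hxxp", "http", url, count=1)

def c2_inventory(cfg):
    """Hostnames per C&C role (srv/wsrv/psrv) from the [cmd] section."""
    cmd = cfg.get("cmd", {})
    return {role: [urlsplit(refang(u)).hostname
                   for u in cmd.get(role, "").split(";") if u]
            for role in ("srv", "wsrv", "psrv")}

def blocklist(cfg):
    """Flat, de-duplicated, sorted domain list for DNS/proxy blocking."""
    return sorted({h for hosts in c2_inventory(cfg).values() for h in hosts})
```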
 #3267  by GamingMasteR
 Sat Oct 30, 2010 11:52 pm
Nice article in Hakin9 magazine focusing on TDSS:
In this series of two articles we will uncover the hidden mechanisms of the biggest botnet known so far: the TDSS botnet.
This first article of the series tells the real story of breaking into the botnet, from scratch to root, which had to be done in order to gain access to private management scripts. A lot of details are revealed in this part:
• The malware distribution campaign web scripts, vulnerabilities, and database
• The botnet’s network protocol encryption algorithm
• SQL vulnerabilities on the C&C server
• The botnet’s HTTP gateway configuration
• The control panel configuration
• And more.
http://hakin9.org/magazine/1544-spyware ... s-watching
 #3389  by gjf
 Tue Nov 09, 2010 9:14 am
According to Kaspersky Lab, from now on all their products from WKS6MP4 and later (including but not limited to KIS 9/10/11) are updated with an anti-rootkit module capable of detecting and removing TDL4 under both x86 and x64.
 #3405  by Jaxryley
 Wed Nov 10, 2010 1:07 pm
Can't seem to do anything with this one, as it won't run sandboxed and BSODs my XP VM, if anyone wants to take a look.
hxxp://www.thatsfitlife.com/temp/dogma.exe
Scanner results : 14% Scanner(s) (5/36) - AntiVir - TR/Code.lkx.7 - MD5 : 7aad9aa2d3b6f6dd80f3e3dd7da65cb9
http://virscan.org/report/3ac4c4a48f027 ... b2a21.html
What's going on over at VT? Seems to be having problems nearly every day.
