A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #2549  by EP_X0FF
 Tue Aug 31, 2010 2:01 am
erikloman wrote:I suggest we let EP_X0FF decide how we should address this variant.
I call it TDL 3.5 :) or TDL3++

Not sure if it still belongs to the same dev team, maybe its actual name is something like "Xyita 0.2" :))
 #2553  by sww
 Tue Aug 31, 2010 5:00 am
EP_X0FF wrote:I call it TDL 3.5 :) or TDL3++
Not sure if it still belongs to the same dev team, maybe its actual name is something like "Xyita 0.2" :))
LOOOOL! :)

But in KL we will call it TDL4, 'coz of x64 and MBR infection mechanism.
 #2557  by notkov
 Tue Aug 31, 2010 8:44 am
kakaraka wrote: You got it wrong, but you have some imagination... Too bad it did not help you recognize the RC4 function in the MBR code.
Ok, so besides the RC4 part that I didn't recognize, why did I get it wrong?
Some older TDL3 versions only had XOR encryption. I'm not really sure when that changed, but that can be easily checked. I do not understand the sarcasm in what you are saying.
 #2565  by s23
 Tue Aug 31, 2010 2:09 pm
notkov wrote:
Nope, a simple single No prevented the file from running. Even if it was an infinite loop of UAC messages, that would only make it obvious it's malicious.
You could obtain an infinite loop if p1 (that doesn't need admin rights) drops in temp-dir p2 (that needs admin rights) and does a CreateProcess in a loop, until the process is created (let's say, signaled by a mutex). Would it make it obvious it's malware? Believe me, most users will hit 'Yes' without even reading the warning.
This can be circumvented by changing the UAC local policies:

"Detect applications installations and prompt for elevation" : Disabled
and
"Only elevate executables that are signed and validated" : Enabled

Edit: typo
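Added example, not part of s23's post: a PowerShell audit that reads the two UAC policies named above and compares them with the values s23 recommends. The mapping of the policy names to the registry values EnableInstallerDetection and ValidateAdminCodeSignatures under the Policies\System key is the standard Windows backing store and is my assumption here, not something the post states.

```powershell
# Added example (not from the thread): audit the two UAC policies s23 names.
# Assumed mapping (standard Windows registry backing, not stated in the post):
#   "Detect application installations and prompt for elevation" -> EnableInstallerDetection
#   "Only elevate executables that are signed and validated"     -> ValidateAdminCodeSignatures
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Values recommended in the post: installer detection Disabled (0), signature validation Enabled (1)
$recommended = @{
    EnableInstallerDetection    = 0
    ValidateAdminCodeSignatures = 1
}

function Get-UacPolicyAudit {
    foreach ($name in $recommended.Keys) {
        # A missing value means the edition default applies; report $null rather than guessing it
        $current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
        [pscustomobject]@{
            Policy      = $name
            Current     = $current
            Recommended = $recommended[$name]
            Compliant   = ($current -eq $recommended[$name])
        }
    }
}

Get-UacPolicyAudit | Format-Table -AutoSize
```

Run from an elevated prompt on the machine being audited; a Compliant = False row for ValidateAdminCodeSignatures means unsigned binaries can still request elevation, and turning installer detection off also suppresses the prompt for legitimate unsigned installers, so weigh that trade-off before enforcing it.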
 #2566  by kakaraka
 Tue Aug 31, 2010 4:28 pm
notkov wrote:
kakaraka wrote: You got it wrong, but you have some imagination... Too bad it did not help you recognize the RC4 function in the MBR code.
Ok, so besides the RC4 part that I didn't recognize, why did I get it wrong?
Some older TDL3 versions only had XOR encryption. I'm not really sure when that changed, but that can be easily checked. I do not understand the sarcasm in what you are saying.
Because it's about what the threat does, and not what I or you could do, unless you (or maybe I) do want to be (or already are) one of those zombies spreading it.
 #2567  by notkov
 Tue Aug 31, 2010 6:27 pm
kakaraka wrote: Because it's about what the threat does, and not what I or you could do, unless you (or maybe I) do want to be (or already are) one of those zombies spreading it.
Well, you got it wrong then :) We are talking about malware (TDL) here and possible threats (past/present/future).
Don't worry, I'm not spreading malware, only on my test systems maybe :)). And I'm sure you are not doing that either. And I do not think that this forum is an inspiration for blackhats.
 #2569  by Alex
 Tue Aug 31, 2010 7:48 pm
Yes this is TDL3 dropper.
[main]
version=3.273
id=be3fa69006e0d04e510bd440118518098807
installdate=1283283321
[injector]
*=tdlcmd.dll