A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #1359  by USForce
 Tue Jun 29, 2010 8:13 am
They have analyzed one of the oldest variants of TDL3, the one that was hooking IRPs instead of creating a new fake device object. It's a bit too late for it (> 7 months)
 #1360  by EP_X0FF
 Tue Jun 29, 2010 11:36 am
Yes, this is very out-dated, copy-pasted and adapted from the T4L article story. Also F-Secure created another myth about rootkits - Trojan DownLoader, while it is not its acronym.
 #1361  by USForce
 Tue Jun 29, 2010 1:05 pm
I don't see the reason for releasing a new technical paper that covers an infection that is > 7 months old and has even changed many times since then.
At least ESET wrote something better (though its SysInspector is not able to detect what they have analyzed so carefully. This is ironic :D )
 #1365  by EP_X0FF
 Tue Jun 29, 2010 3:28 pm
Thanks :)
As you see, it is a very old sample.
[main]
quote=Dude, meet me in Montana XX00, Jesus (H. Christ)
version=3.273
botid=xxxx
affid=10054
subid=0
installdate=29.6.2010 15:22:41
builddate=11.5.2010 12:33:6
rnd=1993962763
knt=1277775341
[injector]
*=tdlcmd.dll
[tdlcmd]
version=3.747
bsh=a2708068166f37c9c65ee5c2c980a079fd0b9892
delay=7200
servers=hxxps://873hgf7xx60.com/;hxxps://jro1ni1l1.com/;hxxps://61.61.20.132/;hxxps://1iii1i11i1ii.com/;hxxps://61.61.20.135/;hxxps://0o0o0o0o0.com/;hxxps://68b6b6b6.com/;hxxps://34jh7alm94.asia/
wspservers=hxxp://lk01ha71gg1.cc/;hxxp://zl091kha644.com/;hxxp://a74232357.cn/;hxxp://a76956922.cn/;hxxp://91jjak4555j.com/
popupservers=hxxp://cri71ki813ck.com/
clkservers=hxxp://lkckclckl1i1i.com/
[tasks]
296201013541=!hxxp://mydeli.ru/1/034_crypted.exe

Payload VT Result (file in attach)
http://www.virustotal.com/ru/analisis/a ... 1277825053

This is Trojan Winlock, the same as posted previously :D
From the unpacked internals.
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Userinit userinit.exe, \ u s e r i n i t . e x e Software\Microsoft\Windows\CurrentVersion\Run explorer TMP WTF?! ConsoleSelfCount Console OneCodeDone \ Trololo #32770 Program Manager Tahoma Shell32 ShellExecuteA ComSpec /c del " " >> NUL bldjad.exe Внимание! Попытки снять рекламный модуль без ввода кода приведут к нарушению работы Вашего ПК. Стоимость SMS сообщения 20 руб с НДС * Добровольно установив рекламный модуль для просмотра эро-видео вы согласились с правилами
пользования сервисом. Данный программный продукт не является вирусом, не блокирует “Диспетчер задач” и другое
программное обеспечение Вашего компьютера. Чтобы закрыть рекламный модуль: Введите полученный код: Рекламный модуль просмотра эро-видео сайта pornhub.com Для просмотра эро-видео перейдите по ссылке * Точную стоимость уточняйте тут . Рекламный модуль устанавливается на срок 30 дней. Стомость приведена из расчета одного дня работы Рекламного модуля. Отправьте SMS c текстом на номер Спасибо, код принят. 1 из 2 SMS получена. Отправьте вторую SMS с текстом Отключить BUTTON EDIT open hxxp://pornhub.com Неправильный код! Введите сюда код Спасибо. Код принят. Для продолжения работы, пожалуйста, перезагрузите компьютер. 1 %i Console ConsoleSize2
Attachments
pass: malware
 #1372  by Meriadoc
 Wed Jun 30, 2010 4:35 pm
[main]
quote=I felt like putting a bullet between the eyes of every panda that wouldn't screw to save it's species. I wanted to open the dump valves on oil tankers and smother all those french beaches I'd never see. I wanted to breathe smoke
version=3.273
installdate=30.6.2010 16:31:28
builddate=30.6.2010 14:44:57
rnd=1123561945
knt=1277915747
[injector]
*=tdlcmd.dll
[tdlcmd]
servers=hxxps://873hgf7xx60.com/;hxxps://jro1ni1l1.com/;hxxps://61.61.20.132/;hxxps://1iii1i11i1ii.com/;hxxps://61.61.20.135/;hxxps://0o0o0o0o0.com/;hxxps://68b6b6b6.com/;hxxps://34jh7alm94.asia/
wspservers=hxxp://lk01ha71gg1.cc/;hxxp://zl091kha644.com/;hxxp://a74232357.cn/;hxxp://a76956922.cn/;hxxp://91jjak4555j.com/
popupservers=hxxp://cri71ki813ck.com/
version=3.83
delay=7200
clkservers=hxxp://lkckclckl1i1i.com/
bsh=f48f19f717781a8c2719a48e1f43edc44267666a
[tasks]
tdlcmd.dll=hxxps://112.121.181.26/rDbtafVZlDjA
1232010162759=!hxxp://85.17.136.18/download/shi5Aiku.exe
http://www.virustotal.com/analisis/f7e0 ... 1277912816
sigcheck: publisher....: C20 H25 N3 O

C20 H25 N3 O lol, LSD anyone?
 #1373  by EP_X0FF
 Thu Jul 01, 2010 4:49 am
Microsoft Security Essentials 1.0.1963.0 is able to successfully detect and cure active (and latest available) TDL3 infection.
Detection of the infected driver is Win32/Alureon.H. For successful disinfection one reboot is required.

Download link
http://www.microsoft.com/security_essen ... fault.aspx

First thread post updated.
 #1374  by Maniac
 Thu Jul 01, 2010 7:38 pm
SUPERAntiSpyware 4.40.1002 Final

Change log:
Resolved issue where handles were not freed under certain circumstances
Improved resource handling
Updated in-product updater preparing for major upcoming release 5.0
Additional TDSS Detection/Removal
 #1376  by EP_X0FF
 Fri Jul 02, 2010 3:25 am
Maniac wrote:SUPERAntiSpyware 4.40.1002 Final

Change log:
Resolved issue where handles were not freed under certain circumstances
Improved resource handling
Updated in-product updater preparing for major upcoming release 5.0
Additional TDSS Detection/Removal
No it can't.

I've tested SAS Free against the newest TDL3 sample (in attach) - nothing.

http://www.virustotal.com/analisis/918a ... 1278039386
[main]
version=3.273
quote=Dude, meet me in Montana XX00, Jesus (H. Christ)
botid=
affid=20743
subid=0
installdate=2.7.2010 2:53:57
builddate=1.7.2010 11:46:52
rnd=1229272821
knt=1278039580
[injector]
*=tdlcmd.dll
[tdlcmd]
version=3.82
bsh=09079b499f8efefe1a98c1f997ef09be576fc14d
delay=7200
servers=hxxps://19js810300z.com/;hxxps://lj1i16b0.com/;hxxps://li1i16b0.com/;hxxps://zz87jhfda88.com/;hxxps://n16fa53.com/;hxxps://01n02n4cx00.cc/
wspservers=hxxp://rf9akjgh716zzl.com/;hxxp://dsg1tsga64aa17.com/;hxxp://l1i1e3e3oo8as0.com/;hxxp://7gafd33ja90a.com/;hxxp://n1mo661s6cx0.com/;hxxp://j00k877x.cc/;hxxp://30xc1cjh91.com/;hxxp://m01n83kjf7.com/
popupservers=hxxp://clkh71yhks66.com/
clkservers=hxxp://z0g7ya1i0.com/
Last edited by EP_X0FF on Tue Jan 04, 2011 5:48 pm, edited 1 time in total. Reason: Removed attach (5 Jan 2011)
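The three TDL3 config dumps posted in this thread share one INI-like layout ([main], [injector], [tdlcmd], [tasks]) with ';'-separated server lists and defanged hxxp/hxxps URLs. The following parser is an added example for pulling the comparable fields (versions, bsh, affid, build/install dates) and the host set out of such a dump for blocklist or DNS-log matching; it is not code from the thread or from any of the products discussed. The embedded sample is constructed from values that appear in the posts above (shortened lists, entries from different samples combined); the leading '!' on some task values is not explained in the thread, so it is only stripped when the URL is parsed, not interpreted.

```python
import re
from typing import Dict, List

# Constructed sample: fields and URLs taken from the dumps posted in this
# thread, with the server lists shortened. URLs stay defanged (hxxp/hxxps).
SAMPLE_CONFIG = """[main]
version=3.273
quote=Dude, meet me in Montana XX00, Jesus (H. Christ)
botid=
affid=20743
subid=0
installdate=2.7.2010 2:53:57
builddate=1.7.2010 11:46:52
[injector]
*=tdlcmd.dll
[tdlcmd]
version=3.82
bsh=09079b499f8efefe1a98c1f997ef09be576fc14d
delay=7200
servers=hxxps://19js810300z.com/;hxxps://lj1i16b0.com/
wspservers=hxxp://rf9akjgh716zzl.com/;hxxp://dsg1tsga64aa17.com/
popupservers=hxxp://clkh71yhks66.com/
clkservers=hxxp://z0g7ya1i0.com/
[tasks]
tdlcmd.dll=hxxps://112.121.181.26/rDbtafVZlDjA
1232010162759=!hxxp://85.17.136.18/download/shi5Aiku.exe
"""

# Matches a defanged URL and captures the host part (domain or IP literal).
HOST_RE = re.compile(r'^hxxps?://([^/]+)/?', re.IGNORECASE)
IPV4_RE = re.compile(r'^\d{1,3}(\.\d{1,3}){3}$')


def parse_tdl3_config(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the [section] / key=value dump into nested dicts.

    Blank lines and lines before the first section header are ignored.
    A line is split on the first '=' only, so values containing '='
    (URLs with query strings) survive intact. Keys are kept verbatim,
    including the literal '*' key used in [injector].
    """
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            sections.setdefault(current, {})
            continue
        if current is None or '=' not in line:
            continue
        key, _, value = line.partition('=')
        sections[current][key.strip()] = value.strip()
    return sections


def server_lists(cfg: Dict[str, Dict[str, str]]) -> Dict[str, List[str]]:
    """Split every '*servers' key in [tdlcmd] on ';' into individual URLs."""
    tdlcmd = cfg.get('tdlcmd', {})
    return {k: [u for u in v.split(';') if u]
            for k, v in tdlcmd.items() if k.endswith('servers')}


def extract_hosts(cfg: Dict[str, Dict[str, str]]) -> List[str]:
    """Sorted, de-duplicated hosts from all server lists and [tasks] URLs.

    Task values may carry a leading '!' in the dumps; it is stripped here
    only so the URL can be matched, no meaning is assigned to it.
    """
    hosts = set()
    for urls in server_lists(cfg).values():
        for url in urls:
            m = HOST_RE.match(url)
            if m:
                hosts.add(m.group(1).lower())
    for value in cfg.get('tasks', {}).values():
        m = HOST_RE.match(value.lstrip('!'))
        if m:
            hosts.add(m.group(1).lower())
    return sorted(hosts)


def split_ips_and_domains(hosts: List[str]) -> Dict[str, List[str]]:
    """Separate IP literals from domain names (the dumps mix both)."""
    ips = [h for h in hosts if IPV4_RE.match(h)]
    domains = [h for h in hosts if not IPV4_RE.match(h)]
    return {'ips': ips, 'domains': domains}


def sample_summary(cfg: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """The fields worth comparing between samples (as the posters do above)."""
    main, tdlcmd, inj = cfg.get('main', {}), cfg.get('tdlcmd', {}), cfg.get('injector', {})
    return {
        'main_version': main.get('version', ''),
        'tdlcmd_version': tdlcmd.get('version', ''),
        'bsh': tdlcmd.get('bsh', ''),
        'affid': main.get('affid', ''),
        'installdate': main.get('installdate', ''),
        'builddate': main.get('builddate', ''),
        'injected_module': inj.get('*', ''),
    }


if __name__ == '__main__':
    cfg = parse_tdl3_config(SAMPLE_CONFIG)
    print(sample_summary(cfg))
    print(split_ips_and_domains(extract_hosts(cfg)))
```

Running the block prints the per-sample summary and the host split; feeding it the other two dumps from the thread lets the bsh value, tdlcmd version and server sets be diffed between samples the way the posters compare them by eye.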