[Alex]

@LeastPrivilege

If you are talking about this dropper - "setup.exe - 7/43 - Sunbelt - Packed.Win32.Tdss.ae (v) - MD5 : 8d73a4cd281f178ac7896d54d7923728"
it is a classical TDL3 and it works well under VMWare with XP SP2:

[main]
version=3.273
quote=Tempers are wearing thin. Let's hope some robot doesn't kill everybody
installdate=1285522457
[injector]
*=tdlcmd.dll

[Jaxryley]

Samples:

dllhost.exe - 9/43 - Sunbelt - Trojan.Win32.Alureon.Ch (v) - MD5 : a13d699c807aa3bff5a111dd4c65965e
http://www.virustotal.com/file-scan/rep ... 1285561037

AppleMobileDeviceHelper.exe - 8/43 - DrWeb - BackDoor.Tdss.4246 - MD5 : cf93e3244f0a693be28ac4e240c07885
http://www.virustotal.com/file-scan/rep ... 1285561678

Samples.rar

(172.62 KiB) Downloaded 86 times

[CloneRanger]

Fresh'ish sample

Scanner results : (3/35) found malware!

http://virscan.org/report/bc50c623d4501 ... 90bd8.html

PW = infected

[Julian]

Fresh'ish sample

Scanner results : (3/35) found malware!

http://virscan.org/report/bc50c623d4501 ... 90bd8.html

PW = infected

Doesn't seem to show any special behavior in VirtualBox compared to previous ones. :)

[Jaxryley]

hxxp://rentsatoday.com/.flyx4m/?getexe=dg.exe

dg.exe - 7/43 - F-Prot - W32/TDSS.B2.gen!Eldorad - MD5 : 93eb0604e07469f917f2639ecaa5d61d
http://www.virustotal.com/file-scan/rep ... 1286795297

dg.rar

(85.08 KiB) Downloaded 71 times

[nullptr]

SHA1 : 8a0021c7f8d68afa9b058ef502a00aaf7227cbb7 dg.exe
Some newish servers but otherwise stagnant.

[main]
version=3.273
quote=Tempers are wearing thin. Let's hope some robot doesn't kill everybody
botid=
affid=
subid=
installdate=11.10.2010 11:29:54
builddate=11.10.2010 11:0:2
rnd=1993962763
[injector]
*=tdlcmd.dll
[tdlcmd]
servers=https://nichtadden.in/;https://li1i16b0 ... i16b0.com/
wspservers=http://clikcpixelabn.com/;http://thinks ... tator.com/
popupservers=http://clkh71yhks66.com/
version=3.97

[PX5]

That one looks like Koob Droppings....

Code: Select all

http://rentsatoday.com/.flyx4m/?action=fbgen&v=135&crc=669
http://rentsatoday.com/.flyx4m/?action=fbgen&mode=s&age=2&a=13441600&v=135&fblogin=0&defbrowser=ie&ie=6.0.2900.2180
http://rentsatoday.com/.flyx4m/?getexe=ff2ie.exe
http://rentsatoday.com/.flyx4m/?getexe=udh.exe
http://rentsatoday.com/.flyx4m/?getexe=dg.exe
http://rentsatoday.com/.flyx4m/?getexe=m24.in.exe

[PX5]

These however, look much more tdl3+/tdl4

AhnLab-V3 2010.10.12.00 2010.10.11 -
AntiVir 7.10.12.184 2010.10.11 BOO/Alureon.A
Antiy-AVL 2.0.3.7 2010.10.11 -
Authentium 5.2.0.5 2010.10.11 -
Avast 4.8.1351.0 2010.10.11 -
Avast5 5.0.594.0 2010.10.11 -
AVG 9.0.0.851 2010.10.11 -
BitDefender 7.2 2010.10.11 Rootkit.Tdss.AW
CAT-QuickHeal 11.00 2010.10.11 -
ClamAV 0.96.2.0-git 2010.10.11 -
Comodo 6356 2010.10.11 -
DrWeb 5.0.2.03300 2010.10.11 BackDoor.Tdss.4005
eSafe 7.0.17.0 2010.10.11 -
eTrust-Vet 36.1.7905 2010.10.11 -
F-Prot 4.6.2.117 2010.10.11 -
F-Secure 9.0.15370.0 2010.10.11 Rootkit.Tdss.AW
Fortinet 4.2.249.0 2010.10.11 -
GData 21 2010.10.11 Rootkit.Tdss.AW
Ikarus T3.1.1.90.0 2010.10.11 Rootkit.Win32.TDSS
Jiangmin 13.0.900 2010.10.11 -
K7AntiVirus 9.65.2724 2010.10.11 -
McAfee 5.400.0.1158 2010.10.11 -
McAfee-GW-Edition 2010.1C 2010.10.11 -
Microsoft 1.6201 2010.10.11 Trojan:DOS/Alureon.A
NOD32 5521 2010.10.11 -
Norman 6.06.07 2010.10.11 -
nProtect 2010-10-11.01 2010.10.11 -
Panda 10.0.2.7 2010.10.11 -
PCTools 7.0.3.5 2010.10.11 -
Prevx 3.0 2010.10.11 -
Rising 22.69.00.01 2010.10.11 -
Sophos 4.58.0 2010.10.11 Troj/TdlMbr-A
Sunbelt 7038 2010.10.11 Trojan.Boot.Alureon.a (v)
SUPERAntiSpyware 4.40.0.1006 2010.10.11 -
Symantec 20101.2.0.161 2010.10.11 -
TheHacker 6.7.0.1.054 2010.10.10 -
TrendMicro 9.120.0.1004 2010.10.11 -
TrendMicro-HouseCall 9.120.0.1004 2010.10.11 -
ViRobot 2010.10.4.4074 2010.10.11 -
VirusBuster 12.67.13.0 2010.10.11 -


AhnLab-V3 2010.10.11.00 2010.10.11 -
AntiVir 7.10.12.184 2010.10.11 -
Antiy-AVL 2.0.3.7 2010.10.11 -
Authentium 5.2.0.5 2010.10.11 -
Avast 4.8.1351.0 2010.10.11 -
Avast5 5.0.594.0 2010.10.11 -
AVG 9.0.0.851 2010.10.11 BackDoor.Generic13.HTM
BitDefender 7.2 2010.10.11 -
CAT-QuickHeal 11.00 2010.10.11 -
ClamAV 0.96.2.0-git 2010.10.11 -
Comodo 6353 2010.10.11 -
DrWeb 5.0.2.03300 2010.10.11 -
Emsisoft 5.0.0.50 2010.10.11 -
eSafe 7.0.17.0 2010.10.11 -
eTrust-Vet 36.1.7904 2010.10.11 -
F-Prot 4.6.2.117 2010.10.11 -
F-Secure 9.0.15370.0 2010.10.11 -
Fortinet 4.2.249.0 2010.10.11 -
GData 21 2010.10.11 -
Ikarus T3.1.1.90.0 2010.10.11 -
Jiangmin 13.0.900 2010.10.11 -
K7AntiVirus 9.65.2724 2010.10.11 -
Kaspersky 7.0.0.125 2010.10.11 Rootkit.Win32.Agent.bjqb
McAfee 5.400.0.1158 2010.10.11 -
McAfee-GW-Edition 2010.1C 2010.10.11 -
Microsoft 1.6201 2010.10.11 -
NOD32 5521 2010.10.11 a variant of Win32/Rootkit.Agent.NTT
Norman 6.06.07 2010.10.11 -
nProtect 2010-10-11.01 2010.10.11 -
Panda 10.0.2.7 2010.10.11 Trj/Sinowal.XFN
PCTools 7.0.3.5 2010.10.11 -
Prevx 3.0 2010.10.11 -
Rising 22.69.00.01 2010.10.11 -
Sophos 4.58.0 2010.10.11 -
Sunbelt 7037 2010.10.11 -
SUPERAntiSpyware 4.40.0.1006 2010.10.11 -
Symantec 20101.2.0.161 2010.10.11 -
TheHacker 6.7.0.1.054 2010.10.10 Trojan/Agent.ntt
TrendMicro 9.120.0.1004 2010.10.11 -
TrendMicro-HouseCall 9.120.0.1004 2010.10.11 -
VBA32 3.12.14.1 2010.10.11 -
ViRobot 2010.10.4.4074 2010.10.11 -
VirusBuster 12.67.13.0 2010.10.11 -

[Julian]

These however, look much more tdl3+/tdl4

Yep, I tried one with SHA1 hash e3f9d41825ca05b96dcab8491256faffe2c2aae2 (dg.exe).
It works on Windows x64.
So, this means this malware is still under active developement for Windows x64 (not dead)?

If you block spoolsv.exe to install its drivers on x32 TDSS also wants to have direct disk access (MBR) on this OS as well. Is this new?
Then it shuts down Windows. Can anybody explain how it's doing this? The VM just closes rapidly and OSSS HIPS can't detect any attempt to shutdown Windows or to log off the user.
I dunno if it tries to install a bootkit or just to mess up the MBR, at least Windows doesn't boot anymore after spoolsv.exe had direct sector access.

[Jaxryley]

Code: Select all

http://christmasornies.com/.geaus/?getexe=ff2ie.exe
http://christmasornies.com/.geaus/?getexe=udh.exe
http://christmasornies.com/.geaus/?getexe=dg.exe
http://christmasornies.com/.geaus/?getexe=m24.in.exe

dg.exe - 11/42 - Avast - Win32:Alureon-JG - MD5 : 02a599b0cb382c0e9f1a5659dae84d55
http://www.virustotal.com/file-scan/rep ... 1287143146

All Four Samples.rar

(513.92 KiB) Downloaded 95 times