[EP_X0FF]

How many times you will bump this thread for necroposting with stuff actually already posted there or ripped by Prevx from this site? Thread closed until any rootkit updates.

[EP_X0FF]

Damballa article about network infrastructe of TDL4

https://www.damballa.com/downloads/r_pu ... public.pdf

In the end of article you may notice snapshots that indicating old TDL4 rootkit presence with updated cmd.dll version.

[Quads]

Hi

Does anyone have a backed up copy of the BCD with the Pihar /TDL4 custom code inside??

Thanks

Quads

[Cassiel]

Hi

I have a copy of Purple haze which I included, is this what you are looking for ?

Cassiel

[Quads]

Thanks anyway, but NO

I have all that,there is a reason why I asked for the BCD with custom code inside and didn't ask for the rest, the rest is easy to create, I can't get the BCD to patch with the custom code.

Quads

[EP_X0FF]

TDL4 AFAIR was patching BCD by ldr16 in memory. Did you tried dump BCD of already infected machine?

[Quads]

I can infect my systems, It is just that the BCD is not touched (no custom code)

And trying to get some PC users to follow instructions to run a program is hard enough at times, I hope they don't drive a car like they drive a PC.

Quads

[Cody Johnston]

Hello All

I had reports of this infection on a few PCs today. Here is dump of the MBR:

VT: 2/45

MD5: 4f60b4812fdd195362bba7c1ab573324

https://www.virustotal.com/en/file/24a2 ... 363890022/

[EP_X0FF]

TDL4 clone, combination of MaxSS/TDL4/Pihar. Bugged like hell.

New active entry in partition table -> ldrm (copy of TDL4 mbr code with usual ror decryption cycle) -> ldr16 -> ldr32/ldr64 -> drv32/drv64 (lolkit itself) -> cmdXX.dll -> profit. Rendered machine into unbootable state.

Config simplified, dropper contain UAC COM elevation dll (Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}), similar to that used by Win32/Simda and seems insipired by this code http://www.pretentiousname.com/misc/W7E ... t.cpp.html

SHA256: f3773764307cad8af08519db29b490124aa1f068a5e5373b7aaf56c7fe8f8793
SHA1: 62db6704a6a32389b17be46552f6d2cab26363ad
MD5: 03d41f944eea9c4be5f5e34a74f03462

https://www.virustotal.com/en/file/f377 ... /analysis/

Rootkit components stored without encryption at the end of the disk, Pihar FS. SD marked sector describes whole directory.

All extracted components attached.

[R136a1]

New TDL Clones in the Wild: http://labs.bitdefender.com/2013/04/new ... -the-wild/