A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #4428  by Quads
 Wed Jan 12, 2011 10:50 pm
As I said in the previous post: stuffed boot sector.

You can't try those when you can't boot Windows. It's that simple: if you have a screwed boot sector, how do you then boot Windows, load the desktop and then download TDSSkiller, GMER, MBRfix?
As you can't boot Windows you can't use those tools, and as there is no CD/DVD drive (it being a notebook) CDs are useless.

Quads
 #4430  by Quads
 Wed Jan 12, 2011 11:47 pm
Had a thought (dangerous, I know).

Due to netbooks generally using OEM MBRs, just replacing the MBR with a standard XP MBR can cause problems, so...

But the AVs that can cure / clean / repair the boot sector(s) from the likes of TDL4 may, if you're lucky, give away free bootable USB versions of their AV just like bootable CDs, so Dr Web and Kaspersky can cure the boot sector.

So, might be lucky.

Quads
 #4462  by rossetoecioccolato
 Sat Jan 15, 2011 4:35 pm
PerpetualHorizon,

If you will permit me one additional question, in your blog post you state that:

"The error messages seen below are not a concern, they are just indicators that not all areas of memory can be safely read."

How did you make the determination that the areas of physical memory that M* was unable to read did not contain pertinent evidence? Did you acquire those physical addresses by some other means and determine that the contents were not relevant? Specifically, did you look for a real mode INT 13h hook? Maybe not TDL but some other bootkits relocate their real mode IVT INT 13h hook code to one of those regions.

> I have the TDL4 filesystem if you would like to mess with it. <

Which sample did you use to infect your VM? If you contact me offline I will take a look at it. However, the code that is already unpacked in memory is really a lot more useful to me.

Rossetoecioccolato.
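One concrete way to act on the INT 13h question in the post above, as an added example that is not part of the thread or of any tool it names: a Python check over a raw physical-memory image that reads the real-mode IVT entry for INT 13h and the BIOS Data Area base-memory word at 0x413, the two places a bootkit that carves memory off the top of the 640K conventional region and redirects INT 13h normally touches. The two 1 MiB images are constructed here for illustration, not captures from an infected box; the layout constants (IVT at physical 0, BDA word at 0x413, F000:E3FE as a conventional BIOS INT 13h entry point) are standard PC real-mode facts. The check assumes the acquisition tool captured page 0 and the BDA intact, and it can only inspect what the tool actually read, which is exactly the gap the question points at.

```python
import struct

IVT_BASE = 0x0000          # real-mode interrupt vector table lives at physical address 0
BDA_BASE_MEM_KB = 0x0413   # BIOS Data Area word: conventional memory size in KB (640 on a clean PC)
CONVENTIONAL_TOP = 0xA0000 # physical address where conventional RAM ends and video/ROM space begins
INT13 = 0x13               # BIOS disk services vector


def ivt_entry(dump, vector):
    """Return (segment, offset, linear) for one IVT slot: 4 bytes, offset then segment, little-endian."""
    off, seg = struct.unpack_from("<HH", dump, IVT_BASE + vector * 4)
    return seg, off, (seg << 4) + off


def base_memory_kb(dump):
    """Conventional memory size the BIOS recorded; bootkits decrement it to reserve a hidden slice."""
    return struct.unpack_from("<H", dump, BDA_BASE_MEM_KB)[0]


def check_int13_hook(dump):
    """Flag an INT 13h vector that points into conventional RAM, and a shrunk BDA memory count.

    Returns a dict with the raw values plus a list of human-readable findings
    (empty for a clean image).
    """
    seg, off, linear = ivt_entry(dump, INT13)
    kb = base_memory_kb(dump)
    hidden_floor = kb * 1024   # everything from here up to 0xA0000 is invisible to the OS loader
    findings = []
    if kb < 640:
        findings.append(
            f"BDA reports {kb} KB base memory: {640 - kb} KB carved out below 0x{CONVENTIONAL_TOP:05X}")
    if linear < CONVENTIONAL_TOP:
        findings.append(
            f"INT 13h vector {seg:04X}:{off:04X} points into conventional RAM at 0x{linear:05X}")
        if linear >= hidden_floor:
            findings.append("handler sits inside the slice hidden from the BDA memory count")
    return {"base_kb": kb, "int13": (seg, off, linear), "findings": findings}


def handler_bytes(dump, count=16):
    """First bytes of the INT 13h handler, for hand disassembly of a suspect hook."""
    _, _, linear = ivt_entry(dump, INT13)
    return dump[linear:linear + count]


def make_dump(base_kb, int13_seg, int13_off):
    """Constructed 1 MiB real-mode memory image (illustration only, not a real capture)."""
    dump = bytearray(0x100000)
    struct.pack_into("<H", dump, BDA_BASE_MEM_KB, base_kb)
    struct.pack_into("<HH", dump, IVT_BASE + INT13 * 4, int13_off, int13_seg)
    return bytes(dump)


# Clean: 640 KB reported, INT 13h in the BIOS ROM at F000:E3FE (linear 0xFE3FE).
CLEAN = make_dump(640, 0xF000, 0xE3FE)
# Hooked: 2 KB carved off the top, INT 13h pointing at 9F80:0000 (linear 0x9F800),
# i.e. the first byte of the slice that the BDA no longer admits exists.
HOOKED = make_dump(638, 0x9F80, 0x0000)

if __name__ == "__main__":
    for name, img in (("clean", CLEAN), ("hooked", HOOKED)):
        r = check_int13_hook(img)
        print(name, f"base={r['base_kb']}KB int13=0x{r['int13'][2]:05X}", r["findings"])
```

On a real image, run it against the raw dump and, for any hit, feed `handler_bytes()` to a 16-bit disassembler; a far jump back into the F000 segment after a few instructions is the usual shape of a relocated real-mode hook. If the tool reported that the low pages were unreadable, this check has nothing to look at, which is the point of the question above.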
 #4575  by PerpetualHorizon
 Thu Jan 20, 2011 3:02 am
Rossetoecioccolato,

I did not investigate this personally, although I had intended to do so. An email exchange with one of the helpful devs of Memoryze explained the matter and pointed me to a link on the Mandiant website discussing mem areas that could not be read by memorydd. I was concerned about the possibility of malware hiding from a memdump, and never did determine why win32dd didn't work, but I got what I needed and did not dig further. I am honestly not certain of the best way to acquire the physical addresses that memorydd missed, but I suppose I could have run a memory map and dumped those sections looking for a hook; it didn't seem important enough to explore at the time.

I did not infect a VM - I ran analysis on a bare metal box that experienced a real-world infection. I do not have the original TDL4 installer for this particular infection, but of course we could collect others.

Have a great day and thanks for the information.
PH
 #4970  by EP_X0FF
 Wed Feb 09, 2011 12:29 pm
PX5 wrote: I have not had time to check this one out but the forged file info made me think of a certain someone. :)

TDL4
[main]
version=0.03
aid=11516
sid=0
builddate=351
rnd=507921405
[inject]
*=cmd.dll
* (x64)=cmd64.dll
[cmd]
srv=hxxps://lo4undreyk.com/;hxxps://sh01cilewk.com/;hxxps://cap01tchaa.com/;hxxps://kur1k0nona.com/;hxxps://u101mnay2k.com/
wsrv=hxxp://gnarenyawr.com/;hxxp://rinderwayr.com/;hxxp://jukdoout0.com/;hxxp://swltcho0.com/;hxxp://ranmjyuke.com/
psrv=hxxp://crj71ki813ck.com/
version=0.15
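The config above is the INI-like file TDL4 keeps in its hidden filesystem, and pulling the C2 lists out of it by hand gets old fast. As an added example, not code from the thread or from any of the tools mentioned in it, here is a small Python parser for that format. It keeps the `[section]`/`key=value` layout, rejoins server lists that got wrapped across lines (as happens when a config is pasted into a post), splits the `;`-separated `srv`/`wsrv`/`psrv` lists, and extracts a de-duplicated domain list for an IOC export. The sample is the block quoted above, kept defanged (`hxxp`); the helper names are mine.

```python
import re

# Constructed sample: the TDL4 config quoted in the post above, with the C2 lists
# deliberately wrapped across lines to exercise the continuation handling.
SAMPLE_CFG = """\
[main]
version=0.03
aid=11516
sid=0
builddate=351
rnd=507921405
[inject]
*=cmd.dll
* (x64)=cmd64.dll
[cmd]
srv=hxxps://lo4undreyk.com/;hxxps://sh01cilewk.com/;
hxxps://cap01tchaa.com/;hxxps://kur1k0nona.com/;hxxps://u101mnay2k.com/
wsrv=hxxp://gnarenyawr.com/;hxxp://rinderwayr.com/;
hxxp://jukdoout0.com/;hxxp://swltcho0.com/;hxxp://ranmjyuke.com/
psrv=hxxp://crj71ki813ck.com/
version=0.15
"""

C2_KEYS = ("srv", "wsrv", "psrv")                    # main, web and proxy server lists
DOMAIN_RE = re.compile(r"h[xt]{2}ps?://([^/;\s]+)")  # accepts hxxp(s) and http(s)


def parse_tdl_cfg(text):
    """Parse the INI-like config into {section: {key: value}}.

    A line with no '=' (or whose left-hand side itself contains '://') is a
    continuation of the previous key's value, so wrapped server lists rejoin.
    Duplicate key names in different sections (both 'version's) stay separate.
    """
    sections = {}
    section = None
    last_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            sections.setdefault(section, {})
            last_key = None
            continue
        if section is None:
            raise ValueError(f"key/value before any section: {line!r}")
        key, sep, value = line.partition("=")
        if sep and "://" not in key:
            last_key = key.strip()
            sections[section][last_key] = value.strip()
        elif last_key is not None:
            sections[section][last_key] += line      # continuation of a wrapped value
        else:
            raise ValueError(f"continuation without a key: {line!r}")
    return sections


def c2_servers(cfg):
    """Split each [cmd] server list on ';' into URLs, dropping the empty trailing field."""
    cmd = cfg.get("cmd", {})
    return {k: [u for u in cmd[k].split(";") if u] for k in C2_KEYS if k in cmd}


def c2_domains(cfg):
    """Sorted, de-duplicated domain names across all server lists (blocklist / IOC export)."""
    found = set()
    for urls in c2_servers(cfg).values():
        for url in urls:
            m = DOMAIN_RE.match(url)
            if m:
                found.add(m.group(1).lower())
    return sorted(found)


def inject_targets(cfg):
    """Process-name pattern -> payload DLL from [inject]; '*' means every process."""
    return dict(cfg.get("inject", {}))


if __name__ == "__main__":
    cfg = parse_tdl_cfg(SAMPLE_CFG)
    print("aid/sid:", cfg["main"]["aid"], cfg["main"]["sid"])
    print("inject:", inject_targets(cfg))
    for key, urls in c2_servers(cfg).items():
        print(f"{key}: {len(urls)} servers")
    print("domains:", ", ".join(c2_domains(cfg)))
```

The `aid`/`sid` pair identifies the affiliate and sub-affiliate the build was distributed through, so keeping them alongside the domain list makes it easier to cluster samples from the same campaign. The parser deliberately does not refang the URLs; do that at the point of use rather than in the artifact you pass around.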