[Fabian Wosar]

You don't have to submit a driver you want to sign to Microsoft or anything like that. You just get a code signing certificate, download a freely available cross certificate from Microsoft and use both to sign the driver. No waiting time except the time it takes to get the code signing certificate really.

This document outlines the whole process more detailed:
http://www.microsoft.com/whdc/driver/in ... rough.mspx

[Fabian Wosar]

Hitman Pro 3.5.6 build 112 BETA

• Added removal of TDL3 64-bit rootkit

Download: http://dl.surfright.nl/HitmanPro35beta_x64.exe

Works quite well on my testing systems. Do you replace the MBR with the original copy or do you use a "default" MBR?

[erikloman]

We restore the original.

[EP_X0FF]

Hitman Pro 3.5.6 build 112 BETA

• Added removal of TDL3 64-bit rootkit

Download: http://dl.surfright.nl/HitmanPro35beta_x64.exe

I've updated first page of this thread, thank you.

[LeastPrivilege]

erikloman wrote:
Hitman Pro 3.5.6 build 112 BETA

Added removal of TDL3 64-bit rootkit
Download: http://dl.surfright.nl/HitmanPro35beta_x64.exe

Yes, this works beautifully! Thank you. This is an answer for custom MBRs.

[LeastPrivilege]

Latest TDSSKiller v2.4.1.3:
\HardDisk0\MBR - will be cured after reboot
Rootkit.Win32.TDSS.tdl4(\HardDisk0\MBR) - User select action: Cure

It worked. They must have updated it.

[sww]

It worked. They must have updated it.

Yeap. In product "when it's done" :)

[4r0]

Another sample.
SI3112r.sys - 4/ 40 (10.0%) - MD5 : c09be54c50a1554e041ccf0217507d46
http://www.virustotal.com/file-scan/rep ... 1282952316

SI3112r.rar

VirLab's (Kaspersky) answer:
"SI3112r.sys
No malicious code was found in this file.
Best Regards, Kaspersky Lab"
0_o

A few more droppers. Essentially there are 2 major variants out there (125,440 and 126,464 bytes large) with each having several further variations. From what I can say so far nothing has changed except the way they are packed in order to fool signature based detections.

Can you share links to the new samples of TDSS x64?

[bytejammer]

Latest TDSSKiller v2.4.1.3:
\HardDisk0\MBR - will be cured after reboot
Rootkit.Win32.TDSS.tdl4(\HardDisk0\MBR) - User select action: Cure

It worked. They must have updated it.

I downloaded TDSSKiller from here but it failed to fix the MBR on my Windows 7 Professional x64 session. Do you have newer version of TDSSKiller or a different sample (I used this dropper)?

[SecConnex]

Shall we call this x64 version of TDSS, TDL4?

Seems by that TDSSKiller log, they have gone ahead and named it TDL4.

Also, this is a somewhat new infection routine to directly infect the MBR, instead of an actual system file.