A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #1116  by EP_X0FF
 Tue May 18, 2010 1:31 pm
6.00.2.04010 it was CureIt (I should mention this in first post).
 #1117  by gjf
 Tue May 18, 2010 3:10 pm
One of sources of infection: it becames quite active as for my work network :)
You will obtain a spam:
SMTP and POP3 servers for your@e-mail.here mailbox are changed. Please carefully read the attached instructions before updating settings.

http://deletedhost/card.zip
Sometimes the e-mail has an attachment, sometimes - just a link.

API calls during infection of sandbox is attached
(3.36 KiB) Downloaded 57 times
As you can see possible malware founds some tricks in explorer.exe handle and shuttes down. OK, will try to fool it at home, I have some ideas :)

So after infection of virtual machine all works as allways - after reboot TDL3 tries to reach the following URL:
[url]hxxp://clkmfd001.ws/EzZ2IfCl5C3qZJU0Y2xrPTEuMjEmYmlkPWU3MWM1MWY2LTUxNTEtNDFkMS1hMjk1LTRlMDUwMTMyMDNmMiZhaWQ9MjAxMDUmc2lkPTAmcmQ9MTguNS4yMDEw16c[/url]

The most interesting: eSage utility found the infection but after reboot could not delete it! I will try to repeat it at home, because this is something unusual.

Kaspersky TDSS Killer effectively removed the malware. BTW Kaspersky detects the sample only by heuristic engine at the time of thie post publication.

The sample is attached also.
(80.88 KiB) Downloaded 82 times
Last edited by a_d_13 on Tue May 18, 2010 6:23 pm, edited 1 time in total. Reason: Disabled URL
 #1118  by gjf
 Tue May 18, 2010 3:55 pm
I beg a pardon from eSage - that was false alarm becaues eSage remover still works well. Don't know what was wrong at first run, but all other tries were successful.

So, ini is as follows:
Code: Select all
[main]
quote=Tempers are wearing thin. Let's hope some robot doesn't kill everybody
version=3.273
botid=e71c51f6-5151-41d1-a295-4e05013203f2
affid=20105
subid=0
installdate=18.5.2010 15:39:56
builddate=18.5.2010 6:47:35
[injector]
*=tdlcmd.dll
[tdlcmd]
servers=https://li1i16b0.com/;https://19js810300z.com/;https://lj1i16b0.com/;https://zz87jhfda88.com/;https://n16fa53.com/;https://01n02n4cx00.cc/
wspservers=http://7gafd33ja90a.com/;http://n1mo661s6cx0.com/;http://30xc1cjh91.com/;http://j00k877x.cc/;http://m01n83kjf7.com/
popupservers=http
version=3.741
Dll detection, infected driver detection.

No news actually :(
 #1123  by PX5
 Wed May 19, 2010 12:05 am
Found some new batch of loaders, so far no cleaner I can find works, allthough an educated tour of rku lead me to a neat little trick to ID the actual infected driver.

I dont use VM for realtime testing, wont us VBox either, still too unstable, only use live, indeed Im sure it is infected but Kaspersky only farts in wind, Norman only wants to clean it over and over and over, CureIT, Pffft, 20MB dload to kill one infection, which I suspect it will fail too, the loaders at seriall will catch up maybe soon so all can have a play.

Odd in a VM I have no problems, actually have no problems in VBox cause it only BSOD on load, so defeat self. :lol:

Makes working in a support dept really suck sometimes, when I see certain messages about this infection, I suddenly have desire to go and mow the lawn or take the wife to dinner and i dont really even like my wife that much. :P
 #1124  by EP_X0FF
 Wed May 19, 2010 3:45 am
gjf wrote:
EP_X0FF wrote:It was beta version.
Which one - was? CureIt! in past or DrWeb (which able to cure TDL3) now?
I've retested Dr.Web Antivirus 6.0 from 28.04.2010 (downloaded from official site) against TDL3+.
Dr.Web has been updated to newest bases from 19.05.2010, newest components and has version 6.00.2.05140.
TDL3+ dropper has been updated to latest to make sure it won't be detected by signatures/heur.
[main]
quote=Tempers are wearing thin. Let's hope some robot doesn't kill everybody
version=3.273
botid=
affid=
subid=0
installdate=19.5.2010 3:39:15
builddate=19.5.2010 3:35:45
rnd=823518204
[injector]
*=tdlcmd.dll
[tdlcmd]
version=3.75
It can't detect/remove TDL3. Actually all what it was able to detect - mapped tdlcmd.dll as BackDoor.Tdss.565

Note: as you see with new tdlcmd there are no ip's and servers list now in config.ini, who want them, here they are
hxxps://873hgf7xx60.com
hxxps://34jh7alm94.asia
hxxps://112.121.181.26
hxxps://61.61.20.132
hxxps://68b6b6b6.com
hxxps://1iii1i11i1ii.com
hxxps://0o0o0o0o0.com
hxxp://mfdclk001.org
hxxp://lk01ha71gg1.cc
hxxp://zl091kha644.com
hxxp://a74232357.cn
hxxp://a76956922.cn
hxxp://91jjak4555j.com
hxxp://cri71ki813ck.com
Test sample attached.
http://www.virustotal.com/analisis/1531 ... 1274240886
Last edited by EP_X0FF on Sat Jul 10, 2010 3:08 am, edited 1 time in total. Reason: removed attach (10 July 2010)
 #1125  by gjf
 Wed May 19, 2010 7:27 am
EP_X0FF wrote:It can't detect/remove TDL3. Actually all what it was able to detect - mapped tdlcmd.dll as BackDoor.Tdss.565
It is exactly what I've tried to tell you, pal! :) Looks like there is no any "product" antivirus which is able to cure active infection. All vendors tries to produce some dedicatedtools to remove TDL3, but this tools use new technologies, sometimes not too stable. That's why they are not hurry to merge it with "products", I believe.
 #1126  by PX5
 Wed May 19, 2010 9:44 am
LOL@CureIt

It was worth the 30MB dload but on infected machine, you never reach this site, marco had to dload it for me and send it over, immediatly IDed TDL3 and erdadicated it.

Kudos to RKU LE, I wish I had learn to use this tool very long time ago, so many nice and useful functions, great job my friend. :D

Reboot and retest will tell story.
 #1127  by gjf
 Wed May 19, 2010 10:48 am
Concerning the last version - Norman TDSS Cleaner and eSage TDSS Remover effectively removes the infection. I was informed that Kaspersky TDSS Killer fails to do it in present time.

Maybe it would be interesting, but rootkit connects not only with servers in config. In my experiment config was as follows:
Code: Select all
[main]
quote=Dude, meet me in Montana XX00, Jesus (H. Christ)
version=3.273
botid=e71c51f6-5151-41d1-a295-4e05013203f2
affid=11418
subid=0
installdate=19.5.2010 9:52:49
builddate=19.5.2010 3:35:45
rnd=507921405
[injector]
*=tdlcmd.dll
[tdlcmd]
version=3.75
delay=7200
servers=https://873hgf7xx60.com/;https://34jh7alm94.asia/;https://112.121.181.26/;https://61.61.20.132/;https://68b6b6b6.com/;https://1iii1i11i1ii.com/;https://0o0o0o0o0.com/
wspservers=http://lk01ha71gg1.cc/;http://zl091kha644.com/;http://a74232357.cn/;http://a76956922.cn/;http://91jjak4555j.com/
popupservers=http://cri71ki813ck.com/
clkservers=http://lkckclckl1i1i.com/
but rootkit tried to connect
Code: Select all
http://mfdclk001.org/Cke141lP7b5qHIc5Y2xrPTEuNiZiaWQ9ZTcxYzUxZjYtNTE1MS00MWQxLWEyOTUtNGUwNTAxMzIwM2YyJmFpZD0xMTQxOCZzaWQ9MCZyZD0xOS41LjIwMTA=15x
Please note there was no mfdclk001.org in config (but possibly some of hosts just redirects there).

Injected dll, infected driver.
  • 1
  • 14
  • 15
  • 16
  • 17
  • 18
  • 40