A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #9498  by rough_spear
 Tue Nov 01, 2011 5:45 pm
Hi All, :D
I'm back with TDL4 and its plugin. :lol:
including the most awaited socks.dll :twisted:

Code:
[main]
version=0.03
aid=30022
sid=0
builddate=351
rnd=854245398
knt=1320123429
[inject]
*=cmd.dll
* (x64)=cmd64.dll
svchost.exe=socks.dll
[cmd]
srv=https://195.3.145.111/;https://212.36.9.52/;https://91.213.29.63/;https://tr1ck-track.com/;https://188.95.52.162/;https://mo0nviser.com/
wsrv=http://gnarenyawr.com/;http://rinderwayr.com/;http://jukdoout0.com/;http://swltcho0.com/;http://ranmjyuke.com/
psrv=http://crj71ki813ck.com/
version=0.31
bsh=b77f22b74a6630d91d7f44bdafb7ce6426cde915
delay=7200
csrv=http://lkckclcklii1i.com/
dlc_srand=103
ns_conf=0
ssl=http://revalati0n-startup.com:8344/
[tasks]
[socks]
port=35211
[tslcaloc]
svchost.exe=180| -g yes -t 1 -o http://pacrim.eclipsemc.com:8337/ -u ilnick89_1 -p 112233
kwrd=300|conhost.exe| -g no -t 1 -o http://generic--t00ls.com:8344/ -u %s -p %s
Regards,

rough_spear. ;)
Attachments
password - malware.
(279.8 KiB)
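Added example (mine, not rough_spear's and not TDL4 code): a small Python parser for the config layout posted above that pulls out what a defender would want to block or alert on (C2 hosts, the inject map, the SOCKS port, the mining-pool tasks). The embedded config is constructed with placeholder hosts and only mirrors the layout quoted in the post.

```python
import configparser
from urllib.parse import urlsplit

# Constructed sample: mirrors the layout of the config quoted in the post,
# with placeholder hosts instead of the real ones.
SAMPLE_CFG = """\
[inject]
*=cmd.dll
* (x64)=cmd64.dll
svchost.exe=socks.dll
[cmd]
srv=https://c2-a.invalid/;https://c2-b.invalid/
wsrv=http://wsrv-a.invalid/;http://wsrv-b.invalid/
psrv=http://psrv.invalid/
[tasks]
[socks]
port=35211
[tslcaloc]
svchost.exe=180| -g yes -t 1 -o http://pool-a.invalid:8337/ -u user_1 -p pw
kwrd=300|conhost.exe| -g no -t 1 -o http://pool-b.invalid:8344/ -u %s -p %s
"""

def load_cfg(text):
    # Plain INI apart from odd keys ("*", "* (x64)") and '%s' placeholders:
    # keep key case, use only '=' as delimiter, and disable interpolation.
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str
    cp.read_string(text)
    return cp

def c2_hosts(cp):
    """Unique hostnames from every ';'-separated server list in [cmd]."""
    hosts = set()
    for key in ("srv", "wsrv", "psrv", "csrv", "ssl"):
        for url in filter(None, cp.get("cmd", key, fallback="").split(";")):
            hosts.add(urlsplit(url).hostname)
    return sorted(h for h in hosts if h)

def miner_tasks(cp):
    """[tslcaloc] lines are 'interval|args' or 'interval|process|args';
    pull the run interval, optional host process and the '-o' pool URL."""
    tasks = []
    for name, val in cp.items("tslcaloc"):
        parts = [p.strip() for p in val.split("|")]
        args = parts[-1].split()
        tasks.append({"name": name, "interval": int(parts[0]),
                      "process": parts[1] if len(parts) == 3 else None,
                      "pool": args[args.index("-o") + 1] if "-o" in args else None})
    return tasks
```

The inject map and SOCKS port come straight from `dict(cp.items("inject"))` and `cp.getint("socks", "port")`; the host list and pool URLs are what you would feed into DNS/proxy blocklists.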
 #9519  by limiter
 Thu Nov 03, 2011 12:09 pm
Cheers rough_spear, going to have a look at this in more detail! I read recently that TDL4 had been updated and checked for VMs. Does the infection run in a virtual machine, or does it check and then stop itself?
 #9521  by EP_X0FF
 Thu Nov 03, 2011 12:38 pm
limiter wrote: I read recently that TDL4 had been updated and checked for VMs. Does the infection run in a virtual machine, or does it check and then stop itself?
Where did you get this? In an ESET article? This is not TDL4. Somehow the mistakes of others spawn ridiculous legends and myths.
 #9523  by EP_X0FF
 Thu Nov 03, 2011 1:20 pm
limiter wrote: Has anyone got an infected binary of TDL4? I can't seem to find a new one around; any help would be great, I really want to analyse it.
OK, one more time. Before posting anything in this thread it is highly recommended to read this thread from page 1 to the current one. Flooding it with "give me sample" posts is not welcome. Such posts will be removed and, if required, the user will be banned.
 #9765  by EP_X0FF
 Sat Nov 19, 2011 3:58 pm
steward wrote: Why dead?
Call 1-800-TDSS for more info.
Would you explain that? Please.
There is a new TDL4 version branch ITW: MaxSS/SST. TDL4, as well as its predecessor, the refined TDL3, can still be found ITW. Don't ask for a fresh sample; if someone has it, they will share it.
 #10410  by erikloman
 Fri Dec 16, 2011 3:04 pm
Hi all. I am looking for a specific TDL4 (or variant) dropper that uses ACPI.sys (XP 32-bit) to conceal its DEVICE_OBJECT hijacking. Thanks!