A forum for reverse engineering, OS internals and malware analysis 

Rootkit TDL 4 (alias TDSS, Alureon.DX, Olmarik)

Forum for analysis and discussion about malware.

Re: TR/Code.lkx.7

 #3406  by EP_X0FF
 Wed Nov 10, 2010 1:16 pm
This is TDL4.03 dropper.

new sort of quotes.
The Joan W. and Irving B. Harris Theater for Music and Dance is a 1525-seat theater for the performing arts located along the northern edge of Millennium Park in the Loop community area of Chicago.
%1d.%1d %04d SP%1d.%1d ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/ %x%x%x%x%x%x prn3 %s|%s|%s|%x|%x|%s|%s %.*s %[^;];%[^;];%[^;]; \ f s d e v %.*s %.*s %[^;];%[^;];%[^;]; _snwprintf ntdll.dll imagepath \ { % 0 8 x - % 0 4 x - % 0 4 x - % 0 4 x - % 0 4 x % 0 8 x } \??\ system\currentcontrolset\services\%s type \ r e g i s t r y \ m a c h i n e \ % S cmd.dll \\?\globalroot%wZ\%s cfg.ini \\?\globalroot%wZ\%s bckfg.tmp \\?\globalroot%wZ\%s cmd.dll * inject aid main sid main %[^|]|%[^|]|%s srv cmd wsrv cmd psrv cmd %d.%d.%d %d:%d:%d \\?\globalroot\systemroot %d builddate main ldr16 \\?\globalroot%wZ\%s ldr32 \\?\globalroot%wZ\%s ldr64 \\?\globalroot%wZ\%s drv64 \\?\globalroot%wZ\%s cmd64.dll \\?\globalroot%wZ\%s cmd64.dll * (x64) inject drv32 \\?\globalroot%wZ\%s 0 0 \ ? ? \ c : \ ? ? \ p h y s i c a l d r i v e % d _snwprintf ntdll.dll %[^;];%[^;];%[^;]; \ { % 0 8 x - % 0 4 x - % 0 4 x - % 0 4 x - % 0 4 x % 0 8 x } %.*s %.*s %[^|]|%[^|]|%s [main]
aid=%s
sid=%s
[inject]
*=cmd.dll
* (x64)=cmd64.dll
[cmd]
srv=%s
wsrv=%s
psrv=%s
cfg.ini mbr ldr16 ldr32 ldr64 drv32 drv64 cmd.dll cmd64.dll bckfg.tmp s e r v i c e s . e x e IsWow64Process kernel32 \ \ ? \ g l o b a l r o o t % s % s . m a n i f e s t . e x e . m a n i f e s t <?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><ms_asmv2:trustInfo xmlns:ms_asmv2="urn:schemas-microsoft-com:asm.v2"><ms_asmv2:security><ms_asmv2:requestedPrivileges><ms_asmv2:requestedExecutionLevel level="requireAdministrator"></ms_asmv2:requestedExecutionLevel></ms_asmv2:requestedPrivileges></ms_asmv2:security></ms_asmv2:trustInfo></assembly> \ R P C C o n t r o l \ s p o o l s s \ \ ? \ g l o b a l r o o t % s \ ? ? \ G L O B A L R O O T \ R P C C o n t r o l \ s p o o l s s ZwConnectPort ntdll.dll spooler
[main]
version=0.03
aid=40311
sid=0
builddate=4096
rnd=1202660629
knt=1289395086
[inject]
*=cmd.dll
* (x64)=cmd64.dll
[cmd]
srv=hxxps://zz87lhfda88.com/;hxxps://01n02n4cx00.com/;hxxps://1l1i16b0.com/;hxxps://zz87ihfda88.com/;hxxps://10n02n4cx00.com/
wsrv=hxxp://cijkcplxelabn.com/;hxxp://aurelehopkin.com/;hxxp://blacklistchek.com/;hxxp://teiretorkie.com/;hxxp://pxlratotor.com/
psrv=hxxp://advcpworld.com/
version=0.15
bsh=7cc58f823385d3db130c319bc8c1eef122acbfd1
delay=7200
csrv=hxxp://z0g7yail0.com/
TDL files in attach

Our friend have a new stuff on board :)
RPC Control\spoolss
Attachments
pass: malware
(70.67 KiB) Downloaded 111 times

Re: Rootkit TDL 3 (alias TDSS, Alureon)

 #3410  by EP_X0FF
 Wed Nov 10, 2010 2:16 pm
IDA more-less friendly installer dll. Enjoy reversing.
Attachments
1.JPG
1.JPG (54.18 KiB) Viewed 671 times
pass: malware
(105.4 KiB) Downloaded 61 times

Re: Rootkit TDL 3 (alias TDSS, Alureon)

 #3439  by Jaxryley
 Fri Nov 12, 2010 8:11 am
Anything new in this dg.exe which is bsod-ing my XP VM?
hxxp:// hillsdemocrat.com/.uit970q/?getexe=dg.exe
hxxp:// hillsdemocrat.com/.uit970q/?getexe=ff2ie.exe
hxxp:// hillsdemocrat.com/.uit970q/?getexe=zup32.exe
hxxp:// hillsdemocrat.com/.uit970q/?getexe=m24.in.exe
dg.exe - 6/16 - Sophos - Mal/TDSSPack-Z - MD5: 73cce5d6a5880669f11ef6b7157e0b9b
http://virusscan.jotti.org/en/scanresul ... 553090f0d0
Pass:
malware
(496.62 KiB) Downloaded 69 times

Re: Rootkit TDL 3 (alias TDSS, Alureon)

 #3442  by STRELiTZIA
 Fri Nov 12, 2010 8:45 am
Hello,
Jaxryley wrote:Anything new in this dg.exe which is bsod-ing my XP VM?
No BSoD for me. VMWare + XP SP3
[main]
version=0.03
aid=40787
sid=0
builddate=4096
rnd=606747145
[inject]
*=cmd.dll
* (x64)=cmd64.dll
[cmd]
srv=https://nl6fa53.com/;https://li1i16b0.c ... i16b0.com/
wsrv=http://ijmgwareh0use.com/;http://cljkcp ... tator.com/
psrv=http://cikh71ynks66.com/;http://clkh71yhks66.com/
version=0.15
Regards.

Re: Rootkit TDL 3 (alias TDSS, Alureon)

 #3446  by Jaxryley
 Fri Nov 12, 2010 11:16 am
STRELiTZIA wrote:No BSoD for me. VMWare + XP SP3
XP Pro SP2 and Win 7 VM's - MS Virtual PC SP1 and both BSOD?

Thank's for checking the sample STRELiTZIA. 8-)

Image

Re: Rootkit TDL 3 (alias TDSS, Alureon)

 #3459  by EP_X0FF
 Sat Nov 13, 2010 5:05 am
Fresh sample.

7/43

http://www.virustotal.com/file-scan/rep ... 1289623819
[main]
version=0.03
aid=30020
sid=0
builddate=4096
rnd=1482476501
[inject]
*=cmd.dll
* (x64)=cmd64.dll
[cmd]
srv=hxxps://rukkeianno.com/;hxxps://kangojim1.com/;hxxps://lkaturi71.com/;hxxps://neywrika.in/;hxxps://86b6b6b6.com/
wsrv=hxxp://skolewcho.com/;hxxp://jikdooyt0.com/;hxxp://swltcho81.com/;hxxp://switcho81.com/;hxxp://rammyjuke.com/
psrv=hxxp://cri71ki813ck.com/
version=0.15
Died after reboot.
Attachments
pass: malware
(114.2 KiB) Downloaded 82 times

Re: Rootkit TDL 3 (alias TDSS, Alureon)

 #3474  by EP_X0FF
 Sat Nov 13, 2010 6:57 pm
Another sample with routers stuff on board. According to very high static detection ratio group definitely needs packer update/cleanup.

http://www.virustotal.com/file-scan/rep ... 1289673769

Too many sensitive strings inside to post.
Attachments
pass: malware
(45.78 KiB) Downloaded 71 times

Re: Rootkit TDL 3 (alias TDSS, Alureon)

 #3484  by a_d_13
 Sun Nov 14, 2010 10:27 pm
PX5 wrote:http://dnusax.com/ic/ic1.exe

TrojanDropper:Win32/Alureon.V [Microsoft]
File is attached.

Thanks,
--AD
Attachments
Pass: infected
(899.35 KiB) Downloaded 101 times
  • 1
  • 28
  • 29
  • 30
  • 31
  • 32
  • 60
 Return to “Malware”