Together with some colleagues I have made this simple little tool, 'TDSS Qlook'.
This tool is designed to give the helper an easy way of obtaining information about the files TDSSKiller has quarantined.
There are two options:
- A Scan
- B Fix
Option A (Scan)
With this option the tool produces a log called TDSSQ.txt in the folder TDSS Qlook is started from. The scan reads the *.ini files in the quarantine folders created by TDSSKiller.
The section 'DIR list' enumerates the contents (files and folders) of each directory in the TDSSKiller quarantine folder.
Example LOG:
TDSSKiller Quarantine Information log
Version 1.0.0.0
***** START SCAN Sat 12/31/2011 12:45:49.24 *****
---------- DIR LIST ----------
C:\TDSSKiller_Quarantine\30.12.2011_12.42.12
C:\TDSSKiller_Quarantine\30.12.2011_12.42.12\susp0000
C:\TDSSKiller_Quarantine\30.12.2011_12.42.12\susp0000\svc0000
C:\TDSSKiller_Quarantine\30.12.2011_12.42.12\susp0000\object.ini
C:\TDSSKiller_Quarantine\30.12.2011_12.42.12\susp0000\svc0000\tsk0000.dta
C:\TDSSKiller_Quarantine\30.12.2011_12.42.12\susp0000\svc0000\tsk0000.ini
C:\TDSSKiller_Quarantine\30.12.2011_12.42.12\susp0000\svc0000\object.ini
---------- INI FILES ----------
=== C:\TDSSKiller_Quarantine\30.12.2011_12.42.12\susp0000\object.ini ===
[InfectedObject]
Verdict: LockedFile.Multi.Generic
=== C:\TDSSKiller_Quarantine\30.12.2011_12.42.12\susp0000\svc0000\object.ini ===
[InfectedObject]
Type: Service
Name: sptd
Type: Kernel driver (0x1)
Start: Boot (0x0)
ImagePath: \SystemRoot\System32\Drivers\sptd.sys
Suspicious states: Locked file;
=== C:\TDSSKiller_Quarantine\30.12.2011_12.42.12\susp0000\svc0000\tsk0000.ini ===
[InfectedFile]
Type: Raw image
Src: C:\Windows\System32\Drivers\sptd.sys
md5: f42efefb765235f24b24e1d2b6f99f46
***** END SCAN Sat 12/31/2011 12:45:52.40 *****
- EOF -
The section 'INI files' shows all the information about the quarantined files that you need in order to restore them.
TDSSKiller renames a quarantined file to *.dta (tsk0000.dta) and keeps it in the same susp00**\..\ folder together with one *.ini (tsk0000.ini) and two object.ini files; these *.ini files contain the information for each separate file.
If C:\TDSSKiller_Quarantine is not present, the log looks like this.
TDSSKiller Quarantine Information log
Version 1.0.0.0
***** START SCAN Sat 12/31/2011 12:56:28.09 *****
---------- Warning! ----------
TDSSKiller Quarantine folder not found
***** END SCAN Sat 12/31/2011 12:56:28.11 *****
- EOF -
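As an added example (not part of TDSS Qlook or of TDSSKiller), the Python script below does what the Option A scan does with the layout described above: it walks a quarantine tree, parses the object.ini and tsk0000.ini files (keeping repeated keys such as the two 'Type' lines of a service entry, which a plain INI parser would collapse), renders a DIR LIST / INI FILES report in the shape of TDSSQ.txt, and then checks every .dta against the md5 recorded in its .ini before producing the COPY lines one would paste into Option B. The tree it scans is constructed in a temporary folder with made-up file contents (one .dta is deliberately tampered to show the mismatch case); folder and file names follow the logs in this post. Nothing is copied back to System32.

```python
import hashlib
import os
import tempfile
from pathlib import Path

def parse_tdss_ini(path):
    """(section, [(key, value), ...]) for one quarantine .ini. Keys can repeat
    (a service object.ini has two 'Type' lines), so no dict/configparser."""
    section, pairs = None, []
    for line in map(str.strip, Path(path).read_text(encoding="utf-8", errors="replace").splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif ":" in line:
            key, _, value = line.partition(":")  # first colon only: 'Src: C:\...' keeps its drive letter
            pairs.append((key.strip(), value.strip()))
    return section, pairs

def lookup(pairs, key):
    return next((v for k, v in pairs if k.lower() == key.lower()), None)

def scan_quarantine(root):
    """Walk root (e.g. C:\\TDSSKiller_Quarantine) into DIR LIST, parsed .ini files and a restore plan; None if missing."""
    root = Path(root)
    if not root.is_dir():
        return None
    dir_list, inis, plan = [], [], []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # in-place sort gives os.walk a stable order
        if Path(dirpath) != root:
            dir_list.append(str(Path(dirpath)))
        for name in sorted(filenames):
            path = Path(dirpath, name)
            dir_list.append(str(path))
            if path.suffix.lower() != ".ini":
                continue
            section, pairs = parse_tdss_ini(path)
            inis.append((str(path), section, pairs))
            if section == "InfectedFile" and lookup(pairs, "Src"):  # tskNNNN.ini describes tskNNNN.dta beside it
                dta = path.with_suffix(".dta")
                recorded = (lookup(pairs, "md5") or "").lower()
                actual = hashlib.md5(dta.read_bytes()).hexdigest() if dta.is_file() else None
                plan.append({"dta": str(dta), "src": lookup(pairs, "Src"), "image": lookup(pairs, "Type"),
                             "recorded": recorded, "actual": actual, "ok": actual == recorded})
    return {"dir_list": dir_list, "inis": inis, "plan": plan}

def render_report(scan):
    """Text in the shape of TDSSQ.txt, plus a RESTORE CHECK section."""
    out = ["TDSSKiller Quarantine Information log"]
    if scan is None:
        return "\n".join(out + ["---------- Warning! ----------", "TDSSKiller Quarantine folder not found"])
    out += ["---------- DIR LIST ----------", *scan["dir_list"], "---------- INI FILES ----------"]
    for path, section, pairs in scan["inis"]:
        out += [f"=== {path} ===", f"[{section}]", *(f"{k}: {v}" for k, v in pairs)]
    out.append("---------- RESTORE CHECK ----------")
    for e in scan["plan"]:
        out.append(f"{e['dta']} -> {e['src']} ({e['image']}): "
                   + ("md5 OK" if e["ok"] else f"md5 MISMATCH {e['actual']} != {e['recorded']}"))
    return "\n".join(out)

def restore_commands(plan):
    """Option B batch lines: COPY only a .dta that still hashes to its recorded md5 and is the sole
    image of its Src; a Raw image / Api image pair ('Forged file') gets REM lines for a human decision."""
    per_src = {}
    for e in plan:
        per_src.setdefault(e["src"].lower(), []).append(e)
    cmds = []
    for e in plan:
        if len(per_src[e["src"].lower()]) > 1:
            cmds.append(f'REM {e["dta"]} ({e["image"]}) is one of several images of {e["src"]}; choose by hand')
        elif not e["ok"]:
            cmds.append(f'REM {e["dta"]} does not match recorded md5 {e["recorded"]}; do not restore')
        else:
            cmds.append(f'COPY "{e["dta"]}" "{e["src"]}"')
    return cmds

def build_sample(base):
    """Constructed tree mirroring the post's layout. Bytes are made up and
    tsk0001.dta is deliberately tampered so its md5 no longer matches."""
    def ini(typ, src, data):
        return f"[InfectedFile]\nType: {typ}\nSrc: {src}\nmd5: {hashlib.md5(data).hexdigest()}\n"
    sptd, raw, api = b"MZ sptd image", b"MZ vmhgfs raw image", b"MZ vmhgfs api image"
    files = {
        "30.12.2011_12.42.12/susp0000/svc0000/object.ini": "[InfectedObject]\nType: Service\nName: sptd\n"
            "Type: Kernel driver (0x1)\nStart: Boot (0x0)\nImagePath: \\SystemRoot\\System32\\Drivers\\sptd.sys\n",
        "30.12.2011_12.42.12/susp0000/svc0000/tsk0000.dta": sptd,
        "30.12.2011_12.42.12/susp0000/svc0000/tsk0000.ini": ini("Raw image", "C:\\Windows\\System32\\Drivers\\sptd.sys", sptd),
        "31.12.2011_13.21.44/rtkt0000/svc0000/tsk0000.dta": raw,
        "31.12.2011_13.21.44/rtkt0000/svc0000/tsk0000.ini": ini("Raw image", "C:\\WINDOWS\\system32\\DRIVERS\\vmhgfs.sys", raw),
        "31.12.2011_13.21.44/rtkt0000/svc0000/tsk0001.dta": api + b" tampered",
        "31.12.2011_13.21.44/rtkt0000/svc0000/tsk0001.ini": ini("Api image", "C:\\WINDOWS\\system32\\DRIVERS\\vmhgfs.sys", api),
    }
    for rel, data in files.items():
        p = Path(base, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data if isinstance(data, bytes) else data.encode())

def demo():
    tmp = Path(tempfile.mkdtemp(prefix="tdssq_"))  # stands in for C:\ on the infected machine
    build_sample(tmp / "TDSSKiller_Quarantine")
    scan = scan_quarantine(tmp / "TDSSKiller_Quarantine")
    return {"scan": scan, "report": render_report(scan), "commands": restore_commands(scan["plan"]),
            "missing": render_report(scan_quarantine(tmp / "no_such_folder"))}

if __name__ == "__main__":
    result = demo()
    print(result["report"], "", *result["commands"], sep="\n")
```

Run it with python to see the report and the proposed batch lines. A Src that appears as both a Raw image and an Api image (the 'Forged file' case in the second example log further down) is never turned into a COPY automatically: the two copies have different md5 sums, so the helper has to decide which one is the clean driver before restoring anything.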
Option B (Fix)
With this option the tool opens a blank Notepad window in which you can put 'batch scripts'. When you close this window and save the file, it automatically runs the batch script you inserted.
Example 1:
COPY "C:\TDSSKiller_Quarantine\30.12.2011_12.42.12\susp0000\svc0000\tsk0000.dta" C:\Windows\System32\Drivers\sptd.sys
Example 2:
REN "C:\TDSSKiller_Quarantine\30.12.2011_12.42.12\susp0000\svc0000\tsk0000.dta" sptd.sys
COPY "C:\TDSSKiller_Quarantine\30.12.2011_12.42.12\susp0000\svc0000\sptd.sys" C:\Windows\System32\Drivers\
Both examples put the quarantined file back at the path recorded as Src in its tsk0000.ini; the md5 in that .ini lets you check that the .dta is unchanged before you copy it back.
Example logs
TDSSKiller Quarantine Information log
Version 1.0.0.0
***** START SCAN za 31-12-2011 13:34:11,11 *****
---------- DIR LIST ----------
C:\TDSSKiller_Quarantine\31.12.2011_13.21.44
C:\TDSSKiller_Quarantine\31.12.2011_13.21.44\rtkt0000
C:\TDSSKiller_Quarantine\31.12.2011_13.21.44\rtkt0000\object.ini
C:\TDSSKiller_Quarantine\31.12.2011_13.21.44\rtkt0000\svc0000
C:\TDSSKiller_Quarantine\31.12.2011_13.21.44\rtkt0000\svc0000\object.ini
C:\TDSSKiller_Quarantine\31.12.2011_13.21.44\rtkt0000\svc0000\tsk0000.dta
C:\TDSSKiller_Quarantine\31.12.2011_13.21.44\rtkt0000\svc0000\tsk0000.ini
C:\TDSSKiller_Quarantine\31.12.2011_13.21.44\rtkt0000\svc0000\tsk0001.dta
C:\TDSSKiller_Quarantine\31.12.2011_13.21.44\rtkt0000\svc0000\tsk0001.ini
---------- INI FILES ----------
=== C:\TDSSKiller_Quarantine\31.12.2011_13.21.44\rtkt0000\object.ini ===
[InfectedObject]
Verdict: Rootkit.Win32.ZAccess.g
=== C:\TDSSKiller_Quarantine\31.12.2011_13.21.44\rtkt0000\svc0000\object.ini ===
[InfectedObject]
Type: Service
Name: vmhgfs
Type: File system driver (0x2)
Start: System (0x1)
ImagePath: System32\DRIVERS\vmhgfs.sys
Suspicious states: Forged file;
=== C:\TDSSKiller_Quarantine\31.12.2011_13.21.44\rtkt0000\svc0000\tsk0000.ini ===
[InfectedFile]
Type: Raw image
Src: C:\WINDOWS\system32\DRIVERS\vmhgfs.sys
md5: 7f2beb67c7714f701362cc3abac34d40
=== C:\TDSSKiller_Quarantine\31.12.2011_13.21.44\rtkt0000\svc0000\tsk0001.ini ===
[InfectedFile]
Type: Api image
Src: C:\WINDOWS\system32\DRIVERS\vmhgfs.sys
md5: 3b831598ff888319eb49de1800afd6bb
***** END SCAN za 31-12-2011 13:34:14,47 *****
- EOF -
TDSSKiller Quarantine Information log
Version 1.0.0.0
***** START SCAN za 31-12-2011 14:15:01,45 *****
---------- DIR LIST ----------
C:\TDSSKiller_Quarantine\31.12.2011_14.14.21
C:\TDSSKiller_Quarantine\31.12.2011_13.21.44
C:\TDSSKiller_Quarantine\31.12.2011_13.21.44\rtkt0000
C:\TDSSKiller_Quarantine\31.12.2011_13.21.44\rtkt0000\object.ini
C:\TDSSKiller_Quarantine\31.12.2011_13.21.44\rtkt0000\svc0000
C:\TDSSKiller_Quarantine\31.12.2011_13.21.44\rtkt0000\svc0000\object.ini
C:\TDSSKiller_Quarantine\31.12.2011_13.21.44\rtkt0000\svc0000\tsk0000.dta
C:\TDSSKiller_Quarantine\31.12.2011_13.21.44\rtkt0000\svc0000\tsk0000.ini
C:\TDSSKiller_Quarantine\31.12.2011_13.21.44\rtkt0000\svc0000\tsk0001.dta
C:\TDSSKiller_Quarantine\31.12.2011_13.21.44\rtkt0000\svc0000\tsk0001.ini
C:\TDSSKiller_Quarantine\31.12.2011_14.14.21\tdlfs0000
C:\TDSSKiller_Quarantine\31.12.2011_14.14.21\tdlfs0000\object.ini
C:\TDSSKiller_Quarantine\31.12.2011_14.14.21\tdlfs0000\tsk0009.dta
C:\TDSSKiller_Quarantine\31.12.2011_14.14.21\tdlfs0000\tsk0009.ini
C:\TDSSKiller_Quarantine\31.12.2011_14.14.21\tdlfs0000\tsk0008.ini
C:\TDSSKiller_Quarantine\31.12.2011_14.14.21\tdlfs0000\tsk0008.dta
C:\TDSSKiller_Quarantine\31.12.2011_14.14.21\tdlfs0000\tsk0007.ini
C:\TDSSKiller_Quarantine\31.12.2011_14.14.21\tdlfs0000\tsk0007.dta
C:\TDSSKiller_Quarantine\31.12.2011_14.14.21\tdlfs0000\tsk0006.dta
C:\TDSSKiller_Quarantine\31.12.2011_14.14.21\tdlfs0000\tsk0005.dta
C:\TDSSKiller_Quarantine\31.12.2011_14.14.21\tdlfs0000\tsk0005.ini
C:\TDSSKiller_Quarantine\31.12.2011_14.14.21\tdlfs0000\tsk0006.ini
C:\TDSSKiller_Quarantine\31.12.2011_14.14.21\tdlfs0000\tsk0004.dta
C:\TDSSKiller_Quarantine\31.12.2011_14.14.21\tdlfs0000\tsk0003.dta
C:\TDSSKiller_Quarantine\31.12.2011_14.14.21\tdlfs0000\tsk0003.ini
C:\TDSSKiller_Quarantine\31.12.2011_14.14.21\tdlfs0000\tsk0004.ini
C:\TDSSKiller_Quarantine\31.12.2011_14.14.21\tdlfs0000\tsk0002.ini
C:\TDSSKiller_Quarantine\31.12.2011_14.14.21\tdlfs0000\tsk0002.dta
C:\TDSSKiller_Quarantine\31.12.2011_14.14.21\tdlfs0000\tsk0001.ini
C:\TDSSKiller_Quarantine\31.12.2011_14.14.21\tdlfs0000\tsk0000.dta
C:\TDSSKiller_Quarantine\31.12.2011_14.14.21\tdlfs0000\tsk0001.dta
C:\TDSSKiller_Quarantine\31.12.2011_14.14.21\tdlfs0000\tsk0000.ini
---------- INI FILES ----------
=== C:\TDSSKiller_Quarantine\31.12.2011_13.21.44\rtkt0000\object.ini ===
[InfectedObject]
Verdict: Rootkit.Win32.ZAccess.g
=== C:\TDSSKiller_Quarantine\31.12.2011_13.21.44\rtkt0000\svc0000\object.ini ===
[InfectedObject]
Type: Service
Name: vmhgfs
Type: File system driver (0x2)
Start: System (0x1)
ImagePath: System32\DRIVERS\vmhgfs.sys
Suspicious states: Forged file;
=== C:\TDSSKiller_Quarantine\31.12.2011_13.21.44\rtkt0000\svc0000\tsk0000.ini ===
[InfectedFile]
Type: Raw image
Src: C:\WINDOWS\system32\DRIVERS\vmhgfs.sys
md5: 7f2beb67c7714f701362cc3abac34d40
=== C:\TDSSKiller_Quarantine\31.12.2011_13.21.44\rtkt0000\svc0000\tsk0001.ini ===
[InfectedFile]
Type: Api image
Src: C:\WINDOWS\system32\DRIVERS\vmhgfs.sys
md5: 3b831598ff888319eb49de1800afd6bb
=== C:\TDSSKiller_Quarantine\31.12.2011_14.14.21\tdlfs0000\object.ini ===
[InfectedObject]
Verdict: TDSS File System
Name: \Device\Harddisk0\DR0
=== C:\TDSSKiller_Quarantine\31.12.2011_14.14.21\tdlfs0000\tsk0000.ini ===
[InfectedFile]
Name: cfg.ini
Size: 556
File time: 2011/09/21 10:06:04.0421
=== C:\TDSSKiller_Quarantine\31.12.2011_14.14.21\tdlfs0000\tsk0001.ini ===
[InfectedFile]
Name: mbr
Size: 512
File time: 2011/09/21 10:06:04.0453
=== C:\TDSSKiller_Quarantine\31.12.2011_14.14.21\tdlfs0000\tsk0002.ini ===
[InfectedFile]
Name: bckfg.tmp
Size: 840
File time: 2011/09/21 10:06:04.0453
=== C:\TDSSKiller_Quarantine\31.12.2011_14.14.21\tdlfs0000\tsk0003.ini ===
[InfectedFile]
Name: cmd.dll
Size: 36864
File time: 2011/09/21 10:06:04.0468
=== C:\TDSSKiller_Quarantine\31.12.2011_14.14.21\tdlfs0000\tsk0004.ini ===
[InfectedFile]
Name: ldr16
Size: 1319
File time: 2011/09/21 10:06:04.0750
=== C:\TDSSKiller_Quarantine\31.12.2011_14.14.21\tdlfs0000\tsk0005.ini ===
[InfectedFile]
Name: ldr32
Size: 3666
File time: 2011/09/21 10:06:04.0765
=== C:\TDSSKiller_Quarantine\31.12.2011_14.14.21\tdlfs0000\tsk0006.ini ===
[InfectedFile]
Name: ldr64
Size: 4192
File time: 2011/09/21 10:06:04.0765
=== C:\TDSSKiller_Quarantine\31.12.2011_14.14.21\tdlfs0000\tsk0007.ini ===
[InfectedFile]
Name: drv64
Size: 24576
File time: 2011/09/21 10:06:04.0796
=== C:\TDSSKiller_Quarantine\31.12.2011_14.14.21\tdlfs0000\tsk0008.ini ===
[InfectedFile]
Name: cmd64.dll
Size: 20992
File time: 2011/09/21 10:06:04.0968
=== C:\TDSSKiller_Quarantine\31.12.2011_14.14.21\tdlfs0000\tsk0009.ini ===
[InfectedFile]
Name: drv32
Size: 36352
File time: 2011/09/21 10:06:05.0109
***** END SCAN za 31-12-2011 14:15:04,64 *****
- EOF -