A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #2819  by EP_X0FF
 Tue Sep 21, 2010 12:48 am
Well, I see no problems with this version.
They added back the loading "easter egg" btw :)

"Put your signature here" from drvXX.
And as before, it still renders my XP test machine unbootable after infection.
 #2820  by sww
 Tue Sep 21, 2010 6:06 am
EP_X0FF wrote: They added back loading "easter egg" btw :)
What do you mean? :)

Did they fix the BCD patching?
 #2822  by sww
 Tue Sep 21, 2010 7:37 am
EP_X0FF wrote: Look at the debug output during rootkit installation :)
.004013EC: 57 push edi
.004013ED: 6828354000 push 000403528 ;'Put your signature here' --↓1
.004013F2: E8A5000000 call DbgPrint --↓2
.004013F7: 8B7C240C mov edi,[esp][00C]
.004013FB: 59 pop ecx
.004013FC: FF74240C push d,[esp][00C]
.00401400: E8D7FEFFFF call .0004012DC --↑3

:D
 #2825  by xfoo()
 Tue Sep 21, 2010 3:52 pm
I have a different dropper for TDL4 version 0.03.
Sorry, I'm not allowed to share the sample :( so don't ask,
but:
md5 dc0e3455fc6930a66d754ee5b8d69e5e
sha1 9225564776d880f96ae30c0a7d7a6ffff09e96a4

cfg.ini is similar:
[main]
version=0.03
aid=36000
sid=777
builddate=4096
rnd=1292428093
[inject]
*=cmd.dll
[cmd]
srv=https://hdchicken.com/;https://flyhdkosa.com/;https://hdchjcken.com/;https://fluhdkoza.com/;https://204.45.120.18/
wsrv=http://lk01ha71gg1.cc/;http://zl091kha644.com/;http://a74232357.cn/;http://a76956922.cn/;http://91jjak4555j.com/
psrv=http://cri71ki813ck.com/
version=0.14
And this is what I was talking about, zeroing the globalroot:
seg000:000001D6 8D 7E 10                                lea     edi, a?GlobalrootDev[esi] ; "\\\\?\\globalroot\\device\\00000626\\767e8684"...
seg000:000001D9 32 C0                                   xor     al, al
seg000:000001DB B9 04 01 00 00                          mov     ecx, 104h
seg000:000001E0 F3 AA                                   rep stosb               ; zeros the globalroot
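As an added example (not code from the thread), a small Python parser for the cfg.ini layout quoted above: it reads the three sections, splits the ';'-separated `srv`/`wsrv`/`psrv` lists in `[cmd]` into one indicator record per URL, and marks IP-literal hosts separately from domains so they can be fed to the right blocklist. It assumes the three-section format shown in the post and uses that config as its input.

```python
import ipaddress
from urllib.parse import urlparse

# The cfg.ini quoted in the post above, embedded here as the sample input.
SAMPLE_CFG = """[main]
version=0.03
aid=36000
sid=777
builddate=4096
rnd=1292428093
[inject]
*=cmd.dll
[cmd]
srv=https://hdchicken.com/;https://flyhdkosa.com/;https://hdchjcken.com/;https://fluhdkoza.com/;https://204.45.120.18/
wsrv=http://lk01ha71gg1.cc/;http://zl091kha644.com/;http://a74232357.cn/;http://a76956922.cn/;http://91jjak4555j.com/
psrv=http://cri71ki813ck.com/
version=0.14
"""

# Keys in [cmd] that hold ';'-separated server lists (names as they appear in the file).
SERVER_KEYS = ("srv", "wsrv", "psrv")


def parse_cfg(text):
    """Minimal INI reader -> {section: {key: value}}; enough for this cfg.ini layout."""
    cfg, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
            cfg.setdefault(section, {})
        elif "=" in line and section is not None:
            key, _, value = line.partition("=")
            cfg[section][key.strip()] = value.strip()
    return cfg


def extract_c2(cfg):
    """Flatten the [cmd] server lists into indicator records, one per URL."""
    records = []
    for role in SERVER_KEYS:
        for url in filter(None, cfg.get("cmd", {}).get(role, "").split(";")):
            u = urlparse(url)
            try:
                ipaddress.ip_address(u.hostname)  # raises ValueError for domain names
                is_ip = True
            except ValueError:
                is_ip = False
            records.append({"role": role, "scheme": u.scheme,
                            "host": u.hostname, "is_ip": is_ip})
    return records
```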
 #2827  by Jaxryley
 Tue Sep 21, 2010 11:28 pm
For testing.
setup.exe - 2/43 - Sunbelt - Packed.Win32.Tdss.ae (v) - MD5 : a299bd50f1e7433aa2d06e5f3cb78009
http://www.virustotal.com/file-scan/rep ... 1285111198

Dropped 9317e3aAA.dll - 1/43 - Sunbelt - Packed.Win32.Tdss.ae (v) - MD5 : 4564dfb47b8306a78b7299552886ac4b
http://www.virustotal.com/file-scan/rep ... 1285111203
Last edited by Jaxryley on Tue Sep 21, 2010 11:50 pm, edited 1 time in total.
 #2832  by erikloman
 Wed Sep 22, 2010 6:01 am
Jaxryley wrote: For testing.
setup.exe - 2/43 - Sunbelt - Packed.Win32.Tdss.ae (v) - MD5 : a299bd50f1e7433aa2d06e5f3cb78009
http://www.virustotal.com/file-scan/rep ... 1285111198

Dropped 9317e3aAA.dll - 1/43 - Sunbelt - Packed.Win32.Tdss.ae (v) - MD5 : 4564dfb47b8306a78b7299552886ac4b
http://www.virustotal.com/file-scan/rep ... 1285111203
I think this is an old TDL3, as it is infecting a random system driver, as was the case in April 2010.
Hitman Pro also detected the changed unsafe DNS settings (set by TDL3) and the dropped print spool DLL (which is randomly named).
HitmanPro35.PNG