A forum for reverse engineering, OS internals and malware analysis 

 #660  by EP_X0FF
 Mon Apr 12, 2010 12:34 am
Hello,

Perhaps this can shed some light on this mysterious file (it is now even PE file)
http://answers.google.com/answers/threa ... 79159.html
darseq wrote:I still have a question. Exactly what does tdl3 do once infected? How bad has my system been
compromised? Should I be changing all my passwords?
Your system is part of a huge botnet. Actually, TDL works like a backdoor, downloader and DNS changer.
It stores all downloaded files inside its own encrypted file system, so you can't find these files with the usual tools.
TDL downloaded content varies. It can download additional 3rd party malware. This malware can download another malware, and so on.
I recommend that after system cleanup you change all your passwords.

Regards.
 #667  by wealllbe20
 Mon Apr 12, 2010 2:09 pm
InsaneKaos wrote:That's interesting, because when I change the registry key, after a reboot it is changed back. My changes are discarded.
What sample of tdl3 are you using?
 #669  by InsaneKaos
 Mon Apr 12, 2010 3:03 pm
wealllbe20 wrote:What sample of tdl3 are you using?
This one, that I've posted.

I've tested this sample very often, 15 times or more. In one test Gmer didn't spot the infected driver. Gmer only picked up that atapi.sys was modified and didn't find the infected dmio.sys.
 #685  by STRELiTZIA
 Tue Apr 13, 2010 4:53 pm
Hi,
Updated for fun :)
TDL3+ Cleaner 1.1
Tested on Windows XP SP2 and SP3
Working with the "Copy/Restore" exploit...

Edit:
Deleted attachment because of a bug.
Last edited by STRELiTZIA on Wed Apr 14, 2010 5:19 pm, edited 1 time in total.
 #687  by NeonFx
 Tue Apr 13, 2010 9:26 pm
I've heard that the new guy will remove all services from restore point backups leaving you with a registry without services after a system restore. Is there any truth to this?

Another odd symptom reported was it preventing users from posting longer replies in online forums. Short replies would go through without a problem.
 #688  by NeonFx
 Tue Apr 13, 2010 11:43 pm
It's possible Hitman Pro is capable of removing this version. See this user being helped here w/ serial.sys & atapi.sys showing up in GMER:

http://www.geekstogo.com/forum/Google-R ... 73754.html

Here's a link to their intro to TDL3 page and a link to their tool at the bottom of the page:

http://www.surfright.nl/en/home/press/t ... s-programs
 #696  by IndiGenus
 Wed Apr 14, 2010 3:10 am
InsaneKaos wrote:Hitman Pro needs a license for removal. It doesn't find the infected driver on my VM.
You can activate it for 30 days without purchasing a license. Unfortunately, it did not work on this new variant against 3 different "drops" on my VM.

The 3 drivers found by GMER were:
C:\WINDOWS\system32\drivers\intelide.sys
C:\WINDOWS\system32\DRIVERS\i8042prt.sys
C:\WINDOWS\system32\DRIVERS\tcpip.sys

Hitman Pro version 3.5.4 - build 92 did not find or remove any of them.