A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #2500  by EP_X0FF
 Mon Aug 30, 2010 4:26 am
Mister Kleissner's posts removed because he silently edited them to be unacceptable at this board. This behavior violates forum rules:
"Please don't use inappropriate language on the forums."
Additionally, the posts contain personal attacks on another forum member.

The user gets his first and last warning. On a second violation he will be banned.
 #2502  by __Genius__
 Mon Aug 30, 2010 4:34 am
TDL3/TDSS/Alureon 64-bit rootkit domains (from MDL):
Blog posts on the matter:
http://www.prevx.com/blog/154/TDL-rootkit-x-goes-in-the-wild.html
http://www.prevx.com/blog/155/x-TDL-rootkit--follow-up.html
http://blogs.technet.com/b/mmpc/archive/2010/08/27/alureon-evolves-to-64-bit.aspx

Domains:
hxxp://mahjongmuseum.com/.oieq/?getexe=dg.exe  (Virustotal Link)

Also worth investigating:
hxxps://68b6b6b6.com/
hxxps://61.61.20.132/
hxxps://34jh7alm94.asia
hxxps://61.61.20.135/
hxxps://nyewrika.in/
hxxps://rukkieanno.in/
hxxp://rudolfdisney.com/
hxxp://crozybanner.com/
hxxp://imagemonstar.com/
hxxp://funimgpixson.com/
hxxp://bunnylandisney.com/
hxxp://cri71ki813ck.com/
hxxp://lkckclckl1i1i.com/
 #2504  by EP_X0FF
 Mon Aug 30, 2010 4:50 am
__Genius__ wrote:TDL3/TDSS/Alureon 64-bit rootkit domains (from MDL):
Blog posts on the matter:
http://www.prevx.com/blog/154/TDL-rootkit-x-goes-in-the-wild.html
http://www.prevx.com/blog/155/x-TDL-rootkit--follow-up.html
http://blogs.technet.com/b/mmpc/archive/2010/08/27/alureon-evolves-to-64-bit.aspx
This was posted here, a little bit earlier. :)
hxxp://mahjongmuseum.com/.oieq/?getexe=dg.exe
This is classic TDL3+:
[main]
version=3.273
quote=Tempers are wearing thin. Let's hope some robot doesn't kill everybody
botid=74f8e63e-5915-4beb-a4e7-44bba20d02e1
affid=20787
subid=0
installdate=30.8.2010 4:48:47
builddate=27.8.2010 6:0:4
rnd=746137067
[injector]
*=tdlcmd.dll
[tdlcmd]
servers=hxxps://nichtadden.in/;hxxps://91.212.226.67/;hxxps://li1i16b0.com/;hxxps://zz87jhfda88.com/;hxxps://n16fa53.com/;hxxps://01n02n4cx00.cc/;hxxps://lj1i16b0.com/
wspservers=hxxp://zl00zxcv1.com/;hxxp://zloozxcv1.com/;hxxp://71ha6dl01.com/;hxxp://axjau710h.com/;hxxp://rf9akjgh716zzl.com/;hxxp://dsg1tsga64aa17.com/;hxxp://l1i1e3e3oo8as0.com/;hxxp://7gafd33ja90a.com/;hxxp://n1mo661s6cx0.com/
popupservers=hxxp://clkh71yhks66.com/
version=3.941
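The config dump above is an INI-style file: per-section key=value pairs, with the C2 lists in [tdlcmd] joined by ';' and the version key present twice (once in [main], once in [tdlcmd]), so a flat key/value parse would silently lose one of them. The following is an added example, not code from the post or from the rootkit: a small section-aware parser that pulls the bot id, affiliate id, both versions and every server host out of such a dump, refangs the hxxp:// scheme so the hostnames can be split and sorted into IPs and domains, and also handles the one-URL-per-line list format of the earlier MDL post. The embedded CONFIG_INI and URL_LIST are constructed copies of a subset of the fields shown above; the treatment of the format (section headers, first '=' splits key from value, ';' separates list entries) is an assumption drawn from the dump itself, not the rootkit's own parser.

```python
"""Section-aware parser for a TDL3-style config.ini dump plus IOC extraction.
Added example; constructed input, not a file captured from the rootkit."""
import re
from ipaddress import ip_address
from urllib.parse import urlsplit

# Constructed subset of the config dump shown in the post above.
CONFIG_INI = """[main]
version=3.273
botid=74f8e63e-5915-4beb-a4e7-44bba20d02e1
affid=20787
subid=0
installdate=30.8.2010 4:48:47
builddate=27.8.2010 6:0:4
[injector]
*=tdlcmd.dll
[tdlcmd]
servers=hxxps://nichtadden.in/;hxxps://91.212.226.67/;hxxps://li1i16b0.com/
wspservers=hxxp://zl00zxcv1.com/;hxxp://zloozxcv1.com/
popupservers=hxxp://clkh71yhks66.com/
version=3.941
"""

# Constructed subset of the defanged one-per-line list from the MDL post.
URL_LIST = """hxxps://68b6b6b6.com/
hxxps://61.61.20.132/
hxxp://rudolfdisney.com/
"""

GUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")


def parse_ini(text):
    """Return {section: {key: value}}. Keys are scoped to their section, so the
    two 'version' keys ([main] and [tdlcmd]) survive side by side. The value is
    everything after the first '=', kept verbatim (assumed format, see lead-in)."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue  # key before any section header, or a malformed line
        key, _, value = line.partition("=")
        sections[current][key.strip()] = value.strip()
    return sections


def refang(url):
    """hxxp(s):// -> http(s):// so urlsplit recognises the scheme and host."""
    return re.sub(r"^hxx(p|ps)://", r"htt\1://", url, flags=re.IGNORECASE)


def split_servers(value):
    """';'-separated server list -> list of refanged URLs (assumed separator)."""
    return [refang(s.strip()) for s in value.split(";") if s.strip()]


def classify_hosts(urls):
    """Split hostnames into literal IPs and domain names."""
    ips, domains = set(), set()
    for url in urls:
        host = urlsplit(url).hostname
        if not host:
            continue
        try:
            ip_address(host)
            ips.add(host)
        except ValueError:
            domains.add(host)
    return {"ips": sorted(ips), "domains": sorted(domains)}


def hosts_from_url_list(text):
    """Hosts from a one-URL-per-line, possibly defanged, list."""
    urls = [refang(l.strip()) for l in text.splitlines() if l.strip()]
    return classify_hosts(urls)


def summarize(text):
    """Fields an analyst wants from the dump: ids, both versions, injector
    rules as written, and all C2 hosts from the three server lists."""
    sections = parse_ini(text)
    main = sections.get("main", {})
    tdlcmd = sections.get("tdlcmd", {})
    urls = []
    for key in ("servers", "wspservers", "popupservers"):
        urls += split_servers(tdlcmd.get(key, ""))
    return {
        "main_version": main.get("version"),
        "tdlcmd_version": tdlcmd.get("version"),
        "affid": main.get("affid"),
        "botid": main.get("botid"),
        "botid_is_guid": bool(GUID_RE.match(main.get("botid", ""))),
        "injector": dict(sections.get("injector", {})),
        **classify_hosts(urls),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(summarize(CONFIG_INI), indent=2))
    print(json.dumps(hosts_from_url_list(URL_LIST), indent=2))
```

The two lists come out as plain hostnames, which is the form you would feed to DNS logs or a proxy blocklist; the URLs stay defanged in the source text and are only refanged in memory for parsing.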
 #2510  by EP_X0FF
 Mon Aug 30, 2010 7:23 am
Unfortunately, mister Peter Kleissner aka Stoned is banned for 1 day because of:

- insulting and attacking other members (all his messages collected and ready for publication).
- changing profile info to insult and attack other members
- breaking forum rules (part 7).

He has one day to think about his childish behavior. If he does not change anything, well, it's not a big loss, because he provided 0.00% of useful content here and we will remember him only as the guy who "want a sample" and likes to "****" (probably with himself), and who knows how to press F5 in IDA Pro.
 #2511  by rkhunter
 Mon Aug 30, 2010 8:49 am
I'm surprised that the x32 and x64 drivers are not from one code base, which would simplify porting the rootkit between x32 and x64. It will be necessary to analyze them carefully in IDA. Thanks for the samples.
 #2512  by gjf
 Mon Aug 30, 2010 9:23 am
EP_X0FF wrote:Unfortunately, mister Peter Kleissner aka Stoned is banned for 1 day because of:

- insulting and attacking other members (all his messages collected and ready for publication).
- changing profile info to insult and attack other members
- breaking forum rules (part 7).

He has one day to think about his childish behavior. If he does not change anything, well, it's not a big loss, because he provided 0.00% of useful content here and we will remember him only as the guy who "want a sample" and likes to "****" (probably with himself), and who knows how to press F5 in IDA Pro.
It looks somehow strange, because Peter Kleissner is the famous author of Stoned Bootkit and a well-known specialist in bootkit infection. I never thought that pressing F5 in IDA Pro was quite enough to make Stoned and to come under criminal litigation with three antivirus companies. :shock:

I believe such a person would help to clarify the situation with the new TDL4, and it is very strange to see the battle between him and you, EP_X0FF.

The only reason could be that "Stoned" is not the real Peter Kleissner, but I'm sure you are qualified enough to reveal an amateur fake.
 #2513  by EP_X0FF
 Mon Aug 30, 2010 9:39 am
Yes, I'm surprised also. This is offtopic, but if you wish I can send you all his wonderful messages and give you more opinions about this person privately via PM. There is no battle between me and him; this is just unacceptable childish behavior of this so-called "expert".