[EP_X0FF]

dll.exe
MD5   : 9ce020a0719921748b41fa76df876283
https://www.virustotal.com/file-scan/re ... 1317137762

file.exe
https://www.virustotal.com/file-scan/re ... 1317137394
MD5   : 909e35b8b43949dc008f6f88e93cbcf0

file.exe

[main]
version=0.03
aid=30227
sid=0
builddate=351
installdate=28.9.2011 8:39:38
rnd=2728766874
[inject]
*=cmd.dll
* (x64)=cmd64.dll
[cmd]
srv=hxxps://lo4undreyk.com/;hxxps://sh01cilewk.com/;hxxps://cap01tchaa.com/;hxxps://kur1k0nona.com/;hxxps://u101mnay2k.com/
wsrv=hxxp://gnarenyawr.com/;hxxp://rinderwayr.com/;hxxp://jukdoout0.com/;hxxp://swltcho0.com/;hxxp://ranmjyuke.com/
psrv=hxxp://crj71ki813ck.com/
version=0.31

dll.exe

[main]
version=0.03
aid=30041
sid=0
builddate=351
installdate=28.9.2011 8:42:46
rnd=2326177136
[inject]
*=cmd.dll
* (x64)=cmd64.dll
[cmd]
srv=hxxps://lo4undreyk.com/;hxxps://sh01cilewk.com/;hxxps://cap01tchaa.com/;hxxps://kur1k0nona.com/;hxxps://u101mnay2k.com/
wsrv=hxxp://gnarenyawr.com/;hxxp://rinderwayr.com/;hxxp://jukdoout0.com/;hxxp://swltcho0.com/;hxxp://ranmjyuke.com/
psrv=hxxp://crj71ki813ck.com/
version=0.31

All extracted data from both in attach.

[rough_spear]

Hi,
I m back with TDL4/TDSS. :mrgreen:
Dropper as well as dropped files are posted.

web link - hxxp://nitroz66.fileave.com/02set.exe

VT link - http://www.virustotal.com/file-scan/rep ... 1317276329

File size - 173 KB.

MD5 : 244175144a37d7ff3ad725b1d28f98b0
SHA1 : 494d17f7cc17e57dd645d5787744c37324c16e41
SHA256: cd3a72225a59fc9ea4e705aacfa7776cd623039dac13b4e32e27e7e49c2568c4
ssdeep: 3072:9fncREqbTUz2dUf+ANytOdqum+7vVI7ppgY7gY77RZLS:9ftqbT3YzScqj7pD7Dj2

config.ini-

Code: Select all

[main]
version=0.03
aid=30044
sid=0
builddate=351
installdate=29.9.2011 17:1:32
rnd=791871199
[inject]
*=cmd.dll
* (x64)=cmd64.dll
[cmd]
srv=https://lo4undreyk.com/;https://sh01cilewk.com/;https://cap01tchaa.com/;https://kur1k0nona.com/;https://u101mnay2k.com/
wsrv=http://gnarenyawr.com/;http://rinderwayr.com/;http://jukdoout0.com/;http://swltcho0.com/;http://ranmjyuke.com/
psrv=http://crj71ki813ck.com/
version=0.31

Regards,

rough_spear. ;)

[rough_spear]

Hi,
Interesting news.. TDL4 downloaded the plugin and modified the cfg.ini file. :D

File downloaded is - kwrd.dll
File Size - 204 KB.
VT Link - http://www.virustotal.com/file-scan/rep ... 1317320303

MD5 : 8ea57e8b69f25aed867066ee413d77ca
SHA1 : f7ecceb9b8b36d91660c387176b0be1242fe69d6
SHA256: 385411db62796f6df02a95c10e6f85d8a21567bd2592709bc44c020d4478bbe4
ssdeep: 6144:qJVRAjyPbvmR0cL+o8kMiX9lHkC5+F83oS:IRKR0cyomitlE9F83oS

Code: Select all

[main]
version=0.03
aid=30044
sid=0
builddate=351
installdate=29.9.2011 17:1:32
rnd=791871199
knt=1317315984
[inject]
*=cmd.dll
* (x64)=cmd64.dll
[cmd]
srv=https://lo4undreyk.com/;https://sh01cilewk.com/;https://cap01tchaa.com/;https://kur1k0nona.com/;https://u101mnay2k.com/
wsrv=http://gnarenyawr.com/;http://rinderwayr.com/;http://jukdoout0.com/;http://swltcho0.com/;http://ranmjyuke.com/
psrv=http://crj71ki813ck.com/
version=0.31
bsh=d8d6128f84bfff8f4d9b16f8fd65c3e27a6fa06d
dlc_srand=103
ns_conf=0
delay=7200
ssl=http://revalati0n-startup.com:8344/
[tasks]

Regards,

rough_spear.

[EP_X0FF]

kwrd.dll is part of BitCoinMiner, this dll is now hardcoded inside tdlcmd so no surprise to see it.
here is it after removing av confusing UPX http://www.virustotal.com/file-scan/rep ... 1317366896

And I suggest you to use [ code ] [ /code ] or [ quote ] [ /quote ] tags next time to make your posts readable.

[SUPERIOR]

Code: Select all

http://www.heise.de/security/artikel/Tatort-Internet-Operation-am-offenen-Herzen-1338967.html

i found it interesting article though its german

PS : sorry found the english version

Code: Select all

http://www.h-online.com/security/features/CSI-Internet-Open-heart-surgery-1350313.html

[EP_X0FF]

Posts about PRAGMA MaxSS TDL4 modification moved to dedicated thread

[Julian]

Every new sample I tried didn't work for me on Win 7 x64 with MS Patch in VirtualBox.
Is there a sample that surely does the job?

[EP_X0FF]

Every new sample I tried didn't work for me on Win 7 x64 with MS Patch in VirtualBox.
Is there a sample that surely does the job?

Try different VM, or real machine. It work.

[Julian]

IDK what exactly does not working for Julian but it isn't antivm or something, because I've some of these posted samples in my vm repository. It is known that updated TDL4 may cause KB2506014 patched system unbootable.

Dropper tries to infect MBR but doesn't succeed (thanks to MS patch) and so infection attempts run in a queue.
System remains bootable.
Will try VMware later.

[markvirussearch]

Can someone post a dump of a MBR infected by TDL4?

btw just to check: I have been reading them on the infected machines that I see off of a ubuntu live cd with:

Code: Select all

sudo dd if=/dev/sda of=mbr.bin bs=512 count=1
file mbr.bin >> mbr.txt

(then I look at the .txt file in gedit)
does that work fine or am I missing something?