A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #1131  by obse
 Wed May 19, 2010 3:20 pm
EP_X0FF wrote:It can't detect/remove TDL3. Actually all what it was able to detect - mapped tdlcmd.dll as BackDoor.Tdss.565
yea you right, this version of rootkit contain a pieces of code exactly against drweb solution ;)
not so fast, it took almost a month (in beta) for authors to fix it :mrgreen:
 #1139  by PX5
 Fri May 21, 2010 12:40 am
Damit Man!

Seems I lied, was a wasted 30MB download and I really need to learn how to use RKU better, wasnt able to locate it via stealth scan like previous.

Sounds like I need to take that vacation from support work for a while. :lol:
 #1209  by Meriadoc
 Tue Jun 01, 2010 1:35 pm
...back

catching up on tdl3 and other stuff until I go off again (because of illness :roll: )

lol @ bruce lee
 #1216  by gjf
 Tue Jun 01, 2010 8:02 pm
erikloman wrote:
EP_X0FF wrote:There seems to be some steatlh TDL3 update we missed :D
Any-1 has a dropper to share?
hjwbxhqr.cn/21/download.php?expid=4&fid=1
dynvolume.com/get.php?id=2
arashckevitchk.com/el1/load.php?spl=mdac&h=
arashckevitchk.com/el1/load/load.exe
hxtp://www.russianmomds.ru/dogma.exe

One of them possibly is what are you looking for ;)
Last edited by a_d_13 on Tue Jun 01, 2010 8:27 pm, edited 1 time in total. Reason: Disabled URL
 #1220  by notkov
 Wed Jun 02, 2010 12:37 pm
From the sample above, dogma.exe
[main]
quote=Everybody's a jerk. You, me, this jerk. That's just my philosophy
version=3.273
botid=55045ff5-72b5-4a95-8c6b-5e958b314602
affid=20743
subid=0
installdate=2.6.2010 11:7:48
builddate=1.6.2010 22:22:23
rnd=448539723
[injector]
*=tdlcmd.dll
[tdlcmd]
servers=https://li1i16b0.com/;https://19js81030 ... n4cx00.cc/
wspservers=http://7gafd33ja90a.com/;http://n1mo661 ... 3kjf7.com/
popupservers=http
version=3.82
 #1221  by a_d_13
 Wed Jun 02, 2010 12:53 pm
"dogma.exe" is attached. There is also funny quotes inside:
.rdata:00403130 String db 'Indestructible.',0Ah ; DATA XREF: start+5F1
.rdata:00403130 db 'Determination that is incorruptible.',0Ah
.rdata:00403130 db 'From the other side.',0Ah
.rdata:00403130 db 'A terror to behold.',0Ah,0
.rdata:0040318F align 10h
.rdata:00403190 aKasperskyAvSux db 'Kaspersky AV Suxx :) and so others are',0
Thanks,
--AD
Attachments
Pass: "malware"
(82.38 KiB) Downloaded 73 times
  • 1
  • 15
  • 16
  • 17
  • 18
  • 19
  • 40