A forum for reverse engineering, OS internals and malware analysis 

 #1776  by 4everyone
 Thu Aug 05, 2010 2:29 am
Hi All,

I can see in many forums (especially in Sysinternals) where people are posting TDL3 versions like the one below:
[main]
quote=Listen up, maggots. You are not special. You are not a beautiful or unique snowflake
version=3.20
botid=5219f738-fdcd-4129-9ec1-8135629d824b
affid=20319
subid=0
installdate=1.12.2009 12:23:28
builddate=1.12.2009 14:14:46
[injector]
*=tdlcmd.dll
Even in Kernelmode.info, I can see many posting similar results to the above.

Questions: I got the dropper files of TDL3; can I view its version? Are there any specific tools for that?

It would be great if someone could share the info on "how to get version details of TDL3".
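As an added example (not from this thread or any of its posters), here is how an analyst might parse a recovered configuration dump in the INI-style layout shown above and pull out the version, botid, affid and date fields. The sample text is constructed to match the quoted dump; the helper names and the day.month.year timestamp order are my assumptions.

```python
import configparser
import uuid
from datetime import datetime

# Constructed sample with the same INI layout as the dump quoted in the post above.
SAMPLE_CONFIG = """\
[main]
quote=Listen up, maggots. You are not special. You are not a beautiful or unique snowflake
version=3.20
botid=5219f738-fdcd-4129-9ec1-8135629d824b
affid=20319
subid=0
installdate=1.12.2009 12:23:28
builddate=1.12.2009 14:14:46
[injector]
*=tdlcmd.dll
"""
DATE_FORMAT = "%d.%m.%Y %H:%M:%S"  # assumption: day.month.year hour:minute:second

def _parse_date(value):
    """Return a datetime, or None if the field does not match the assumed format."""
    try:
        return datetime.strptime(value, DATE_FORMAT)
    except ValueError:
        return None

def _is_uuid(value):
    """True if the field is a well-formed UUID string (the botid is expected to be one)."""
    try:
        return str(uuid.UUID(value)) == value.lower()
    except (ValueError, TypeError, AttributeError):
        return False

def parse_tdl3_config(text):
    """Parse an INI-style dump and return the fields that identify the sample."""
    # optionxform=str keeps '*' and key case; strict=False tolerates duplicate keys.
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    main = cp["main"] if cp.has_section("main") else {}
    return {
        "version": main.get("version"),
        "botid": main.get("botid"),
        "botid_is_uuid": _is_uuid(main.get("botid")),
        "affid": int(main["affid"]) if main.get("affid", "").isdigit() else None,
        "installdate": _parse_date(main.get("installdate", "")),
        "builddate": _parse_date(main.get("builddate", "")),
        # [injector] maps a process name (or '*' for any) to the DLL it loads.
        "injector": dict(cp["injector"]) if cp.has_section("injector") else {},
    }
```

Missing or malformed fields come back as None or False rather than raising, so the same function can be run over a batch of dumps of varying quality.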
 #2208  by tolbert
 Mon Aug 23, 2010 12:51 pm
Hello smart people,

These days I started to analyze the TDL3 rootkit. I don't have very good experience with such complex infections and I am pretty much struggling at the moment. However, I am learning fast and I think that I am getting closer. This forum has helped me a lot and I would like to ask you guys for some basic guidance.

If anyone here is interested and willing to spend some time, I would like to ask for the basic procedure to access the information contained in the TDL3 configuration file. I do not think that someone will have the patience to provide a really detailed guide, and that is why I would just like to ask for the basic steps... Something like:

1. Do this.
2. Do this.
............
X. Success

This is it, I guess. In case you do not want to post this info on the forum, please feel free to PM me or to send an e-mail to "headsman@abv.bg".

Thanks :)
 #2210  by tolbert
 Mon Aug 23, 2010 2:05 pm
EP_X0FF wrote: How about this tutorial?

http://www.kernelmode.info/forum/viewto ... p=248#p248
Thanks. I am currently trying to understand and follow the instructions from this movie. However, the description was not very clear and I thought that this method does not grant "access" to the configuration file. It seems that I was wrong. I will keep on trying :)

Btw "EP_X0FF", gratz for the 666 posts :D

Thanks