[Jaxryley]

The microjoin exploit below drops heaps of other exploits of which I can harvest all except one.

At each run of the exploit it drops a random named .sys file at 768 kb.

Can't seem to do anything with that .sys file in that it won't upload to VT or move it anywhere.

Kaspersky TDSSKiller picks it up as suspicious and can delete it at reboot but can anyone show me how I can grab it and archive away?

The microjoin exploit will drop an exe killing rogue "Security suite" as well so it's best to have Task Manager up before executing the exploit.

g3d9fe.rar

Pass:
infected
(2.47 MiB) Downloaded 78 times

[EP_X0FF]

Hello,

well from what I see now:

a lot of trojans loaded and working, and TDL3 also installed from this pack.

not sure about this locked driver. Did you tried to copy it with rku -> wipe/copy file feature? Or by WinHex?

tdl stuff

She would come over and slip into the water

Everything was new, and everything was fun

[main]
version=3.273
quote=Dude, meet me in Montana XX00, Jesus (H. Christ)
botid=74f8e63e-5915-4beb-a4e7-44bba20d02e1
affid=20034
subid=0
installdate=18.8.2010 5:24:3
builddate=11.8.2010 9:55:11
rnd=1292428093
[injector]
*=tdlcmd.dll
[tdlcmd]
servers=hxxps://nichtadden.in/;hxxps://91.212.226.67/;hxxps://li1i16b0.com/;hxxps://zz87jhfda88.com/;hxxps://n16fa53.com/;hxxps://01n02n4cx00.cc/;hxxps://lj1i16b0.com/
wspservers=hxxp://zl00zxcv1.com/;hxxp://zloozxcv1.com/;hxxp://71ha6dl01.com/;hxxp://axjau710h.com/;hxxp://rf9akjgh716zzl.com/;hxxp://dsg1tsga64aa17.com/;hxxp://l1i1e3e3oo8as0.com/;hxxp://7gafd33ja90a.com/;hxxp://n1mo661s6cx0.com/
popupservers=hxxp://clkh71yhks66.com/
version=3.941

dropped trojans, pass: malware

[Jaxryley]

Hello,
not sure about this locked driver. Did you tried to copy it with rku -> wipe/copy file feature? Or by WinHex?

No but I will give a go, thanks EP_X0FF.

[EP_X0FF]

I just did a full cleanup of this malware pack with rku+explorer+autoruns+internal remover for tdl3.

edit: around 30 items removed/cured (files, infected driver, registry entries).

[Jaxryley]

I just did a full cleanup of this malware pack with rku+explorer+autoruns+internal remover for tdl3.

edit: around 30 items removed/cured (files, infected driver, registry entries).

Yes these microjoin exploits are my favourites. LOL :twisted:

Malwarebytes Antimalware does a good job in zapping these types and their droppers with a need to rename mbam.exe to firefox.exe in order for it to start if the exe killer rogue is active.

[PX5]

Something sound familiar. ;)

http://www.virustotal.com/file-scan/rep ... 1282112790

[Jaxryley]

Something sound familiar. ;)

http://www.virustotal.com/file-scan/rep ... 1282112790

Grabbed it thanks PX5.

[PX5]

//ceberd.com/wev/bushzany.php
//ceberd.com/wev/files/backoffmove.pdf
//ceberd.com/wev/files/kissassupbeat.jar
//ceberd.com/wev/files/nitwitinshakysituation.jar
//ceberd.com/wev/foolwrite.php
//ceberd.com/wev/js/smallitdoestwash.js
//ceberd.com/wev/mothersdarlingcross.php?ids=MDAC
//ceberd.com/wev/pissantcolor.php?unique=1
//ceberd.com/wev/yettiownssomelilz.php?e=3&n=0

;)

After this runs it course, the clusterfuck comes, which is where your root is loaded at, usually iframedollars load.

[Jaxryley]

You may want to have a look at the morphed microjoin exploit from:

hxxp://ceberd.com/wev/mothersdarlingcross.php?ids=MDAC

Which seems to be dropping two rogue AV's and a few new droppers ATM?

g640ab.exe - 14/ 42 (33.3%) - MD5 : b8074494580e8275dad6d2f83535699b
http://www.virustotal.com/file-scan/rep ... 1282209028

g640ab.rar

(3.3 MiB) Downloaded 53 times

[CloneRanger]

dropped trojans

malware.rar (2.3 MiB)

Downloaded 344 times

WOW ! Is this a record or ?