A forum for reverse engineering, OS internals and malware analysis 

 #2873  by Alex
 Sun Sep 26, 2010 5:42 pm
@LeastPrivilege

If you are talking about this dropper - "setup.exe - 7/43 - Sunbelt - Packed.Win32.Tdss.ae (v) - MD5 : 8d73a4cd281f178ac7896d54d7923728"
it is a classical TDL3 and it works well under VMWare with XP SP2:
[main]
version=3.273
quote=Tempers are wearing thin. Let's hope some robot doesn't kill everybody
installdate=1285522457
[injector]
*=tdlcmd.dll
 #2880  by Jaxryley
 Mon Sep 27, 2010 4:34 am
Samples:

dllhost.exe - 9/43 - Sunbelt - Trojan.Win32.Alureon.Ch (v) - MD5 : a13d699c807aa3bff5a111dd4c65965e
http://www.virustotal.com/file-scan/rep ... 1285561037

AppleMobileDeviceHelper.exe - 8/43 - DrWeb - BackDoor.Tdss.4246 - MD5 : cf93e3244f0a693be28ac4e240c07885
http://www.virustotal.com/file-scan/rep ... 1285561678
 #3007  by nullptr
 Mon Oct 11, 2010 11:37 am
SHA1 : 8a0021c7f8d68afa9b058ef502a00aaf7227cbb7 dg.exe
Some newish servers but otherwise stagnant.
[main]
version=3.273
quote=Tempers are wearing thin. Let's hope some robot doesn't kill everybody
botid=
affid=
subid=
installdate=11.10.2010 11:29:54
builddate=11.10.2010 11:0:2
rnd=1993962763
[injector]
*=tdlcmd.dll
[tdlcmd]
servers=https://nichtadden.in/;https://li1i16b0 ... i16b0.com/
wspservers=http://clikcpixelabn.com/;http://thinks ... tator.com/
popupservers=http://clkh71yhks66.com/
version=3.97
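The two config.ini dumps above (Alex's and nullptr's) share one INI-style layout. As an added example, not code from the thread, here is a small parser that pulls the fields a responder wants out of such a dump; it assumes only the section and key names visible in the posts, and the server URLs in the constructed sample are `.invalid` placeholders rather than the real hosts.

```python
# Added example: parse a TDL3-style config.ini dump as quoted in the thread.
# Section/key names ([main], [injector], [tdlcmd], servers, wspservers,
# popupservers, installdate) come from the posts; the URLs are placeholders.
import configparser
from datetime import datetime, timezone

# Constructed sample in the same shape as the dumps above (placeholder hosts).
SAMPLE_CFG = """\
[main]
version=3.273
quote=Tempers are wearing thin. Let's hope some robot doesn't kill everybody
installdate=11.10.2010 11:29:54
[injector]
*=tdlcmd.dll
[tdlcmd]
servers=https://c2-a.invalid/;https://c2-b.invalid/
wspservers=http://wsp-a.invalid/;http://wsp-b.invalid/
popupservers=http://popup-a.invalid/
version=3.97
"""

def parse_installdate(value):
    """The dumps show installdate either as a Unix epoch (Alex's sample)
    or as 'DD.MM.YYYY H:M:S' (nullptr's); normalise both to UTC."""
    value = value.strip()
    if value.isdigit():
        return datetime.fromtimestamp(int(value), tz=timezone.utc)
    return datetime.strptime(value, "%d.%m.%Y %H:%M:%S").replace(tzinfo=timezone.utc)

def parse_tdl_config(text):
    """Return versions, install time, injected module and C2 server lists."""
    # Only '=' is a delimiter so URLs containing ':' are not split; keep key
    # case and the literal '*' key used by the [injector] section.
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str
    cp.read_string(text)
    servers = {}
    for key in ("servers", "wspservers", "popupservers"):
        raw = cp.get("tdlcmd", key, fallback="")
        servers[key] = [u for u in raw.split(";") if u]  # lists are ';'-separated
    return {
        "rootkit_version": cp.get("main", "version", fallback=None),
        "tdlcmd_version": cp.get("tdlcmd", "version", fallback=None),
        "installdate": parse_installdate(cp.get("main", "installdate")),
        "injected_module": cp.get("injector", "*", fallback=None),
        "servers": servers,
    }

if __name__ == "__main__":
    print(parse_tdl_config(SAMPLE_CFG))
```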
 #3010  by PX5
 Tue Oct 12, 2010 9:04 am
That one looks like Koob Droppings....
Code:
http://rentsatoday.com/.flyx4m/?action=fbgen&v=135&crc=669
http://rentsatoday.com/.flyx4m/?action=fbgen&mode=s&age=2&a=13441600&v=135&fblogin=0&defbrowser=ie&ie=6.0.2900.2180
http://rentsatoday.com/.flyx4m/?getexe=ff2ie.exe
http://rentsatoday.com/.flyx4m/?getexe=udh.exe
http://rentsatoday.com/.flyx4m/?getexe=dg.exe
http://rentsatoday.com/.flyx4m/?getexe=m24.in.exe
 #3011  by PX5
 Tue Oct 12, 2010 9:06 am
These however, look much more tdl3+/tdl4
 #3027  by Julian
 Wed Oct 13, 2010 1:29 pm
PX5 wrote:These however, look much more tdl3+/tdl4
Yep, I tried one with SHA1 hash e3f9d41825ca05b96dcab8491256faffe2c2aae2 (dg.exe).
It works on Windows x64.
So, this means this malware is still under active development for Windows x64 (not dead)?

If you block spoolsv.exe to install its drivers on x32 TDSS also wants to have direct disk access (MBR) on this OS as well. Is this new?
Then it shuts down Windows. Can anybody explain how it's doing this? The VM just closes rapidly and OSSS HIPS can't detect any attempt to shutdown Windows or to log off the user.
I dunno if it tries to install a bootkit or just to mess up the MBR, at least Windows doesn't boot anymore after spoolsv.exe had direct sector access.
 #3073  by Jaxryley
 Fri Oct 15, 2010 11:54 am
Code:
http://christmasornies.com/.geaus/?getexe=ff2ie.exe
http://christmasornies.com/.geaus/?getexe=udh.exe
http://christmasornies.com/.geaus/?getexe=dg.exe
http://christmasornies.com/.geaus/?getexe=m24.in.exe
dg.exe - 11/42 - Avast - Win32:Alureon-JG - MD5 : 02a599b0cb382c0e9f1a5659dae84d55
http://www.virustotal.com/file-scan/rep ... 1287143146