A forum for reverse engineering, OS internals and malware analysis 

 #6620  by Fabian Wosar
 Wed Jun 01, 2011 11:16 pm
I just went through our submits and found a sample we got submitted yesterday. While the Kaspersky detection name doesn't match, the general behavior is the same (scanning the subnet for free addresses, downloading TDL-4 as a payload, original file name was update.exe), so I assume this is a variant of the malware the blog post is talking about.

Detection of the downloader:

http://www.virustotal.com/file-scan/rep ... 1306968878

The detection of the downloaded TDL-4 dropper (downloaded from http://94.60.123.34/service/scripts/files/aff_50045.dll):

http://www.virustotal.com/file-scan/rep ... 1306969204

Both the dropper as well as the downloader are included in the attachment.
Attachment: infected (152.12 KiB)
 #6633  by PX5
 Thu Jun 02, 2011 10:25 am
Why so interesting? Vobfus started calling in TDL4 as part of its payload and working mechanism back in early March of 2010.

Why does this author talk like no other network worm ever called in TDL4 before?

Or is it just too early and I have not had enough coffee?
 #6714  by EP_X0FF
 Tue Jun 07, 2011 12:00 pm
markusg wrote:
dll.exe
http://www.virustotal.com/file-scan/rep ... 1307444423
[main]
version=0.03
aid=30041
sid=0
builddate=351
rnd=1960408961
[inject]
*=cmd.dll
* (x64)=cmd64.dll
[cmd]
srv=hxxps://lo4undreyk.com/;hxxps://sh01cilewk.com/;hxxps://cap01tchaa.com/;hxxps://kur1k0nona.com/;hxxps://u101mnay2k.com/
wsrv=hxxp://gnarenyawr.com/;hxxp://rinderwayr.com/;hxxp://jukdoout0.com/;hxxp://swltcho0.com/;hxxp://ranmjyuke.com/
psrv=hxxp://crj71ki813ck.com/
version=0.175
nothing new.
Attachment (76.35 KiB), pass: malware
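The TDL4 config quoted above is a plain INI file, and the server lists under [cmd] are what a defender wants out of it. As an added example that is not part of this thread or of any sample, a small Python parser that pulls the affiliate id and the defanged server hosts out of such a config and flattens them into a blocklist; the function names and the shortened sample config are this example's own.

```python
import configparser
import re
from typing import Dict, List

# Constructed sample input: the TDL4-style config quoted in the post above,
# with the server lists shortened. Defanged hxxp/hxxps kept as posted.
SAMPLE_CFG = """[main]
version=0.03
aid=30041
sid=0
builddate=351
rnd=1960408961
[inject]
*=cmd.dll
* (x64)=cmd64.dll
[cmd]
srv=hxxps://lo4undreyk.com/;hxxps://sh01cilewk.com/;hxxps://cap01tchaa.com/
wsrv=hxxp://gnarenyawr.com/;hxxp://rinderwayr.com/
psrv=hxxp://crj71ki813ck.com/
version=0.175
"""

SERVER_KEYS = ("srv", "wsrv", "psrv")  # the ';'-separated server lists under [cmd]
_HOST_RE = re.compile(r"^h(?:xx|tt)ps?://([^/;\s]+)", re.IGNORECASE)  # live or defanged scheme

def parse_config(text: str) -> configparser.ConfigParser:
    """Parse the INI-style bot config; keys such as '*' and '* (x64)' are kept verbatim."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # do not lower-case option names
    cp.read_string(text)
    return cp

def extract_servers(cfg: configparser.ConfigParser) -> Dict[str, List[str]]:
    """Return {key: [hostname, ...]} for each server list present under [cmd]."""
    out: Dict[str, List[str]] = {}
    if not cfg.has_section("cmd"):
        return out
    for key in SERVER_KEYS:
        hosts = []
        for entry in cfg.get("cmd", key, fallback="").split(";"):
            m = _HOST_RE.match(entry.strip())
            if m:
                hosts.append(m.group(1).lower())
        if hosts:
            out[key] = hosts
    return out

def blocklist(cfg: configparser.ConfigParser) -> List[str]:
    """Flatten every server host into a sorted, de-duplicated list for DNS or proxy blocking."""
    return sorted({h for hosts in extract_servers(cfg).values() for h in hosts})

def affiliate_id(cfg: configparser.ConfigParser) -> str:
    """The 'aid' value under [main], useful for tracking which affiliate pushed the build."""
    return cfg.get("main", "aid", fallback="")

if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CFG)
    print("aid:", affiliate_id(cfg))
    for host in blocklist(cfg):
        print(host)
```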