A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #3517  by EP_X0FF
 Tue Nov 16, 2010 4:48 pm
@Blur

As in fact this is not Frank's article.
Let's give kids in SB a try.
 #3520  by STRELiTZIA
 Tue Nov 16, 2010 5:45 pm
Hi, just 4 fun...
TDL3.0 old with two injectors: tdlwsp.dll and tdlcmd.dll for your collection ;)
[main]
version=3.0
botid=f8eae8b1-c356-4f04-a4e4-780e866e8ff2
affid=10064
subid=0
installdate=15.11.2010 11:51:37
[injector]
svchost.exe=tdlcmd.dll
*=tdlwsp.dll
[tdlcmd]
servers=https://h3456345.cn/;https://h9237634.c ... 7.174.173/
TDL path evolution:
ASCII "\\?\globalroot\Device\Ide\IdePort1\stbdvbvp\stbdvbvp\tdlwsp.dll" -->> TDL3.0
ASCII "\\?\globalroot\dpqnbsft\ioyxvpji\tdlcmd.dll" -->> TDL3.273
ASCII "\\?\globalroot\device\00000219\5d3885c0\cmd.dll" -->> TDL4.03
Attachments
Archive password: malware
 #3540  by Meriadoc
 Wed Nov 17, 2010 12:36 pm
markusg wrote: http://www.file-upload.net/download-297 ... 3.rar.html

http://www.virustotal.com/file-scan/rep ... 1289932860
Patches system files and drops a whole lot of crap.

Rootkit
http://www.virustotal.com/file-scan/rep ... 1288024474

Hidden service foezbhyuo
... registry, kernel-level driver foezbhyuo value "1"; foezbhyuo also has the order of HKLM\SYSTEM\ControlSet\Services\foezbhyuo "Group"="Boot Bus Extender"
foezbhyuo.sys
NDIS.sys both read access, so it can be difficult.

trash : https://rapidshare.com/files/431425449/trash.rar
pass=malware

LoL,
 #3549  by Meriadoc
 Wed Nov 17, 2010 11:05 pm
markusg's sample works better with .NET Framework.

So much to have a look at, of course nondescript file names change.
 #3566  by STRELiTZIA
 Thu Nov 18, 2010 7:30 pm
PX5 wrote: http://www.virustotal.com/file-scan/rep ... 1290107388
Hi,
[main]
version=0.03
aid=30002
sid=0
builddate=4096
rnd=1336601894
[inject]
*=cmd.dll
* (x64)=cmd64.dll
[cmd]
srv=https://rukkeianno.com/;https://kangoji ... 6b6b6.com/
wsrv=http://skolewcho.com/;http://jikdooyt0. ... yjuke.com/
psrv=http://cri71ki813ck.com/
version=0.15
TDL4.03 files attached.

Regards.
Attachments
Archive password: malware
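The two configuration dumps in this thread (the TDL3.0 one with [injector]/[tdlcmd] sections and the TDL4.03 one with [inject]/[cmd]) share one INI-style layout. The following is an added example, not code from the thread or from the malware itself: a small Python parser that reads a dump in that layout, resolves which DLL the injector would load into a given process (an exact process-name entry such as svchost.exe beats the "*" wildcard, and the " (x64)" suffix is tried first on 64-bit; that precedence is my assumption, the thread does not document the real lookup order), and pulls out the ";"-separated server lists. The two embedded configs are constructed samples: the botid and all server names are placeholders, not the values from the posts.

```python
"""Parser for the TDL3/TDL4 INI-style config dumps quoted in this thread.
Added example; not code from the forum thread or from the malware."""

# Constructed sample in the TDL3.0 layout. botid and servers are placeholders.
TDL3_CFG = """[main]
version=3.0
botid=00000000-0000-0000-0000-000000000000
affid=10064
subid=0
installdate=15.11.2010 11:51:37
[injector]
svchost.exe=tdlcmd.dll
*=tdlwsp.dll
[tdlcmd]
servers=https://c2-a.invalid/;https://c2-b.invalid/
"""

# Constructed sample in the TDL4.03 layout. Server names are placeholders.
TDL4_CFG = """[main]
version=0.03
aid=30002
sid=0
[inject]
*=cmd.dll
* (x64)=cmd64.dll
[cmd]
srv=https://srv-a.invalid/;https://srv-b.invalid/
wsrv=http://wsrv-a.invalid/
psrv=http://psrv-a.invalid/
version=0.15
"""


def parse_tdl_config(text):
    """Return {section: {key: value}}. Section names are lower-cased; keys keep
    their inner spaces so '* (x64)' survives; values split on the first '='."""
    cfg, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((';', '#')):
            continue
        if line.startswith('[') and line.endswith(']'):
            section = line[1:-1].strip().lower()
            cfg.setdefault(section, {})
            continue
        if section is None or '=' not in line:
            continue  # stray line outside a section, or not key=value
        key, value = line.split('=', 1)
        cfg[section][key.strip()] = value.strip()
    return cfg


def injector_rules(cfg):
    """TDL3 names the section [injector], TDL4 names it [inject]."""
    for name in ('injector', 'inject'):
        if name in cfg:
            return cfg[name]
    return {}


def injected_dll(cfg, process, is_x64=False):
    """DLL the injector would load into `process`, or None if no rule matches.
    Precedence (an assumption, not documented in the thread): exact process
    name with ' (x64)' suffix, exact name, '* (x64)', then '*'."""
    rules = {k.lower(): v for k, v in injector_rules(cfg).items()}
    proc = process.lower()
    candidates = ([f"{proc} (x64)"] if is_x64 else []) + [proc]
    candidates += (["* (x64)"] if is_x64 else []) + ["*"]
    for key in candidates:
        if key in rules:
            return rules[key]
    return None


def c2_servers(cfg):
    """Every ';'-separated URL list in the command section
    ([tdlcmd] for TDL3, [cmd] for TDL4), keyed by its config key."""
    out = {}
    for name in ('tdlcmd', 'cmd'):
        for key, value in cfg.get(name, {}).items():
            if '://' in value:  # skips non-URL keys such as version=0.15
                out[key] = [u for u in value.split(';') if u]
    return out


def bot_identity(cfg):
    """Normalise the [main] identity fields: TDL3 uses botid/affid/subid,
    the TDL4 dump uses aid/sid and carries no botid."""
    main = cfg.get('main', {})
    return {
        'version': main.get('version'),
        'botid': main.get('botid'),
        'affid': main.get('affid', main.get('aid')),
        'subid': main.get('subid', main.get('sid')),
    }


if __name__ == '__main__':
    for label, text in (('TDL3.0', TDL3_CFG), ('TDL4.03', TDL4_CFG)):
        cfg = parse_tdl_config(text)
        print(label, bot_identity(cfg))
        for proc, x64 in (('svchost.exe', False), ('explorer.exe', False), ('explorer.exe', True)):
            print(f"  {proc} x64={x64}: {injected_dll(cfg, proc, x64)}")
        print('  servers:', c2_servers(cfg))
```

Running the script prints, for each sample, the normalised identity block, the DLL resolved for svchost.exe and explorer.exe on x86 and x64, and the server lists; pointing parse_tdl_config at a real dump is a quick way to diff the affid and server lists across samples in a collection.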