KernelMode.info

Buster_BSA wrote:You can get it from: http://hotfile.com/dl/119929569/86e5b8a ... I.RAR.html

According to MD5 it differs from the previous version. Could you please explain what you have imlemented?

I have. So-so. Maybe in future they will implement some serious features, but now I didn't like it.
You can check out official forum (English part) and see all weak places.

Here is that infector.

No. But I believe someone will post it in near days.

Looks like TDL4 obtains new infector mechanism. Unfortunately the article is in Russian.

Yup, it was caused by 5 Mb restriction on the forum. I have editted my previous message with a link.

Mr.Bojangles б as for me I use sbiextra in cooperation with BSA just to improve hiding. But you are right - the hiding is pretty poor. For instance from the latest samples - here it is (password is virus). It is Xorist malware, it encrypts user's files and asks a donation for decryptor. It has quit...

gjf , I ran the sample and only see traffic from the 64.12.96.129 address (both inbound and outbound), as I would expect. Also, I am basing my conclusion on Buster on the fact that if you use PCAP to monitor network traffic, you do not get a process associated with the traffic (look up the manual f...

BTW - why don't you download my sample and test it by yourself? If the behaviour will differ we can discuss the situation in more detailed manner.

r2nwcnydc, according to logs and BSA manual tcp traffic is well recognized among the processes. So the above mentioned inbound traffic is caused by malware, not update process. And if update is causing inbound traffic - where is outbound request? So I believe Buster_BSA explanation is more correct.