A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #6242  by InsaneKaos
 Sun May 08, 2011 2:23 am
Here is another sample with some improvements. aswMBR wasn't able to remove it, but detected TDL4. mbr.exe missed it. TDSSKiller still got it. I did not use any other tools yet. Tested on Windows XP SP3 (atapi + iaStor).

From the config.ini
[main]
version=0.03
aid=40787
sid=0
builddate=351
rnd=1482476501
[inject]
*=cmd.dll
* (x64)=cmd64.dll
[cmd]
srv=hxxps://4tag16ag100.com/;hxxps://zna61udha01.com/;hxxps://dg6a51ja813.com/;hxxps://7gaur15eb71.com/;hxxps://ka18i7gah10.com/
wsrv=hxxp://bangl24nj14.com/;hxxp://lkeopee32.com/;hxxp://63.223.106.16/;hxxp://63.223.106.17/;hxxp://iau71nag001.com/;hxxp://baj19kall10.com/
psrv=hxxp://cikh71ynks66.com/;hxxp://clkh71yhks66.com/
version=0.15
VT-Report: http://www.virustotal.com/file-scan/rep ... 1304819009
Attachments
pw=infected
(132.6 KiB) Downloaded 100 times
 #6286  by EP_X0FF
 Wed May 11, 2011 12:10 pm
markusg wrote: Download Accelerator Plus (9.6.).exe
http://www.virustotal.com/file-scan/rep ... 1305109828
Muldrop, drops TDL4
[main]
version=0.03
aid=30000
sid=3
builddate=351
rnd=1645522239
[inject]
*=cmd.dll
* (x64)=cmd64.dll
[cmd]
srv=hxxps://lo4undreyk.com/;hxxps://sh01cilewk.com/;hxxps://cap01tchaa.com/;hxxps://kur1k0nona.com/;hxxps://u101mnay2k.com/
wsrv=hxxp://gnarenyawr.com/;hxxp://rinderwayr.com/;hxxp://jukdoout0.com/;hxxp://swltcho0.com/;hxxp://ranmjyuke.com/
psrv=hxxp://crj71ki813ck.com/
version=0.15
Along with TDL4 it installs some VB junk, see attachment.
Attachments
pass: malware
(60.26 KiB) Downloaded 82 times
 #6409  by Meriadoc
 Thu May 19, 2011 12:50 am
VT - 5/43 http://www.virustotal.com/file-scan/rep ... 1305764606

update to usermode component?

from cfg.ini
[main]
version=0.03
aid=40787
sid=0
builddate=351
rnd=602162358
[inject]
*=cmd.dll
* (x64)=cmd64.dll
[cmd]
srv=hxxps://4tag16ag100.com/;hxxps://zna61udha01.com/;hxxps://dg6a51ja813.com/;hxxps://7gaur15eb71.com/;hxxps://ka18i7gah10.com/
wsrv=hxxp://bangl24nj14.com/;hxxp://lkeopee32.com/;hxxp://63.223.106.16/;hxxp://63.223.106.17/;hxxp://iau71nag001.com/;hxxp://baj19kall10.com/
psrv=hxxp://cikh71ynks66.com/;hxxp://clkh71yhks66.com/
version=0.175
Attachments
pass=malware
(210.89 KiB) Downloaded 66 times
 #6551  by EP_X0FF
 Fri May 27, 2011 8:13 am
markusg wrote: http://www.virustotal.com/file-scan/rep ... 1306435508
[main]
version=0.03
aid=30041
sid=0
builddate=351
rnd=602162358
[inject]
*=cmd.dll
* (x64)=cmd64.dll
[cmd]
srv=hxxps://lo4undreyk.com/;hxxps://sh01cilewk.com/;hxxps://cap01tchaa.com/;hxxps://kur1k0nona.com/;hxxps://u101mnay2k.com/
wsrv=hxxp://gnarenyawr.com/;hxxp://rinderwayr.com/;hxxp://jukdoout0.com/;hxxp://swltcho0.com/;hxxp://ranmjyuke.com/
psrv=hxxp://crj71ki813ck.com/
version=0.175
data in attach
I'll try to merge your posts with samples into one, because actually that's the same recrypted bot.
Attachments
pass: malware
(72.25 KiB) Downloaded 57 times
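The configs posted in this thread all share one layout: a [main] block with the affiliate id (aid), sub id (sid), build date and a per-build rnd value, an [inject] block naming the user-mode DLLs, and a [cmd] block whose srv/wsrv/psrv keys are ';'-separated, defanged C2 URL lists. The following parser is an added example, not code from any of the posts above; it reads that format, refangs the hxxp(s):// URLs, separates IP-based servers from domain-based ones, and compares two configs so that "same aid, same servers, new cmd version" (the #6242 vs #6409 case) is visible at a glance. The two sample configs are copied from posts #6242 and #6409; the interpretation of aid as affiliate id is taken from the key name and is an assumption.

```python
"""Parser for the TDL4 cfg.ini format shown in this thread (added example,
not code from the posts). CFG_6242 / CFG_6409 are copied from the posts;
'aid' being an affiliate id is assumed from the key name."""
import ipaddress
import re
from urllib.parse import urlsplit

SERVER_KEYS = ("srv", "wsrv", "psrv")  # [cmd] keys holding ';'-separated URL lists

CFG_6242 = """\
[main]
version=0.03
aid=40787
sid=0
builddate=351
rnd=1482476501
[inject]
*=cmd.dll
* (x64)=cmd64.dll
[cmd]
srv=hxxps://4tag16ag100.com/;hxxps://zna61udha01.com/;hxxps://dg6a51ja813.com/;hxxps://7gaur15eb71.com/;hxxps://ka18i7gah10.com/
wsrv=hxxp://bangl24nj14.com/;hxxp://lkeopee32.com/;hxxp://63.223.106.16/;hxxp://63.223.106.17/;hxxp://iau71nag001.com/;hxxp://baj19kall10.com/
psrv=hxxp://cikh71ynks66.com/;hxxp://clkh71yhks66.com/
version=0.15
"""

CFG_6409 = """\
[main]
version=0.03
aid=40787
sid=0
builddate=351
rnd=602162358
[inject]
*=cmd.dll
* (x64)=cmd64.dll
[cmd]
srv=hxxps://4tag16ag100.com/;hxxps://zna61udha01.com/;hxxps://dg6a51ja813.com/;hxxps://7gaur15eb71.com/;hxxps://ka18i7gah10.com/
wsrv=hxxp://bangl24nj14.com/;hxxp://lkeopee32.com/;hxxp://63.223.106.16/;hxxp://63.223.106.17/;hxxp://iau71nag001.com/;hxxp://baj19kall10.com/
psrv=hxxp://cikh71ynks66.com/;hxxp://clkh71yhks66.com/
version=0.175
"""


def parse_cfg(text):
    """Parse '[section]' / 'key=value' lines into {section: {key: value}}.
    Hand-written instead of configparser so keys like '* (x64)' and values
    containing ';' and ':' are kept exactly as they appear."""
    cfg, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            cfg.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            cfg[section][key.strip()] = value.strip()
    return cfg


def refang(url):
    """Turn the forum's defanged hxxp(s):// prefix back into a real scheme."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)


def c2_servers(cfg):
    """Return [(key, scheme, host, is_ip)] for every URL in the [cmd] lists."""
    out = []
    for key in SERVER_KEYS:
        for url in cfg.get("cmd", {}).get(key, "").split(";"):
            url = url.strip()
            if not url:
                continue
            parts = urlsplit(refang(url))
            try:
                ipaddress.ip_address(parts.hostname)
                is_ip = True
            except ValueError:
                is_ip = False
            out.append((key, parts.scheme, parts.hostname, is_ip))
    return out


def compare(a, b):
    """Summarise what differs between two configs of the same bot family."""
    hosts_a = {h for _, _, h, _ in c2_servers(a)}
    hosts_b = {h for _, _, h, _ in c2_servers(b)}
    return {
        "same_aid": a["main"].get("aid") == b["main"].get("aid"),
        "same_rnd": a["main"].get("rnd") == b["main"].get("rnd"),
        "cmd_version": (a["cmd"].get("version"), b["cmd"].get("version")),
        "shared_hosts": sorted(hosts_a & hosts_b),
        "added_hosts": sorted(hosts_b - hosts_a),
        "removed_hosts": sorted(hosts_a - hosts_b),
    }


if __name__ == "__main__":
    for key, scheme, host, is_ip in c2_servers(parse_cfg(CFG_6242)):
        print(f"{key:5} {scheme:5} {'ip  ' if is_ip else 'fqdn'} {host}")
    print(compare(parse_cfg(CFG_6242), parse_cfg(CFG_6409)))
```

Running it lists the 13 C2 hosts of #6242 (srv over https, wsrv/psrv over plain http, two of them bare IPs) and reports that #6409 keeps the same aid and the same 13 hosts while rnd changes and the [cmd] version moves from 0.15 to 0.175, which is the "update to usermode component" pattern rather than a new affiliate or new infrastructure. Feeding it the #6286 and #6551 configs instead shows the opposite: different aid values (30000 vs 30041) sharing one set of servers.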
 #6563  by markusg
 Fri May 27, 2011 4:36 pm
Attachments
pass for archives inside: infected
(520.71 KiB) Downloaded 67 times
Last edited by EP_X0FF on Wed Jun 01, 2011 4:53 pm, edited 1 time in total. Reason: merged few posts with attaches in one