A forum for reverse engineering, OS internals and malware analysis 

 #1104  by EP_X0FF
 Sat May 15, 2010 4:47 pm
C&C library updated to 3.75, probably a few days ago, but nobody noticed that (at least here).

Has a good detection rate on VirusTotal probably just because it is quite old -> 1.5 days.
[main]
quote=Everybody's a jerk. You, me, this jerk. That's just my philosophy
version=3.273
botid=
affid=
subid=0
installdate=15.5.2010 16:39:50
builddate=15.5.2010 4:10:6
rnd=507921405
[injector]
*=tdlcmd.dll
[tdlcmd]
servers=https://li1i16b0.com/;https://19js810300z.com/;https://lj1i16b0.com/;https://zz87jhfda88.com/;https://n16fa53.com/;https://01n02n4cx00.cc/
wspservers=http://7gafd33ja90a.com/;http://n1mo661s6cx0.com/;http://30xc1cjh91.com/;http://j00k877x.cc/;http://m01n83kjf7.com/
popupservers=http
version=3.75
Readable strings data dump (only IPs/servers are interesting of course)
%s\%s.tmp ObtainUserAgentString urlmon.dll Mozilla/4.0 (compatible; MSIE 1.0; Windows NT; CMD3) .dll %s\%s http://www.google. /search & ?q= &q= search.yahoo.com ?p= &p= http://www.bing.com http://www.ask.com /web search.aol.com /aol/search ?query= &query= / :// .google. .yahoo.com .bing.com .live.com .msn.com .ask.com .aol.com .google-analytics.com .yimg.com upload.wikimedia.org img.youtube.com .powerset.com .aolcdn.com .blinkx.com .atdmt.com .othersonline.com .yieldmanager.com .fimserve.com .everesttech.net .doubleclick.net .adrevolver.com .tribalfusion.com .adbureau.net .abmr.net ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz1234567890 software\classes\http\shell\open\command %s-%s %1d.%1d %04d SP%1d.%1d
%u|%u 3.72 ver=%s&bid=%s&aid=%s&sid=%s&rd=%s&eng=%s&q=%s msie 7.0 1.6 clk=%s&bid=%s&aid=%s&sid=%s&rd=%s HTTP/1.1 302 Found
Location: %s
Content-Length: 0
Connection: close
<html><head><script type="text/javascript">function f(){var url="%s";try{var x=document.getElementById("_a");x.href=url;x.click()}catch(e){try{var x=document.getElementById("_f");x.action=url;x.submit()}catch(e){}}}</script></head><body onload="f()"><a id="_a"></a><form id="_f" method="get"></form></body></html> HTTP/1.1 200 OK
Cache-Control: no-cache,no-store,must-revalidate
Content-Type: text/html
Content-Length: %d
Connection: close
%s <html><body onload="javascript:history.back()"></body></html> http://%s%s S : ( M L ; ; N W ; ; ; L W ) {a68d7de8-eba6-4a54-90e0-9cb9d93b3ed7} {452fefe0-a06e-400f-8d6b-6a12a0a09d4b} {cc51461b-e32a-4883-8e97-e0706dc65415} keywords ; %s http://%s/?xurl=%s&xref=%s %s %s 1.5|%s|%s|%s|%s|%s|%s ?xurl= &xref= get
http/1.
host:
referer:
user-agent: msie 8.0 mozilla opera
X-Moz: prefetch
%s.dll kernel32.dll kernelbase .text .rdata tdl dll *%s tasks !%s %d%d%d%d%d%d !*%s tdlcmd DownloadCrypted DownloadAndExecute DownloadCryptedAndExecute Download ConfigWrite % S %x %f %d %[^.].%[^(](%[^)]) botnetcmd LoadExe |nocommand 3.75 %s|%s|%s|%s|%s|%s|%s|%s|%s|%s|%s%s https://873hgf7xx60.com/;https://34jh7alm94.asia/;https://112.121.181.26/;https://61.61.20.132/;https://68b6b6b6.com/;https://1iii1i11i1ii.com/;https://0o0o0o0o0.com/ servers retry %u knt main windowsupdate
Content-Type: text/html
Transfer-Encoding: chunked
Content-Length: HTTP/1.1 200 OK
mswsock.dll ws2_32 WSAStartup WSASocketA WSPStartup mswsock %[^=]=%s) svchost.exe WinSta0\Default botid affid subid 3.x version installdate builddate rnd Internet Explorer_Server W e b B r o w s e r A b u y o r d e r b a s k e t waveOutOpen winmm.dll 3А@В s v c h o s t % s - % d user32.dll GetCursorPos ole32.dll CoCreateInstance software\microsoft\internet explorer\main\featurecontrol\FEATURE_BROWSER_EMULATION maxhttpredirects software\microsoft\windows\currentversion\internet settings enablehttp1_1 currentlevel software\microsoft\windows\currentversion\internet settings\zones\3 1601 1400 software\microsoft\internet explorer\international acceptlanguage http://%s/?xurl=%s&xref=%s atl.dll AtlAdvise AtlUnadvise AtlAxCreateControlEx SysFreeString oleaut32.dll http://mfdclk001.org/ clkservers delay http://lk01ha71gg1.cc/;http://zl091kha644.com/;http://a74232357.cn/;http://a76956922.cn/;http://91jjak4555j.com/ wspservers http://cri71ki813ck.com/ popupservers ntdll KiUserExceptionDispatcher ZwProtectVirtualMemory ZwWriteVirtualMemory kernel32 wsock32 wininet netsvcs 9e6af8f3-75f3-4b67-877a-c80125d7bc08 *explore* *firefox* *chrome* *opera* *safari* *netscape* *avant* *browser* *wuauclt* config.ini
Last edited by EP_X0FF on Sat Jul 10, 2010 3:08 am, edited 1 time in total. Reason: removed attach (10 July 2010)
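The config.ini dump and the strings dump above both carry the same kind of indicator: semicolon-separated lists of C&C URLs under keys such as servers, wspservers, popupservers and clkservers. The following is an added example, not code from the post, that parses the [section]/key=value layout, splits the server lists (skipping truncated entries such as popupservers=http) and pulls hostnames out of the free-form strings blob, so the result can be fed to a blocklist or a proxy-log search. The sample inputs are constructed from fragments of the dumps in this thread; the function names are my own.

```python
"""Extract C&C indicators from a TDL3-style config.ini and strings dump.

Added example for this thread (not the forum post's own code).  It parses
the [section]/key=value layout of the dumped config.ini, splits the
';'-separated server lists and pulls hostnames out of a strings blob.
"""
import re
from urllib.parse import urlsplit

# Constructed sample, modelled on the config.ini dump in the post.
SAMPLE_CONFIG = """\
[main]
quote=Everybody's a jerk. You, me, this jerk. That's just my philosophy
version=3.273
botid=
subid=0
[injector]
*=tdlcmd.dll
[tdlcmd]
servers=https://li1i16b0.com/;https://19js810300z.com/;https://zz87jhfda88.com/
wspservers=http://7gafd33ja90a.com/;http://n1mo661s6cx0.com/
popupservers=http
version=3.75
"""

# Constructed fragment of a strings dump: URLs sit between format strings.
SAMPLE_STRINGS = (
    "botnetcmd LoadExe |nocommand 3.75 %s|%s "
    "https://873hgf7xx60.com/;https://112.121.181.26/;https://0o0o0o0o0.com/ "
    "servers retry %u http://mfdclk001.org/ clkservers delay "
    "http://lk01ha71gg1.cc/;http://a74232357.cn/ wspservers config.ini"
)

# Keys that hold server lists in the dumped config (from the post).
SERVER_KEYS = ("servers", "wspservers", "popupservers", "clkservers")

URL_RE = re.compile(r"https?://[A-Za-z0-9.\-]+(?::\d+)?/?")


def parse_ini(text):
    """Parse [section] / key=value lines into a dict of dicts.

    Done by hand rather than with configparser: the dump has a '*' key and
    values containing '%s', which trip configparser's interpolation."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip()
    return sections


def hosts_from_url_list(value):
    """Split a ';'-separated server list and return its hostnames.

    Entries without a host (e.g. the truncated 'popupservers=http') are
    skipped rather than turned into a bogus indicator."""
    hosts = []
    for item in value.split(";"):
        host = urlsplit(item.strip()).hostname
        if host:
            hosts.append(host)
    return hosts


def config_indicators(text):
    """Map 'section.key' -> hostnames for every server list in the config."""
    out = {}
    for section, kv in parse_ini(text).items():
        for key in SERVER_KEYS:
            hosts = hosts_from_url_list(kv.get(key, ""))
            if hosts:
                out[f"{section}.{key}"] = hosts
    return out


def strings_indicators(blob):
    """Return the sorted set of hostnames/IPs found in a strings dump."""
    return sorted({urlsplit(m).hostname for m in URL_RE.findall(blob)})


def is_ip(host):
    return re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host) is not None


def summarize(config_text, strings_blob):
    """Combine both sources into versions, domain and IP indicator lists."""
    cfg = parse_ini(config_text)
    versions = {s: kv["version"] for s, kv in cfg.items() if "version" in kv}
    hosts = set(strings_indicators(strings_blob))
    for lst in config_indicators(config_text).values():
        hosts.update(lst)
    return {
        "versions": versions,
        "domains": sorted(h for h in hosts if not is_ip(h)),
        "ips": sorted(h for h in hosts if is_ip(h)),
    }


if __name__ == "__main__":
    for k, v in summarize(SAMPLE_CONFIG, SAMPLE_STRINGS).items():
        print(k, v)
```

The two version values are kept apart on purpose: [main] carries the rootkit's own version (3.273) while [tdlcmd] carries the C&C library version (3.75), which is exactly the distinction the post is making.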
 #1108  by a_d_13
 Mon May 17, 2010 3:14 pm
Hello,

Thank you for letting us know :)
I can confirm - on VM, latest version of TDSSKiller removes the newest version of TDL3.

Thanks,
--AD
 #1109  by gjf
 Mon May 17, 2010 3:18 pm
I have tested TDSS Killer at beta stage on different configurations including real systems (not virtual ones). All tests passed well, TDL3 was removed. It was true for different versions of this rootkit.
 #1110  by EP_X0FF
 Mon May 17, 2010 6:09 pm
eSage TDSS Remover v1.7.5.1 as well as latest Dr.Web 6.0 is able to detect and remove 3.273+
 #1111  by gjf
 Mon May 17, 2010 9:03 pm
EP_X0FF wrote: as well as latest Dr.Web 6.0
Do you mean a pre-installed antivirus or portable free CureIt! version?
I've heard about CureIt! effectiveness against TDL3, but not about DrWeb itself. So it would be interesting news, just because CureIt! has problems with TrueCrypt partitions as well as with SCSI / Primary SATA access. Either Danilov has solved these problems or they have been moved to the main product - DrWeb.