[rkhunter]

Couple of samples of Trojan:Win32/Alureon.FE referenced in the article

7c2d273c453ed366e80807f678e0d633
http://www.virustotal.com/file-scan/rep ... 1315775582

db9984106cc88700c035c545c21d5aae
http://www.virustotal.com/file-scan/rep ... 1314922124

And here Microsoft shows excellent results, one vendors, who correctly detect Tdss droppers (as Trojan:Win32/Alureon).
Other detections, it seems, were taken from Kaspersky (names) or 'generic'.

[rough_spear]

HI All, :D
W32.Jorik dropper and dropped file.

File name - 531-01.exe
VT link - http://www.virustotal.com/file-scan/rep ... 1317995335

File name - E33D.tmp
virusscan link - http://virusscan.jotti.org/en/scanresul ... 93ea93671d

Regards,


rough_spear. ;)

[EP_X0FF]

HI All, :D
W32.Jorik dropper and dropped file.

File name - 531-01.exe
VT link - http://www.virustotal.com/file-scan/rep ... 1317995335

File name - E33D.tmp
virusscan link - http://virusscan.jotti.org/en/scanresul ... 93ea93671d

This is FakeAV and it's friend Alureon from F series (Alureon.FE/L variant).

In attach decrypted

[EP_X0FF]

We are little surprised that nobody didn't posted anything about this new rootkit based on updated TDL4 engine. Where all these fairy tales, "serious threat" like in case of bioskit? :) PR machine is broken, captain obvious co-player went on vacation? Nothing to write maybe? Yes it's more in beta stage, but anyway :)

[rkhunter]

I think that many people took this information (post with name "A tale of grannies, Chinese herbs, Tom Cruise, Alureon and steganography") is not entirely correct. Wrote (in news) that TDSS(!) received new update. Probably many do not even know that it's not original TDL. Maybe if Kasperky or Dr.Web call it as .tdss it is not quite true. But Microsoft, as I understand, has its own internal naming system of droppers, in my opinion it is very different from Kaspersky or Dr.Web. I can see that Microsoft terminology more correct, because the names given droppers very meaningful! =)

[rkhunter]

Perhaps EP_XOFF will open the mystery of how Microsoft accurately refers to as tdl-based droppers, including their versions? =)

[kmd]

this new rk is interesting. more intersting than bioskit (pr shit "we all gone die, serious threat"), new legit way of exploiting mbr :D

@rkhunter

as everywhere guess - honeypots, controlled c&c + good emulator to break the obfuscation where all others detects by crypters

[rkhunter]

@kmd
I think Microsoft is suitable more professionally and efficiently to the addition of droppers and their classification. What the dropper was added as Alureon.FL/E says that the name was added to his hands, it does not work the robot, as in the case of others. Moreover, the classification, in my view, higher capacity because it says TDL-based engine.

[frank_boldewin]

find attached all decrypted ressources from the dropper.

pw: malware

NAME ---> just a string "chromeupdtr.exe"
AFFID ---> just a string "5"
SUBID ---> just a string "ctest70"

VBR
BOOT
CMD32
CMD64
DBG32
DBG64
DRV32
DRV64
LDR32
LDR64
MAIN ----> this is the CFG-File.

[rkhunter]

ESET wrote about MaxSS, called it TDL4
http://blog.eset.com/2011/10/18/tdl4-rebooted