A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #2093  by Sneakyone
 Thu Aug 19, 2010 8:36 pm
I have a case of the new TDL variant it infected Explorer.exe and wininit.exe, so I assume it will infect 2 of those 3 confirmed for the moment.

Infizierte Kopie von c:\windows\explorer.exe wurde gefunden und desinfiziert
Kopie von - c:\windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.20563_none_52283b2af41f3691\explorer.exe wurde wiederhergestellt

Infizierte Kopie von c:\windows\System32\wininit.exe wurde gefunden und desinfiziert
Kopie von - c:\windows\winsxs\x86_microsoft-windows-wininit_31bf3856ad364e35_6.1.7600.16385_none_30c90ef265a43c13\wininit.exe wurde wiederhergestellt

It didn't seem to infect a random driver though? Perhaps a different malware then TDL?
 #2095  by bytejammer
 Thu Aug 19, 2010 9:25 pm
DragonMaster Jay wrote:Indeed. ComboFix has captured the infection from recent sample, and deleted it, but did not get it all disinfected.

c:\windows\system32\winlogon.exe . . . is infected!!

c:\windows\explorer.exe . . . is infected!!

This infection is very likely caused by a new variant of Bamital. I have seen a dramatic increase on the number of infections so far. Perhaps it is also dropped by TDL3? I have attached the Bamital.C dropper for your convenience. If anyone has more info on this, please share.
Attachments
Password: infected
(30.23 KiB) Downloaded 79 times
 #2096  by bytejammer
 Thu Aug 19, 2010 9:32 pm
4everyone wrote:Here is the Virus-Total link for the Infected "Winlogon.exe" & "Explorer.exe". Can someone check this and say whether this is Variant of TDL3 Family / any.. ?

Explorer.exe
http://www.virustotal.com/file-scan/rep ... 1282075880

Winlogon.exe
http://www.virustotal.com/file-scan/rep ... 1282075736
What I have seen so far is that the Explorer.exe and Winlogon.exe infection is each time different (hash). But so far that is the only similarity I could find with TDL3.

Edit: Also the mentioned files in the dllcache folder get infected. If you copy a fresh Explorer.exe to the dllcache folder it gets immediately infected.
 #2098  by SecConnex
 Fri Aug 20, 2010 2:29 am
The only issue with saying it is Bamital, is that Bamital does not infect system files.

Bamital always gets installed by other malware, and never gets distributed on its own. It is more trojan/adware based, rather than backdoor based.

On a couple of my tests, Trojan.Bamital was seen constantly changing Winsock Settings. It also connects and transfers personal information to a private server. It is known to drop some moronic files, but nothing completely damaging like file infection.

IMHO, it looks a lot like Backdoor.BDS/small
 #2101  by EP_X0FF
 Fri Aug 20, 2010 3:35 am
Unfortunately working sample currently is unavailable.

New rootkit is TDL3 variant with a lot of customization. Version downed to 0.1, C&C library changed, most of files renamed, more files added to encrypted rootkit fs.
More interesting part is that it seems to be now playing with MBR and can be x64 compatible (loader 64 binary found).

Here is dropper of another TDL3 modification (new tdlcmd.dll and config.ini).

Internally tdlcmd.dll contains some sort of blacklist
%s mbam.exe spybotsd.exe combofix.exe superantispyware.exe mrt.exe
[main]
version=3.273
id=xxx
installdate=xxx
reboots=2
[injector]
*=tdlcmd.dll
Attachments
pass: malware
(128.31 KiB) Downloaded 87 times
 #2106  by bytejammer
 Fri Aug 20, 2010 6:01 am
DragonMaster Jay wrote:The only issue with saying it is Bamital, is that Bamital does not infect system files.
Just drop the sample I have attached to the post above into a virtual machine. You will see that Winlogon.exe and Explorer.exe get infected. Microsoft, Avast and Ikarus designate both dropper and infection as Bamital.

Interesting thing is that they cannot remove the infection.
 #2109  by 4everyone
 Fri Aug 20, 2010 7:08 am
Any clue on how to fix the New Variant/Version of TDL3 ? I do have noticed few pc's in which RKU shows "atapi.sys" as "Suspicious Modification" & RKU doesn't find "Virus alike Modified" file..

RootRepeal Version 2 just shows atapi all over. It doesn't show the Modified entry point. Combofix doesn't have any clue in these pc's.

Bottomline - No clue with all the majestic Tools. :)
 #2110  by EP_X0FF
 Fri Aug 20, 2010 7:16 am
Without proper dropper it is impossible to say something predict. From preliminary forensic analysis - probably all ARK will need an small update.
  • 1
  • 31
  • 32
  • 33
  • 34
  • 35
  • 40