What tools/techniques do people use to view the TDL3 config.ini information, like version number, install date, etc.? The analysis articles that I've seen don't do a very good job of walking you through the process of decoding it.
How about this http://www.kernelmode.info/forum/viewto ... f=10&t=253 ?
Addition:
Usually such files are recovered from the encrypted TDL file system by internal tools/dumpers, or from memory by special memory forensic tools. As you may understand, publishing them will lead (sooner or later) to their being bypassed by the TDL authors. So you need to write/do it yourself.