A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #697  by NeonFx
 Wed Apr 14, 2010 3:54 am
I wonder if it makes a difference if you run Hitman Pro in Safe Mode. The infection wouldn't be loaded if the driver isn't loaded.
 #698  by EP_X0FF
 Wed Apr 14, 2010 3:59 am
They are system drivers. TDL seems to be checks driver group before infection.
C:\WINDOWS\system32\drivers\intelide.sys
Group - System Bus Extender.

edit:
I did some experiment with latest TDL3. It works in safe mode perfectly.
Attachments
tdl3.JPG
tdl3.JPG (58.81 KiB) Viewed 473 times
Last edited by EP_X0FF on Wed Apr 14, 2010 7:38 am, edited 2 times in total. Reason: added some info
 #704  by gjf
 Wed Apr 14, 2010 10:39 am
STRELiTZIA wrote:Hi,
Updated for fun :)
TDL3+ Cleaner 1.1
Tested on Windows Xp Sp2 and Sp3
Working with "Copy/Restore" exploit...
Sorry, but it does not work! OK, details....

I have used VMWare 7.0.1 build-227600 with WinXP SP3 Pro and altest updates. I have performed initial scan by VBA32 to be sure the system is clean.
VBA32 log after infection and reboot
(23.57 KiB) Downloaded 52 times
. After that I have infected the system and reboot. Then perform the second scan by VBA32 to see that system is infected.
Initial VBA32 log
(23.28 KiB) Downloaded 48 times
So I ahve started the file and install the service. After starting the process the PC beeps one time so I have rebooted the system. During the booting the message "pci.sys file is absent" was shown and booting stopped. I have no idea what's wrong with pci.sys (another driver was infected, it is clear from logs) and what's wrong at all.

So - no good! :(

AFAIK DrWeb cureIt utility cures TDL3, but there are a number of bugs with controllers other than ATA (especially SCSI, SATA etc). Another bug is BSOD with TrueCrypt partitions no matter is infection present or not.

So still have to wait. :roll:
 #706  by nullptr
 Wed Apr 14, 2010 12:36 pm
The TDL3+Cleaner Test Release from last week works fine as long as you identify the correct driver. The TDL3+ Cleaner 1.1 seems to delete a driver causing boot failure.
xp sp3 in Virtual PC.
 #715  by djpnuemo
 Wed Apr 14, 2010 3:14 pm
nullptr wrote:The TDL3+Cleaner Test Release from last week works fine as long as you identify the correct driver. The TDL3+ Cleaner 1.1 seems to delete a driver causing boot failure.
xp sp3 in Virtual PC.
i had the same problem on a test machine (non-virtual).
 #718  by djpnuemo
 Wed Apr 14, 2010 6:49 pm
STRELiTZIA wrote:Thanks for reports :)
Attached Test Release with New option to manually add the second infected driver name.
using "Gmer" to get the second infected driver name.
appreciate the update.

i ran it and entered the second driver found, tcpip.sys, and now cannot browse. done all normal tcp/ip resets/reinstalls to no avail. infection is gone though! ;)
 #720  by InsaneKaos
 Wed Apr 14, 2010 10:08 pm
Recovery Console and a batch-script mostly can do the whole job. I've atteched a batchfile that should find and remove TDL in two steps with the RC.
Attachments
(1 KiB) Downloaded 67 times
 #721  by gjf
 Wed Apr 14, 2010 10:17 pm
InsaneKaos, did you test your script on infected systems? I don't believe simple fc command will reveal rootkit. AFAIK TDL3 gives original unpatched file during file operations, doesn't it?
  • 1
  • 8
  • 9
  • 10
  • 11
  • 12
  • 40