[EP_X0FF]

I suggest we let EP_X0FF decide how we should address this variant.

I call it TDL 3.5 :) or TDL3++

Not sure if it still belongs to same dev team, maybe it's actual name something like "Xyita 0.2" :))

[SecConnex]

Ahh...very well.

Would the operation of it be similar to a bootkit?

[sww]

I call it TDL 3.5 :) or TDL3++
Not sure if it still belongs to same dev team, maybe it's actual name something like "Xyita 0.2" :))

LOOOOL! :)

But in KL we will call it TDL4, 'coz of x64 and MBR infection mechanism.

[notkov]

You got it wrong, but you have some imagination... Too bad it did not not help you recognize the RC4 function in the MBR code.

Ok, so besides RC4 part that i didn't recognize, why did I get it wrong?
Some older TDL3 versions only had XOR encryption. I'm not really sure when that changed, but that can be easily checked. I do not understand that sarcasm from what are you saying.

[s23]

Nope, a simple single No prevented the file from running. Even if it was an infinite loop of UAC messages, that would only make it obvious it's malicious.

You could obtain an infinte loop if p1 (that doesn't need admin rights) drops in temp-dir p2 (that needs admin rights) and does a CreateProcess in a loop, until the process is created (let's say, signaled by a mutex). It would make it obvious it's malware? Belive me, most users will hit 'Yes' without even reading the warning.

Think can be circumvented changing the UAC local policies:

"Detect applications installations and prompt for elevation" : Disabled
and
"Only elevate executables that are signed and validated" : Enabled

Edit: typo

[kakaraka]

You got it wrong, but you have some imagination... Too bad it did not not help you recognize the RC4 function in the MBR code.

Ok, so besides RC4 part that i didn't recognize, why did I get it wrong?
Some older TDL3 versions only had XOR encryption. I'm not really sure when that changed, but that can be easily checked. I do not understand that sarcasm from what are you saying.

Because it's about what the threat does, and not what I or you could do, unless you (or maybe I) do want to be (or are already are) one of those zombies spreading it.

[notkov]

Because it's about what the threat does, and not what I or you could do, unless you (or maybe I) do want to be (or are already are) one of those zombies spreading it.

Well, you got it wrong then :) We are talking about malware(TDL) here and possible threats (past/present/future).
Don't worry, I'm not spreading malware, only on my test systems maybe :)) . And I'm sure you are not doing that either. And I do not think that this forum is an inspiration for blackhats.

[fatdcuk]

Untested yet suspected TDL3 dropper.

http://www.virustotal.com/file-scan/rep ... 1283279256

[Alex]

Yes this is TDL3 dropper.

[main]
version=3.273
id=be3fa69006e0d04e510bd440118518098807
installdate=1283283321
[injector]
*=tdlcmd.dll

[fatdcuk]

Another novel dropper, tested by proxy over messenger (Danke PX5 ;))

http://www.virustotal.com/file-scan/rep ... 1283281751

This one needs to stew for a bit...