[EP_X0FF]

Updated to 3.747 (dropper attached), new configuration values.

[main]
quote=Everybody's a jerk. You, me, this jerk. That's just my philosophy
version=3.273
installdate=1.5.2010 4:35:54
builddate=30.4.2010 1:45:9
rnd=343818398
knt=1272689013
[injector]
*=tdlcmd.dll
[tdlcmd]
servers=https://li1i16b0.com/;https://19js81030 ... n4cx00.cc/
wspservers=http://7gafd33ja90a.com/;http://n1mo661 ... 3kjf7.com/
version=3.747

VirusTotal
http://www.virustotal.com/ru/analisis/a ... 1272688871
http://www.virustotal.com/ru/analisis/f ... 1272688878

[cjbi]

Interesting blog post from Symantec.

The Trojan.Mebroot and Backdoor.Tidserv Crossover

The print processor names are the strings “TDL4” and “TDL5”, which are typically found in Tidserv samples, in particular the Tidserv installer was creating a print processor named “tdl”. The last version of Tidserv was named TDL3. By using these tags, is Mebroot trying to pretend to be a new Tidserv version? Are they just trying to throw smoke in the eyes of the analysts? Who knows!

[EP_X0FF]

Hehe, thanks for info, so it likely partially sold?

[Elite]

That might explain the lack of rootkit updates in TDL3+ funpack during the past month or two.

Also, is Symantec referring to Ghost Shadow or the old Mebroot (from a year or two ago, also know as Sinowal) in the above blog post?

It's going to be an interesting summer.

[gjf]

I don't understand you, guys. Yes, this Mebroot uses the same mechanism to overcome HIPS protection just like TDL3. Frankly speaking TDL3 moved a step further: it doesn't use AddPrintProcessor, but AddPrintProvidor.
So what? The author of bootkit studied a new effective way to drop the malware. There is no any mention about MBR modification and about kernel loader. No any information about rootkit mechanism. Some time ago Prevx "experts" informed about new bootkit version. And the only symptom they mentioned was:

If you haven't installed Prevx and you want to check if your system is infected by MBR rootkit, it's possible to check inside Windows directory, under the Temp subdirectory (%windir%\Temp) for the presence of a hidden file with its name starting with "$$$". If there is such fle, your PC could be affected by the MBR rootkit.

It is very clever! I believe Prevx thinks they are the best AV vendor at the market after such wise words :)

The same - at Symantec. No real study of the rootkit activity, but dropping mechanism "has caught eyes".

[EP_X0FF]

Some time ago Prevx "experts" informed about new bootkit version.

Hehe, I never considered Giuliani's words by truth. Especially when he found relation between callbacks and $$$ =)
This is comedy section from MD5 calculator writers.

[obse]

That might explain the lack of rootkit updates in TDL3+ funpack during the past month or two.

They keeped updated, but don't change the version number. For example they change the place for "magic" const, now it is inside srb packed :lol:

Also, is Symantec referring to Ghost Shadow or the old Mebroot (from a year or two ago, also know as Sinowal) in the above blog post?

"Ghost Shadow" very buggy chinese malware :) infected system is very unstable
symantec talk about old mebroot

[notkov]

They keeped updated, but don't change the version number. For example they change the place for "magic" const, now it is inside srb packed :lol:

Do you have a sample?

Thank you.

[EP_X0FF]

Hello,

there is no need to ask for samples that are multiple attached in this thread at previous pages.

Regards.

[notkov]

[main]
quote=Everybody's a jerk. You, me, this jerk. That's just my philosophy
version=3.273
botid=55045ff5-72b5-4a95-8c6b-5e958b314602
affid=20082
subid=0
installdate=6.5.2010 16:5:57
builddate=4.5.2010 20:10:5
[injector]
*=tdlcmd.dll
[tdlcmd]
servers=https://li1i16b0.com/;https://19js81030 ... n4cx00.cc/
wspservers=http://7gafd33ja90a.com/;http://n1mo661 ... 3kjf7.com/
popupservers=http
version=3.741

VirusTotal:
http://www.virustotal.com/analisis/9ce9 ... 1273163214

Nice strings inside:
"Hello Semantec :) Nice to meet you here"
"Semantec, I love you :)"