A forum for reverse engineering, OS internals and malware analysis 

 #2645  by Eric_71
 Sun Sep 05, 2010 9:43 am
Hello,
EP_X0FF wrote: Does this bootkit work normally on x32, anybody? It renders x64 Windows XP to death BTW.
For me it also crashes frequently on XP SP3 (x86) these days (before, it worked properly), even on a freshly formatted installation.
I have not had time to look into it more.
 #2650  by Blitskrieg
 Sun Sep 05, 2010 5:45 pm
LeastPrivilege wrote:I've noticed that TDSSKiller "works" on Windows 7, but after a reboot replaces MBR code from Windows XP according to MBRCheck with a different SHA1 than the original Windows 7.
Yes, it restores standard WinXP MBR code for tdl4 cure. Normal cure will be added later.
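The two posts above compare MBR code by SHA1 (MBRCheck) and note that TDSSKiller swaps in a standard WinXP MBR. The following is an added example, not code from any poster or tool in this thread, showing how such a comparison is done so that it is robust: only the boot-code region (bytes 0..439) is hashed, because the 4-byte disk signature and the 64-byte partition table legitimately differ from machine to machine and would otherwise make every MBR look "different". The MBR images and the known-hash table are constructed stand-ins; a real MBRCheck-style tool carries a table of real hashes.

```python
import hashlib
from typing import Dict, Optional

MBR_SIZE = 512
BOOT_CODE_LEN = 440       # bytes 0..439: executable boot code
DISK_SIG_OFF = 440        # bytes 440..443: Windows disk signature
PART_TABLE_OFF = 446      # bytes 446..509: four 16-byte partition entries
BOOT_SIG = b"\x55\xAA"    # bytes 510..511: boot signature


def build_mbr(boot_code: bytes, disk_sig: bytes, part_table: bytes) -> bytes:
    """Assemble a 512-byte MBR image from its parts (constructed test data)."""
    if len(disk_sig) != 4 or len(part_table) != 64:
        raise ValueError("disk signature must be 4 bytes, partition table 64 bytes")
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    return code + disk_sig + b"\x00\x00" + part_table + BOOT_SIG


def boot_code_sha1(mbr: bytes) -> str:
    """SHA1 over the boot-code region only, ignoring disk signature and partitions."""
    if len(mbr) != MBR_SIZE or mbr[510:512] != BOOT_SIG:
        raise ValueError("not a valid 512-byte MBR image")
    return hashlib.sha1(mbr[:BOOT_CODE_LEN]).hexdigest()


def whole_sector_sha1(mbr: bytes) -> str:
    """SHA1 over all 512 bytes; shown only to illustrate why this is the wrong thing to compare."""
    return hashlib.sha1(mbr).hexdigest()


def classify(mbr: bytes, known: Dict[str, str]) -> Optional[str]:
    """Return the label of the matching known boot code, or None if the code is unknown."""
    return known.get(boot_code_sha1(mbr))


# --- constructed sample data (hypothetical; not real boot code or real hashes) ---
CLEAN_CODE = b"\xEB\x3C" + b"CONSTRUCTED-CLEAN-BOOTCODE".ljust(438, b"\x90")
PATCHED_CODE = b"\xEB\x3C" + b"CONSTRUCTED-PATCHED-BOOTCODE".ljust(438, b"\x90")
PART_TABLE = bytes([0x80, 0x01, 0x01, 0x00, 0x07]) + bytes(59)   # one bootable NTFS-style entry, rest empty
DISK_SIG_A = b"\x11\x22\x33\x44"
DISK_SIG_B = b"\xAA\xBB\xCC\xDD"

# Known-good table keyed by boot-code hash (constructed label, constructed hash).
KNOWN_BOOT_CODE = {
    boot_code_sha1(build_mbr(CLEAN_CODE, DISK_SIG_A, PART_TABLE)): "constructed-clean-mbr",
}


def same_code_other_disk_matches() -> bool:
    """Same boot code on another disk (different signature) still matches the table."""
    other = build_mbr(CLEAN_CODE, DISK_SIG_B, PART_TABLE)
    return classify(other, KNOWN_BOOT_CODE) == "constructed-clean-mbr"


def whole_sector_hash_differs() -> bool:
    """Hashing the full sector would flag the same clean code as different."""
    a = build_mbr(CLEAN_CODE, DISK_SIG_A, PART_TABLE)
    b = build_mbr(CLEAN_CODE, DISK_SIG_B, PART_TABLE)
    return whole_sector_sha1(a) != whole_sector_sha1(b)


def patched_code_is_unknown() -> bool:
    """Modified boot code with the original disk signature is reported as unknown."""
    patched = build_mbr(PATCHED_CODE, DISK_SIG_A, PART_TABLE)
    return classify(patched, KNOWN_BOOT_CODE) is None


if __name__ == "__main__":
    print("same code, other disk matches:", same_code_other_disk_matches())
    print("whole-sector hash differs:    ", whole_sector_hash_differs())
    print("patched code unknown:         ", patched_code_is_unknown())
```

Reading the real sector on Windows means opening `\\.\PhysicalDrive0` with administrator rights and reading the first 512 bytes; the hashing and comparison above are unchanged. An "unknown" result is a prompt to inspect the code, not proof of infection: a vendor-specific or just-restored MBR (such as the XP code TDSSKiller writes) will also be unknown until it is in the table.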
 #2652  by frank_boldewin
 Sun Sep 05, 2010 6:34 pm
Eric_71 wrote: Hello,
EP_X0FF wrote: Does this bootkit work normally on x32, anybody? It renders x64 Windows XP to death BTW.
For me it also crashes frequently on XP SP3 (x86) these days (before, it worked properly), even on a freshly formatted installation.
I have not had time to look into it more.
I've noticed that there's a bug in the dropper, causing an app crash under WinXP SP3. But it can be easily patched without harming the rest of the code flow.
Maybe an optimization bug.
 #2668  by PX5
 Tue Sep 07, 2010 12:02 pm
The installers have run fine on x86 here for a long time. New addition for me: my "bulletproof" Belkin router has been whacked 2 times in the last 24h.

There is new sploit code out for easy access into MAC addies, I know, but I've never had TDL whack my router.

Here is an installer that I pulled off a friend's machine whose Linksys cable gateway also got whacked, but I cannot make it replicate, if anyone else wants to try.
 #2670  by EP_X0FF
 Tue Sep 07, 2010 1:14 pm
This is TDL3+ with updated tdlcmd.dll (3.95).
[main]
version=3.273
quote=Tempers are wearing thin. Let's hope some robot doesn't kill everybody
botid=74f8e63e-5915-4beb-a4e7-44bba20d02e1
affid=11516
subid=1
installdate=7.9.2010 13:11:17
builddate=2.8.2010 10:23:9
rnd=1935655697
[injector]
*=tdlcmd.dll
[tdlcmd]
servers=hxxps://0o0o0o0o0.com/;hxxps://61.61.20.132/;hxxps://rukkieanno.in/;hxxps://61.61.20.135/;hxxps://nyewrika.in/;hxxps://68b6b6b6.com/;hxxps://34jh7alm94.asia/;hxxps://873hgf7xx60.com/;hxxps://1iii1i11i1ii.com/;hxxps://jro1ni1l1.com/
wspservers=hxxp://lk01ha71gg1.cc/;hxxp://zl091kha644.com/;hxxp://a74232357.cn/;hxxp://a76956922.cn/;hxxp://91jjak4555j.com/
popupservers=hxxp://cri71ki813ck.com/
version=3.95
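The configuration EP_X0FF posted above is a plain INI-style file. As an added example (not code from the poster or from any tool mentioned in the thread), here is a small parser that turns it into sections and pulls the server hostnames out of the `servers`, `wspservers` and `popupservers` lists as defanged indicators, separating IP literals from domains. The input is the configuration exactly as posted; the `*=tdlcmd.dll` entry under `[injector]` is kept as a literal key/value pair and not interpreted.

```python
import re
from typing import Dict, List, Tuple

# Configuration text as posted in the thread (hxxp/hxxps defanging preserved).
TDL_CONFIG = """[main]
version=3.273
quote=Tempers are wearing thin. Let's hope some robot doesn't kill everybody
botid=74f8e63e-5915-4beb-a4e7-44bba20d02e1
affid=11516
subid=1
installdate=7.9.2010 13:11:17
builddate=2.8.2010 10:23:9
rnd=1935655697
[injector]
*=tdlcmd.dll
[tdlcmd]
servers=hxxps://0o0o0o0o0.com/;hxxps://61.61.20.132/;hxxps://rukkieanno.in/;hxxps://61.61.20.135/;hxxps://nyewrika.in/;hxxps://68b6b6b6.com/;hxxps://34jh7alm94.asia/;hxxps://873hgf7xx60.com/;hxxps://1iii1i11i1ii.com/;hxxps://jro1ni1l1.com/
wspservers=hxxp://lk01ha71gg1.cc/;hxxp://zl091kha644.com/;hxxp://a74232357.cn/;hxxp://a76956922.cn/;hxxp://91jjak4555j.com/
popupservers=hxxp://cri71ki813ck.com/
version=3.95
"""

SERVER_KEYS = ("servers", "wspservers", "popupservers")
DEFANGED_URL_RE = re.compile(r"^hxxps?://([^/;\s]+)/?$")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def parse_tdl_config(text: str) -> Dict[str, Dict[str, str]]:
    """Parse [section] headers and key=value lines; first '=' splits key from value."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            raise ValueError(f"unexpected line outside a section or without '=': {raw!r}")
        key, _, value = line.partition("=")
        sections[current][key.strip()] = value.strip()
    return sections


def extract_hosts(tdlcmd: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (list_name, host) pairs from the semicolon-separated server lists."""
    hosts: List[Tuple[str, str]] = []
    for key in SERVER_KEYS:
        for url in tdlcmd.get(key, "").split(";"):
            url = url.strip()
            if not url:
                continue
            match = DEFANGED_URL_RE.match(url)
            if not match:
                raise ValueError(f"unrecognised server entry: {url!r}")
            hosts.append((key, match.group(1)))
    return hosts


def summarise(text: str) -> Dict[str, object]:
    """Produce a compact indicator summary: versions, affiliate id, domains and IPs."""
    cfg = parse_tdl_config(text)
    hosts = extract_hosts(cfg.get("tdlcmd", {}))
    names = sorted({h for _, h in hosts})
    return {
        "core_version": cfg["main"].get("version"),
        "tdlcmd_version": cfg["tdlcmd"].get("version"),
        "affid": cfg["main"].get("affid"),
        "injected_module": cfg.get("injector", {}).get("*"),
        "ip_hosts": [h for h in names if IPV4_RE.match(h)],
        "domain_hosts": [h for h in names if not IPV4_RE.match(h)],
        "per_list_counts": {k: sum(1 for lk, _ in hosts if lk == k) for k in SERVER_KEYS},
    }


if __name__ == "__main__":
    for field, value in summarise(TDL_CONFIG).items():
        print(f"{field}: {value}")
```

The summary is what a responder wants to hand to the network team: which hosts to look for in proxy and DNS logs, and which build (core 3.273 with tdlcmd 3.95 here) the sample corresponds to. Keeping the `hxxp` defanging in the output avoids accidental clicks when the list is pasted into a ticket.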
 #2671  by Blitskrieg
 Tue Sep 07, 2010 1:41 pm
Blitskrieg wrote:
LeastPrivilege wrote: I've noticed that TDSSKiller "works" on Windows 7, but after a reboot replaces MBR code from Windows XP according to MBRCheck with a different SHA1 than the original Windows 7.
Yes, it restores standard WinXP MBR code for tdl4 cure. Normal cure will be added later.
Implemented, TDSSKiller build 2.4.2.1.