[Sneakyone]

I have a case of the new TDL variant it infected Explorer.exe and wininit.exe, so I assume it will infect 2 of those 3 confirmed for the moment.

Infizierte Kopie von c:\windows\explorer.exe wurde gefunden und desinfiziert
Kopie von - c:\windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.20563_none_52283b2af41f3691\explorer.exe wurde wiederhergestellt

Infizierte Kopie von c:\windows\System32\wininit.exe wurde gefunden und desinfiziert
Kopie von - c:\windows\winsxs\x86_microsoft-windows-wininit_31bf3856ad364e35_6.1.7600.16385_none_30c90ef265a43c13\wininit.exe wurde wiederhergestellt

It didn't seem to infect a random driver though? Perhaps a different malware then TDL?

[4everyone]

Here is the Virus-Total link for the Infected "Winlogon.exe" & "Explorer.exe". Can someone check this and say whether this is Variant of TDL3 Family / any.. ?

Explorer.exe
http://www.virustotal.com/file-scan/rep ... 1282075880

Winlogon.exe
http://www.virustotal.com/file-scan/rep ... 1282075736

[bytejammer]

Indeed. ComboFix has captured the infection from recent sample, and deleted it, but did not get it all disinfected.

c:\windows\system32\winlogon.exe . . . is infected!!

c:\windows\explorer.exe . . . is infected!!

This infection is very likely caused by a new variant of Bamital. I have seen a dramatic increase on the number of infections so far. Perhaps it is also dropped by TDL3? I have attached the Bamital.C dropper for your convenience. If anyone has more info on this, please share.

[bytejammer]

Here is the Virus-Total link for the Infected "Winlogon.exe" & "Explorer.exe". Can someone check this and say whether this is Variant of TDL3 Family / any.. ?

Explorer.exe
http://www.virustotal.com/file-scan/rep ... 1282075880

Winlogon.exe
http://www.virustotal.com/file-scan/rep ... 1282075736

What I have seen so far is that the Explorer.exe and Winlogon.exe infection is each time different (hash). But so far that is the only similarity I could find with TDL3.

Edit: Also the mentioned files in the dllcache folder get infected. If you copy a fresh Explorer.exe to the dllcache folder it gets immediately infected.

[SecConnex]

The only issue with saying it is Bamital, is that Bamital does not infect system files.

Bamital always gets installed by other malware, and never gets distributed on its own. It is more trojan/adware based, rather than backdoor based.

On a couple of my tests, Trojan.Bamital was seen constantly changing Winsock Settings. It also connects and transfers personal information to a private server. It is known to drop some moronic files, but nothing completely damaging like file infection.

IMHO, it looks a lot like Backdoor.BDS/small

[EP_X0FF]

Unfortunately working sample currently is unavailable.

New rootkit is TDL3 variant with a lot of customization. Version downed to 0.1, C&C library changed, most of files renamed, more files added to encrypted rootkit fs.
More interesting part is that it seems to be now playing with MBR and can be x64 compatible (loader 64 binary found).

Here is dropper of another TDL3 modification (new tdlcmd.dll and config.ini).

Internally tdlcmd.dll contains some sort of blacklist

%s mbam.exe spybotsd.exe combofix.exe superantispyware.exe mrt.exe

[main]
version=3.273
id=xxx
installdate=xxx
reboots=2
[injector]
*=tdlcmd.dll

[bytejammer]

The only issue with saying it is Bamital, is that Bamital does not infect system files.

Just drop the sample I have attached to the post above into a virtual machine. You will see that Winlogon.exe and Explorer.exe get infected. Microsoft, Avast and Ikarus designate both dropper and infection as Bamital.

Interesting thing is that they cannot remove the infection.

[SecConnex]

Right. Which is why I said it is closely related to BDS\Small.

[4everyone]

Any clue on how to fix the New Variant/Version of TDL3 ? I do have noticed few pc's in which RKU shows "atapi.sys" as "Suspicious Modification" & RKU doesn't find "Virus alike Modified" file..

RootRepeal Version 2 just shows atapi all over. It doesn't show the Modified entry point. Combofix doesn't have any clue in these pc's.

Bottomline - No clue with all the majestic Tools. :)

[EP_X0FF]

Without proper dropper it is impossible to say something predict. From preliminary forensic analysis - probably all ARK will need an small update.