A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #6364  by Meriadoc
 Tue May 17, 2011 2:24 pm
EP_X0FF wrote:TDL3 is back as remake from TDL4 authors.
1.1 working well :)
Code:
[main]
version=1.1
botid=
affid=10093
subid=1
installdate=16.5.2011 10:52:24
builddate=16.5.2011 4:8:57
[injector]
svchost.exe=cmd.dll;clc.dll
iexplore.exe=module.dll;clc.dll
firefox.exe=module.dll
chrome.exe=module.dll
safari.exe=module.dll
maxthon.exe=module.dll
[cmd]
servers=hxxp://4antarhsm11109988992.com/version;hxxp://59.91.189.45/version;hxxp://93.73.11.25/version;hxxp://zighen.com/version;hxxp://perfect-strive.com/version;hxxp://jeanclaudefishmealsystems.com/version
version=1.0
[injects]
clc=***
VT - 13/41 http://www.virustotal.com/file-scan/rep ... 1305542886
Attachments
pass=malware
 #6966  by EP_X0FF
 Tue Jun 28, 2011 3:04 pm
Stuff still alive and kicking.
[main]
version=1.1
botid=3f1b98c6-07dd-4f7d-a650-30bb6f39b0a3
affid=10034
subid=1
installdate=28.6.2011 14:51:58
builddate=16.6.2011 14:43:59
[injector]
svchost.exe=cmd.dll
[cmd]
servers=hxxp://4antarhsm11109988992.com/version;hxxp://59.91.189.45/version;hxxp://93.73.11.25/version;hxxp://zighen.com/version;hxxp://perfect-strive.com/version;hxxp://jeanclaudefishmealsystems.com/version
version=1.0
In attach: dropper, unpacked dropper, dump of all TDL VFS (including some new file called tests).

http://www.virustotal.com/file-scan/rep ... 1308977118
Attachments
pass: malware
 #6986  by EP_X0FF
 Thu Jun 30, 2011 2:17 am
Of course not :) I would never use third party software. All dumps were done through an internal detector/remover tool developed for the original TDL3 that landed in October 2009, long before ESET started PR on this rootkit.
 #7047  by EP_X0FF
 Sun Jul 03, 2011 8:53 am
A few TDL3 mods captured a few days ago, just got some time to look at them :)

TDL cmd (v2.0) contains a hardcoded link to a drop zone that gives some additional malware and TDL4.

hxxp://188.229.88.9/ (fake security warning page, payload http://188.229.88.9/update.php)

All droppers in attach.
[main]
version=1.1
botid=3f1b98c6-07dd-4f7d-a650-30bb6f39b0a3
affid=543
subid=1
installdate=3.7.2011 8:45:48
builddate=23.6.2011 1:45:54
[injector]
svchost.exe=cmd.dll
[cmd]
servers=hxxp://4antarhsm11109988992.com/version;
hxxp://59.91.189.45/version;hxxp://93.73.11.25/version;
hxxp://zighen.com/version;hxxp://perfect-strive.com/version;
hxxp://jeanclaudefishmealsystems.com/version

[main]
version=0.03
aid=3
sid=1
builddate=351
installdate=3.7.2011 8:33:41
rnd=436374069
[inject]
*=cmd.dll
* (x64)=cmd64.dll
[cmd]
srv=hxxps://i0m71gmak01.com/;
hxxps://0imh17agcla.com/;hxxps://jna0-0akq8x.com/
wsrv=hxxp://u-a-d-1come.com/;
hxxp://z0a-adotcom.com/;hxxp://61zra71kf-a.com/
psrv=hxxp://amazeyapcell.com/;hxxp://8hqka--acom.com/
version=0.1763
Attachments
pass: malware
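An added helper, not code from this thread or from any TDL tool, for turning dumped configs like the ones above into blocklist material: it handles both the TDL3 layout ([injector] plus a semicolon-separated servers list) and the aid/[inject]/srv layout, which it assumes is TDL4's, rejoins URL lines that were wrapped by the forum, and splits a dump that holds several configs back to back. The sample at the bottom is constructed from values in the posts above.

```python
"""Turn dumped TDL3/TDL4 configs ([main]/[injector]/[cmd] INI text) into C2 hosts and injection targets."""
import configparser
import re
C2_KEYS = ("servers", "srv", "wsrv", "psrv")  # TDL3: servers; TDL4: srv/wsrv/psrv
_SCHEME = re.compile(r"^(hxxps?|https?)://", re.IGNORECASE)

def split_dumps(text):
    """Rejoin forum-wrapped URL lines (no '=' in them), then split into one config per [main]."""
    lines = []
    for line in (l.strip() for l in text.splitlines()):
        if lines and _SCHEME.match(line) and "=" not in line:
            lines[-1] += line  # continuation of the previous key=value line
        else:
            lines.append(line)
    parts = re.split(r"(?m)^\[main\]$", "\n".join(lines))
    return ["[main]\n" + p.strip() for p in parts if p.strip()]

def parse_tdl_config(text):
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case (process names, '* (x64)')
    cp.read_string(text)
    hosts = []
    for key in C2_KEYS:
        for item in cp.get("cmd", key, fallback="").split(";"):
            host = _SCHEME.sub("", item.strip()).split("/")[0]  # hxxp://host/path -> host
            if host and host not in hosts:
                hosts.append(host)
    inj = "injector" if cp.has_section("injector") else "inject"
    targets = {p: m.split(";") for p, m in cp.items(inj)} if cp.has_section(inj) else {}
    return {  # assumption: aid/sid/[inject] is the TDL4 layout, affid/subid/[injector] TDL3
        "family": "TDL4" if cp.has_option("main", "aid") else "TDL3",
        "version": cp.get("main", "version", fallback=""),
        "c2_hosts": hosts,
        "inject_targets": targets,
    }

# Constructed sample: a TDL3 and a TDL4 config back to back, one value forum-wrapped
SAMPLE = """[main]
version=1.1
[injector]
svchost.exe=cmd.dll;clc.dll
[cmd]
servers=hxxp://4antarhsm11109988992.com/version;hxxp://59.91.189.45/version;
hxxp://zighen.com/version
[main]
version=0.03
aid=3
[inject]
* (x64)=cmd64.dll
[cmd]
srv=hxxps://i0m71gmak01.com/;hxxps://jna0-0akq8x.com/
"""
```

Running `[parse_tdl_config(c) for c in split_dumps(SAMPLE)]` yields two summaries whose `c2_hosts` can be fed straight into a DNS or proxy blocklist.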
 #7904  by sugar
 Tue Aug 09, 2011 7:53 am
Hello, I'm looking for z00clicker.dll, md5 ca7fab973f6670e67f37bf323fce92b8. Thanks.
 #7905  by EP_X0FF
 Tue Aug 09, 2011 8:42 am
sugar wrote:Hello, I'm looking for z00clicker.dll, md5 ca7fab973f6670e67f37bf323fce92b8. Thanks.
Extract from TDL manually.
Attachments
pass: malware
 #8689  by icr
 Thu Sep 22, 2011 5:37 am
Some more TDSS programs (renamed *._exe)

Password : infected
regards,
icr ;)
Attachments
Password : infected