[Alex]

It looks that Symantec's FixTDSS is able to remove TDL3 - tested on Jaxryley's sample.

[Jaxryley]

Another sample:

setup.exe - 6/ 43 - MS Trojan:Win32/Alureon.EC - MD5 : fca85a3b994cabac0b1c3d179c783e62
http://www.virustotal.com/file-scan/rep ... 1284711125

Dropped dll:
M9g1iQG.dll - 3/ 42
http://www.virustotal.com/file-scan/rep ... 1284711217

setup exe and DLL.rar

(249.76 KiB) Downloaded 81 times

[nullptr]

I like how the above sample writes debug text to the drive root. (debug.txt) :lol:

1312 DllMain|module: \\?\globalroot\lhjwnnds\vltmjrsb\tdlcmd.dll version: 0.2
1312 isProcess|iexplore.exe
1312 isProcess|isBrowser: iexplore.exe TRUE
1312 ModuleAdd|tdlcmd (00260000): \\?\globalroot\lhjwnnds\vltmjrsb\tdlcmd.dll
1312 HOOKWSPStartup|start hooking 1312
1312 initsettings|botid: xxxxxxxxxxxf04a530b49a092c7d006de7e affid: 93035 socks: 0 reboots: 2 uptime: 0 version: 0.2
1312 HOOKDnsQuery_W|DnsQuery_W
1312 HOOKDnsQuery_W|DnsQuery_W
1312 CheckDomain|start CheckDomain http://www.google.com.au
1312 CheckDomain|CheckDomain(http://www.google.com.au) 0x635d7d4a
1312 _strformat|alloced: 30 printed: 25
1312 ClickerSendCheck|url: http://www.google.com.au/ ref: (null)

URL redirection in latest samples with tdlcmd v 0.2 seems a bit hit and miss. Search tdsskiller, click the kaspersky link. Sometimes it takes a couple of tries to get there.

[EP_X0FF]

Seems to be last days of TDL3 :) Shutdown is near.

[xfoo()]

hi,

new tdl4 version appeared, 0.03 (cfg.ini)
main change is the injected code by apc,
for example after execute the \\?\globalroot\\.. string is overwritten by zeros,
so dumper won't work. Probably tdl authors read the forum too.

xfoo()

[markusg]

can you upload the sample?

[LeastPrivilege]

new tdl4 version appeared, 0.03 (cfg.ini)

Hello,
Was this on a x86 or x64 version of Windows? Can you obtain any samples?

[Fabian Wosar]

Hi guys,

Attached you find the new dropper that was mentioned a few posts above. Unfortunately the only submitted sample we got so far is in form of a dropped DLL. For convenience I have included the original sample we got as well as a reconstructed dropper (DLL file converted back to an executable). The dumped files from the encrypted storage are included as well.

If anyone wants an updated version of the dump tool please drop me a PM.

Config:

Code: Select all

[main]
version=0.03
aid=40124
sid=0
builddate=4096
rnd=179605362
[inject]
*=cmd.dll
[cmd]
srv=https://nichtadden.in/;https://91.212.226.67/;https://li1i16b0.com/;https://zz87jhfda88.com/;https://n16fa53.com/;https://01n02n4cx00.cc/;https://lj1i16b0.com/
wsrv=http://zl00zxcv1.com/;http://zloozxcv1.com/;http://71ha6dl01.com/;http://axjau710h.com/;http://rf9akjgh716zzl.com/;http://dsg1tsga64aa17.com/;http://l1i1e3e3oo8as0.com/;http://7gafd33ja90a.com/;http://n1mo661s6cx0.com/
psrv=http://clkh71yhks66.com/
version=0.14

[CloneRanger]

@ Fabian Wosar

Thanks for "Dropping" by ;)

[EP_X0FF]

There is no need to post analysis tools in that thread, obviously that help to bypass them.