[EP_X0FF]

This remembers how was revealed Rustock.C in 2007 :) I think we all should just wait. Undetectable rootkits not exists.
According to what we know, dropper is the primary target.

[rossetoecioccolato]

Bet rossetoecioccolato will love this part.

Not surprising given antivirus's stellar performance at finding new malware. What interests me more is that the program which you display runs without having to rename it or doing anything to disguise its presence. TDL3 doesn't care! He's got nothing to hide. I wonder...

[SecConnex]

^^ It's not like that. Teasing with knowledge is not the aim here. We are all collaborating our efforts to focus on figuring out what this infection routine is all about.

[GamingMasteR]

Take it easy guys, no one here has the dropper yet !
I'm sure it will be shared once it's in our hands .

Regards.

[EP_X0FF]

This data collected by one person (a_d_13) and shared between trusted people, not simple because he want to write an "article" or whatever.

Things shared on principles of trust can be published only with agreement of original researcher.

Take a rest guys, TDL will not eradicate itself today or tomorrow. It will be with us for at least few years.

[Jaxryley]

Anything new about this one?

dg.exe - 6/40 (15.0%) - MD5 : 77731cef16d8b443dc3c1da267642040
http://www.virustotal.com/file-scan/rep ... 1282727178

hxxp://www.musicomm.ca/.21amo/?getexe=dg.exe

dg.rar

Pass:
infected
(82.79 KiB) Downloaded 74 times

[EP_X0FF]

Classical TDL3

[main]
version=3.273
quote=I felt like putting a bullet between the eyes of every panda that wouldn't screw to save it's species. I wanted to open the dump valves on oil tankers and smother all those french beaches I'd never see. I wanted to breathe smoke
botid=xxx
affid=xxxx
subid=0
installdate=25.8.2010 9:20:18
builddate=25.8.2010 9:0:5
rnd=1960408961
[injector]
*=tdlcmd.dll
[tdlcmd]
servers=hxxps://nichtadden.in/;hxxps://91.212.226.67/;hxxps://li1i16b0.com/;hxxps://zz87jhfda88.com/;hxxps://n16fa53.com/;hxxps://01n02n4cx00.cc/;hxxps://lj1i16b0.com/
wspservers=hxxp://zl00zxcv1.com/;hxxp://zloozxcv1.com/;hxxp://71ha6dl01.com/;hxxp://axjau710h.com/;hxxp://rf9akjgh716zzl.com/;hxxp://dsg1tsga64aa17.com/;hxxp://l1i1e3e3oo8as0.com/;hxxp://7gafd33ja90a.com/;hxxp://n1mo661s6cx0.com/
popupservers=hxxp://clkh71yhks66.com/
version=3.941

[EP_X0FF]

This thread contains information about TDL3 rootkit, split from TDL rootkit.

[EP_X0FF]

TDL3 is back as remake from TDL4 authors.

[main]
version=1.1
botid=3f1b98c6-07dd-4f7d-a650-30bb6f39b0a3
affid=10008
subid=1
installdate=10.3.2011 4:3:4
builddate=8.3.2011 19:35:6
[injector]
*=cmd.dll
[cmd]
servers=hxxp://winupdateserver.su/version;hxxp://softwareupdateservice.ru/version;hxxp://winupdateservices.com/version;hxxp://updateconnection.com/version;hxxp://cloudnanoconnnection.info/version
version=1.0

Servers are not secured. Grab the data.

insert into incoming_log(id1, id2, guid, ver, dom, client_ip, timestamp, country, type) values (1, 1, , , , 213.229.84.96, 1298585207, GB, 1);

Infinite loop of blue screens after reboot.

New tdlcmd attached. It's fully redesigned. Only three commands left: ConfigWrite, DeleteSpecifiedFile, DownloadFile.

[EP_X0FF]

Bamital extracted from TDL3 command & control server, 2302 items.

Multipart archive divided on 9 parts.
pass: malware

_if chrome.exe firefox.exe opera.exe iexplore.exe c h r o m e . e x e f i r e f o x . e x e o p e r a . e x e i e x p l o r e . e x e GET HTTP/1.1
Host: &version= Run Software\Microsoft\Windows\CurrentVersion\Explorer\LowRegistry Flag
GetUserGeoID SYSTEM\CurrentControlSet\Services\sr\Parameters SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore FirstRun DisableSR \user32.dll zx.dll z x . d l l spoolsv.exe /message.php .co.cc .co.cz .info .org \updhlp.dat open -new-window <script src="http:// " type="text/javascript"></script> Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Startup
19792079 1979207932 [%subid] <d> </d> <m> </m> <e> </e> <f> </f> <j> </j> <c> </c> <u> </u> <t> </t> <p> </p> <k> </k> <b> </b> <p> </p> <k> </k> [%key] [%subid] </ul> google.com
/ Date: X55 Fut 2999 </title> <r> </r> **http%3a// User-Agent: Accept-Encoding: Content-Type: text/html GET /search GET /s? google. search.yahoo.com bing.com
?subid= &id= \temp.ini \user32.dll TimeGetWork Uses32 ExitTime Ver Decode Domen Flags \admin.txt .gif .jp .png .js .ico .css .aspx / iexplore.exe .upd & q= p= text= "> % <d> </d> <s> </s> <i> </i> &HTTP_REFERER= \ PROCESSOR_IDENTIFIER %3f ? &os= &br= IE Op FF Ch &flg= &ad= &ver= \server.dat \Windows \winhelp.exe Exists555 Explorer555 Global\EventHlpFile
Global\EventHlpFile2 HlpMap555

h3 class="r"><a href="http:// <h3 class=r><a href="http:// <h3 class="r"><a href=" <li class=ta <li class="
ta href=" title> - porno yschttl spt" href="http:// <div><a href="http://search.yahoo.com/r/_ylt <div><a href="http://rds.yahoo.com/_ylt , <em> </em> <a href="http:// sb_tlst"><h3><a href="http:// class="sb_ads <a href="http:// " <em> </em> 19091979 \Server HTTP/1.1 302 Moved Temporarily
Location: Connection: keep-alive
Content-Length: 0
Connection: close
HTTP/1.1 200 OK
<html><head><script language="JavaScript">function f(){var form = document.forms["rr"];form.submit();}if(document.cookie==""){if (history.length!=0) document.cookie="k=1";window.onload=f;}else{document.cookie="k=1;expires=Mon, 01-Jan-2001 00:00:00 GMT";history.back();}</script></head><body><form action="http:// " method="post" name="rr"></form></body></html> 8 / <html><head></head><body><script type="text/javascript">location.href="http:// ";</script></body></html> N
0 <title> </title> <meta keyword > </head> Content-Length: Pragma: no-cache
Accept-Encoding: </body> </html> Host: Referer: http:// gzip sdch none HTTP/1. 200 OK _