[EP_X0FF]

Downloader coming from tdss sites

VirusTotal
http://www.virustotal.com/analisis/853f ... 1269148478

Contains inside list of malware to download and self-deletion code.

> nul
/c del
COMSPEC
%skzwtguher.php?adv=adv447&code1=%s&code2=%s&id=%d&p=%s
%sddok.exe
%siolylzjjg.php?adv=adv447
%sbwadvg.exe
%sxekgqer.php?adv=adv447
%sstrcul.exe
%sekhrrfst.php?adv=adv447
%snxbtc.exe
%sybxliiv.php?adv=adv447
%splfyaqpj.exe
%swczjgtqqnk.php?adv=adv447
%snfylrs.exe
%sadmwk.php?adv=adv447
%svqaq.e
wZZ
Open
> nul
/c del
COMSPEC
%skzwtguher.php?adv=adv447&code1=%s&code2=%s&id=%d&p=%s
%sddok.exe
%siolylzjjg.php?adv=adv447
%sbwadvg.exe
%sxekgqer.php?adv=adv447
%sstrcul.exe
%sekhrrfst.php?adv=adv447
%snxbtc.exe
%sybxliiv.php?adv=adv447
%splfyaqpj.exe
%swczjgtqqnk.php?adv=adv447
%snfylrs.exe
%sadmwk.php?adv=adv447
%svqaq.exe
%stjgcdnnak.php?adv=adv447
%svqovnpnr.exe
%sgmvsjkh.php?adv=adv447
%slnfl.exe
%stfllijwxgu.php?adv=adv447
%sxsgv.exe
%setqrnbbym.php?adv=adv447
%sldrldu.exe
%syekhhiijfg.php?adv=adv447
%sbirqakky.php?adv=adv447
_hxxp://bastocks.com/maczjwtq/
_hxxp://aahydrogen.com/maczjwtq/
ver52

[MarcElBichon]

New version (2.2.8.1) of TDSS Killer today :
http://support.kaspersky.com/downloads/ ... killer.zip

[Meriadoc]

Waiting for update :)

sample of strings from latest sample

File: keygen_dmp
MD5: b3f6f4ee6b66d3a61a2983dfcedd176c
!This program cannot be run in DOS mode.
DRich
.text
`.rdata
@.data
.tdl
.rsrc
@.reloc
kernel32.dll
VirtualAlloc
GetModuleHandleW
LocalAlloc
FreeLibraryAndExitThread
GetShortPathNameA
GetCurrentDirectoryA
HeapCreate
Sleep
??1bad_cast@@UAE@XZ
1/142
3;3P3n3x3
then
priest
plague
ethe
skin
ewhite;
hspoke
skin,
plague;
ereddish-white,
boil,
IDDQD!
IDDQD!
IDDQD!

bible and hidden code references, IDDQD - DOOM code, God mode/invincible :)

[Meriadoc]

Rebuilds fooling av well.

keygen VT 3/42

http://www.virustotal.com/analisis/5bda ... 1269377661

[Jaxryley]

Code: Select all

hxxp://91.212.226.182/cut4765.exe

Result: 21/42 (50%)
http://www.virustotal.com/analisis/7a5d ... 1269427704

Pass infected
hxxp://rapidshare.com/files/367530544/cut4765.rar

[EP_X0FF]

hxxp://91.212.226.182/cut4765.exe

Hello and thank you for the sample :)

It is 6 days old TDL3.

[main]
quote=Dude, meet me in Montana XX00, Jesus (H. Christ)
version=3.273
installdate=24.3.2010 11:40:28
builddate=19.3.2010 13:15:0
[injector]
*=tdlcmd.dll
[tdlcmd]
servers=https://873hgf7xx60.com/;https://34jh7a ... 61.20.132/
wspservers=http://lk01ha71gg1.cc/;http://zl091kha6 ... 4555j.com/
popupservers=http://zxclk9abnz72.com/
version=3.74

Long time nothing new from TDL crew :)

Regards.

[vernalex]

First I would like to thank you all for your work and any information you have posted. I originally found the SysInternals forum on TDL3 and I found the link to this forum from there. This information has been wonderfully useful and saved me a lot of time.

But, I also have a question. Does anyone know how TDL3 infects computers?

I've seen with other malware programs infect computers with a browser image that purports to be a virus scanner (such as Antivirus 2009, Antivirus 2010, General Antivirus, Security Antivirus, Security Tool, etc. as in the screenshot) and they convince the user to install an executable that then compromises their machines. Has anyone seen a computer comprised with TDL in this way (social engineering)? Or are they installing through security vulnerabilities (unpatched Adobe Reader, Flash, Java, etc. exploits)?

So, while I now have the tools to cure these infections I am curious as to how to prevent them because where I work we have Symantec Antivirus and it seems mostly useless in fighting the infections. If you have any information about this then please let me know. And if you have a link of a website that tries to infect you that would be most useful too (good idea to message me with it instead of posting it though so someone doesn't accidentally infect themselves).

Thank you! :)

Not saved from a TDL infection, but does TDL infect a computer in a similar way?
malware.png (157.82 KiB) Viewed 583 times

[EP_X0FF]

Hi,

generally tdl3 comes as:

1. video codecs installers
(video jokes that requires download and installing additional video codecs, this usually bypasses Vista/7 User Accounts Control, because user allows installation, some sort of social engineering)

NOT a tdl3, but example for a conception
_hxxp://video-info.info/show.php
payload, so called video codec - Trojan Downloader http://www.virustotal.com/analisis/222e ... 1269451721

2. payload of some fake av's
(they download tdl3 rootkit as "updates")

3. keygens and cracks
(they comes as keygens/cracks, sometimes as addition with legitimate software, while they are eventually not, good example keygen.name drop site - every file from this site is malware)

4. installing through exploits
(user accessing web site with compromised web-browser, site executing exploit, payload - downloading and starting rootkit dropper)

To avoid tdl3 (as well as many others infections)

1. Do not use IE. Never. Even if 11 version will be claimed as world most secured browser. Internet Explorer is the number 1 in priority for malware researches and writers.
2. Do not start anything you don't know what is it - if you really need this - try before running it on virtual machine.
3. Check suspicious files before executing through free online scanners such as VT/VirScan
4. Download and always install updates for software (especially browsers, Adobe products) and operation system.
5. If it is possible then switch to most secured x64 Windows version which is currently Windows 7 (UAC turned on, MSE/WFirewall installed for example). Yes, it is just a question of time, when malware will migrate to x64 but currently it is best practice against most of kernel mode rootkits such as TDL3.

Regards.

[markusg]

now normans tdss cleaner can handle all new versions.
and also tdl2

[EP_X0FF]

Yes I can confirm. Updated Norman TDSS Cleaner was able to detect and remove TDL 3.273. First post updated.