Bot Obliterator
Quads
Posts: 16,541
Registered: ‎07-21-2008

Re: TDSSkiller / TDL4


One version of TDSS (Tidserv) creates these entries and fools some removal programs into thinking a Windows file like "userinit.exe" or "kernel32.dll" is infected when the Windows file seems clean. Although it could have tried to infect a driver but failed due to some sort of flaw in the file I got. A bug inside a bug.


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\[file name].exe
C:\WINDOWS\system32\ernel32.dll
C:\System Volume Information\_restore{3CE24A12-6763-49ED-BA82-A731CC696DD0}\RP1\A0000056.dll
C:\WINDOWS\system32\spool\prtprocs\w32x86\[random].dll  (can be a few created in that folder)
C:\documents and settings\[username]\application data\[random].exe
Scheduler change: Tasks: d:\windows\tasks\mswd-[random].job
DNS Changer
O17 - HKLM\System\CCS\Services\Tcpip\..\{8F5D3DA0-7FC8-49DF-B703-88E747973326}: NameServer = 93.188.162.167,93.188.166.198
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 93.188.162.167,93.188.166.198
O17 - HKLM\System\CS1\Services\Tcpip\..\{8F5D3DA0-7FC8-49DF-B703-88E747973326}: NameServer = 93.188.162.167,93.188.166.198
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 93.188.162.167,93.188.166.198
O17 - HKLM\System\CS3\Services\Tcpip\..\{8F5D3DA0-7FC8-49DF-B703-88E747973326}: NameServer = 93.188.162.167,93.188.166.198
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.162.167,93.188.166.198
Quads
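The DNS changer entries above are the kind of thing a defender wants to spot in a HijackThis-style log before the browser ever resolves a name. The following is an added example (not code from the post or from any Norton/Kaspersky tool) that parses O17 lines, pulls out the NameServer values for each control set, and flags any resolver that is not in an allowlist; the sample log lines are constructed from the entries quoted above, and EXPECTED_RESOLVERS is an assumed placeholder allowlist.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample: O17 lines as quoted in the post, plus one benign
# entry pointing at a home router, so both outcomes are exercised.
SAMPLE_LOG = r"""
O17 - HKLM\System\CCS\Services\Tcpip\..\{8F5D3DA0-7FC8-49DF-B703-88E747973326}: NameServer = 93.188.162.167,93.188.166.198
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 93.188.162.167,93.188.166.198
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 192.168.1.1
"""

# Matches "O17 - <registry key>: NameServer = <ip>[,<ip>...]"
O17_RE = re.compile(r"^O17 - (?P<key>HKLM\\\S+?): NameServer = (?P<servers>[\d.,]+)$")

# Assumed allowlist (placeholder): the resolvers this machine is expected to use.
EXPECTED_RESOLVERS = [ip_network("192.168.1.0/24"), ip_network("8.8.8.8/32")]


def parse_o17(log_text):
    """Return a list of (registry key, [NameServer strings]) for each O17 line."""
    entries = []
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if not m:
            continue
        servers = [s for s in m.group("servers").split(",") if s]
        entries.append((m.group("key"), servers))
    return entries


def flag_dns_changes(log_text, expected=EXPECTED_RESOLVERS):
    """Return the O17 entries whose NameServer values fall outside the allowlist.

    A malformed value is reported too: a DNS changer that writes garbage is
    still a change an analyst should look at.
    """
    suspicious = []
    for key, servers in parse_o17(log_text):
        bad = []
        for s in servers:
            try:
                addr = ip_address(s)
            except ValueError:
                bad.append(s)
                continue
            if not any(addr in net for net in expected):
                bad.append(s)
        if bad:
            suspicious.append((key, bad))
    return suspicious
```

Every control set (CCS, CS1, CS3) is reported separately on purpose: cleaning only CurrentControlSet leaves the hijacked resolvers ready to come back on the next boot into a different control set.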


Super Spam Squasher
mo
Posts: 1,707
Registered: ‎08-18-2008

Re: TDSSkiller / TDL4

Good to know they make mistakes as well...:smileysurprised:

Cheers Mo
XP home,SP3
NIS2012
Bot Obliterator
Quads
Posts: 16,541
Registered: ‎07-21-2008

Re: TDSSkiller / TDL4

Mo


I'm not sure if it's a bug or someone trying to change things but leaving something out of the installer (programming), but this one is too easy for those who can deal to TDL 2, 3, 4 successfully.


I got another installer from a malware researcher; I ran the installer and it's the same, with "TDL with a twist".


It's a matter of whether this is like a beta or first build of this change and so will only get better over time.


Quads


Super Spam Squasher
mo
Posts: 1,707
Registered: ‎08-18-2008

Re: TDSSkiller / TDL4

Ok, I will sound like a dunce, but did you mean there was a mistake in the TDL removal software or a mistake/programming error in the TDL itself... sorry if I am a bit slow... :smileywink:

Cheers Mo
XP home,SP3
NIS2012
Bot Obliterator
Quads
Posts: 16,541
Registered: ‎07-21-2008

Re: TDSSkiller / TDL4

A mistake in the TDL, TDSS, Tidserv malware itself.


Quads

Super Spam Squasher
mo
Posts: 1,707
Registered: ‎08-18-2008

Re: TDSSkiller / TDL4

Thanks for making it clearer. Do you think they know it's there and will correct it?

Cheers Mo
XP home,SP3
NIS2012
Contributor
TracyLCraw
Posts: 31
Registered: ‎06-01-2010

Re: TDSSkiller / TDL4

I'm starting to think these things are like unraveling DNA code...  :smileyvery-happy:

Norton Fighter
mdturner
Posts: 5,308
Registered: ‎04-11-2008

Re: TDSSkiller / TDL4


TracyLCraw wrote:

I'm starting to think these things are like unraveling DNA code...  :smileyvery-happy:


Somewhat similar :smileyhappy:

We look forward to the time when the Power of Love will replace the Love of Power. Then will our world know the blessings of peace. ~William Ewart Gladstone

Bot Obliterator
Quads
Posts: 16,541
Registered: ‎07-21-2008

Re: TDSSkiller / TDL4


Articles on TDL (1, 2, 3 & unofficial 4); there are other names it's known as.


Has hit number 1


http://www.infoworld.com/t/malware/four-year-old-rootkit-tops-the-charts-pc-threats-791 


Pesky rootkit looks like it's getting refined for attacks


Remember Alureon, the pesky rootkit, which hit the Windows enterprise scene in 2006 and absolutely bum rushed some Windows systems earlier this year?

Microsoft does and will for quite some time. The rootkit, which also goes by some of its technical aliases -- TDSS, Zlob and DNSChanger -- has to date infected nearly 2 million Windows systems.

Alureon is the guest of honor rootkit in Microsoft's recently released May Threat Report. Alureon accounted for 18 percent of all malware-infected Windows PCs in May.

This is Alureon's encore performance as the rootkit du jour in the April Threat Report.

Alureon is considered the culprit for the "screen of death," and system crash issues widely reported when users installed Microsoft Security Bulletin MS10-015.

Microsoft Malware Prevention Center staffers Vishal Kapoor and Joe Johnson said there were "several changes to the design of the rootkit to avoid detection and cleaning, revealing that the rootkit is still under active development and distribution."

This means that Alureon is going to be around for a while yet.


By Jabulani Leffall


At least it can't beat Quads for PCs that turn up at my door :smileyvery-happy: :smileyvery-happy:

Bring on the next change 


Quads

Contributor
TracyLCraw
Posts: 31
Registered: ‎06-01-2010

Re: TDSSkiller / TDL4

Nice article that you linked to thanks!


Quads, do you play detective with this stuff?