TDSSkiller / TDL4

TDSSkiller now correctly detects and cures TDL4 (as of today).

I tested only like 10 minutes ago. The scan checks via the raw I/O.

Screenshot below, plus attached to this post is the log of the scan.

Be aware though, if you are infected with more than TDL3 / TDL4, like the thread for houston,

http://community.norton.com/t5/Other-Norton-Products/Ads-popping-up-randomly-and-cannot-open-task-manager/td-p/229633

this may mean that TDSSkiller may not work due to other malware blocking it. Other malware may have to be stopped first and maybe removed before using TDSSkiller.

Multiple infections have to be stopped, a lot of the time, in the correct order of steps.

Quads


The latest TDL (Tidserv) I have found:

http://www.virustotal.com/analisis/1531b39e217bbac673b621b0f6a5f020ebae48a216832cf3d038ff65d46d1883-1274240886

I have the list of servers (not posted here).

Quads

UPDATE:

After infecting the PC with the latest installer:

TDSSkiller did not detect the driver.

TDSS Remover did not detect the driver.

http://www.virustotal.com/analisis/474509fae08f6040fc69366d628ac7e23645e53e41d3882f2375d2773196daf4-1274276299

Intrusion Prevention

For some reason, (maybe something went wrong, but I had to swap "kernel32.dll" over to.

Quads

I did find a product that doesn't need to be installed; it scanned and detected the infected swapped drivers.

One problem: it deleted the drivers while still scanning, didn't wait and ask the user if the files were to be deleted. Just deleted.

Quads

Thanks Quads

Does not look like they are slowing down in producing these things. :smileysad:

It's the "Backdoor.TDSS.2459" variant that TDSSkiller and TDSS Remover can't detect.

Quads


There are Rogues, one being "Data Protection", that come with a TDL2 variant "PRAGMA":

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\PRAGMA]
"slrd"=dword:00000018
"slrm"=dword:00000005
[HKEY_LOCAL_MACHINE\SOFTWARE\PRAGMA\injector]
"explorer.exe"="pragmaserf"
"iexplore.exe"="pragmaserf;pragmabbr"
"firefox.exe"="pragmabbr"
"safari.exe"="pragmabbr"
"chrome.exe"="pragmabbr"
"opera.exe"="pragmabbr"

http://www.virustotal.com/analisis/d159f0059cfb2f1919cd4017e197a9167eca556fd2d32e02fea04ac7c1fd7bb2-1274670145

http://www.threatexpert.com/report.aspx?md5=0d41357d15d5cff6ac74a81fd314779d

With the ability to try and uninstall Security Software as part of the rogue.

Quads


Interesting, I was reading the Symantec "Backdoor.Tidserv" writeup.

Warning, it's a mix and match of different TDL2's and TDL3's, including this entry:

"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\H8SRTd.sys" which actually belongs to "Backdoor.Tidserv.J"

I can see how people reading the writeup are going to get confused, seeing the different variants in one writeup, when a lot of the variants have to be looked at separately due to differences, including differences in the removal procedures and programs used.

Sure, a PC may be infected with more than one TDL2 (more than one set of files and registry entries) or TDL2 + TDL3. But the removal of them has to be looked at differently.

TDL2's can have their files and registry entries removed / deleted (correctly); with TDL3's this is not the case.

TDL3's: the infected driver (disk controller) has to be swapped with a clean copy; with TDL2's this is not the case.

TDL3 infected drivers are detected as "Backdoor.Tidserv!inf".

Quads

Nice work, Quads

TDSSkiller has been updated again.

Quads

One version of TDSS (Tidserv) creates these entries and fools some removal programs into thinking a Windows file like "userinit.exe" or "kernel32.dll" is infected when the Windows file seems clean. Although it could have tried to infect a driver but failed due to some sort of flaw in the file I got. A bug inside a bug.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\[file name].exe
C:\WINDOWS\system32\ernel32.dll
C:\System Volume Information\_restore{3CE24A12-6763-49ED-BA82-A731CC696DD0}\RP1\A0000056.dll
C:\WINDOWS\system32\spool\prtprocs\w32x86\[random].dll (can be a few created in that folder)
C:\documents and settings\[username]\application data\[random].exe
Scheduler change: Tasks: d:\windows\tasks\mswd-[random].job
DNS Changer
O17 - HKLM\System\CCS\Services\Tcpip\..\{8F5D3DA0-7FC8-49DF-B703-88E747973326}: NameServer = 93.188.162.167,93.188.166.198
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 93.188.162.167,93.188.166.198
O17 - HKLM\System\CS1\Services\Tcpip\..\{8F5D3DA0-7FC8-49DF-B703-88E747973326}: NameServer = 93.188.162.167,93.188.166.198
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 93.188.162.167,93.188.166.198
O17 - HKLM\System\CS3\Services\Tcpip\..\{8F5D3DA0-7FC8-49DF-B703-88E747973326}: NameServer = 93.188.162.167,93.188.166.198
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.162.167,93.188.166.198

Quads
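As an added example (not from this thread or from any of the tools it mentions), the Python below shows how a defender could triage the two kinds of artifact posted above: it parses HijackThis-style O17 lines and reports any NameServer address outside a trusted set (the DNS changer entries), and it reads a .reg export to list which processes the PRAGMA injector key targets. The sample log lines and .reg text are constructed from the entries in the posts, and the trusted resolver 10.0.0.53 is a hypothetical corporate DNS server.

```python
import re
from typing import Dict, List, Set

# Constructed sample of HijackThis-style O17 lines like those posted above, plus one
# line whose resolver is on the trusted list (10.0.0.53 is a hypothetical corporate DNS).
SAMPLE_O17 = """\
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{8F5D3DA0-7FC8-49DF-B703-88E747973326}: NameServer = 93.188.162.167,93.188.166.198
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\Parameters: NameServer = 93.188.162.167,93.188.166.198
O17 - HKLM\\System\\CS1\\Services\\Tcpip\\Parameters: NameServer = 10.0.0.53
"""

# Constructed .reg export containing the PRAGMA injector key shown in the earlier post.
SAMPLE_REG = """\
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\\SOFTWARE\\PRAGMA\\injector]
"explorer.exe"="pragmaserf"
"iexplore.exe"="pragmaserf;pragmabbr"
"firefox.exe"="pragmabbr"
"""

O17_RE = re.compile(r"^O17 - (?P<key>[^:]+): NameServer = (?P<servers>[\d.,]+)")
REG_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>[^"]*)"$')

def rogue_nameservers(log: str, trusted: Set[str]) -> Dict[str, List[str]]:
    """Map each Tcpip registry key in the O17 lines to its untrusted NameServer IPs."""
    findings: Dict[str, List[str]] = {}
    for line in log.splitlines():
        m = O17_RE.match(line.strip())
        if not m:
            continue  # not an O17 DNS entry
        bad = [ip for ip in m.group("servers").split(",") if ip not in trusted]
        if bad:
            findings[m.group("key")] = bad
    return findings

def injector_targets(reg_text: str) -> Dict[str, List[str]]:
    """From a .reg export, return {process: [injected module names]} under the PRAGMA injector key."""
    targets: Dict[str, List[str]] = {}
    in_injector = False
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("["):  # key header: note whether we are now inside the injector key
            in_injector = line.upper().endswith("\\PRAGMA\\INJECTOR]")
            continue
        m = REG_VALUE_RE.match(line) if in_injector else None
        if m:
            targets[m.group("name").lower()] = m.group("data").split(";")
    return targets
```

Run against a real HijackThis log and a .reg export of HKLM\SOFTWARE\PRAGMA, the two functions give a quick list of which Tcpip interfaces point at rogue resolvers and which browsers the rogue hooks.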

 

Good to know they make mistakes as well... :smileysurprised:

Mo


I'm not sure if it's a bug or someone trying to change things but has left something out of the installer (programming), but this one is too easy for those who can deal to TDL 2, 3, 4 successfully.

I got another installer from a Malware researcher. I ran the installer and it's the same, with "TDL with a twist".

It's a matter of whether this is like a beta or first build of this change and so will only get better over time.

Quads


Ok I will sound like a dunce but you meant there was a mistake in the TDL removal software or a mistake/programming error in the TDL itself...sorry if I am a bit slow...:smileywink:

A mistake in the TDL, TDSS, Tidserv malware itself.

Quads

Thanks for making it clearer. Do you think they know it's there and will correct it?

I'm starting to think these things are like unraveling DNA code... :smileyvery-happy:


TracyLCraw wrote:

I'm starting to think these things are like unraveling DNA code...  :smileyvery-happy:


Somewhat similar:smileyhappy:

Articles on TDL (1, 2, 3 & unofficial 4); there are other names it's known as.

Has hit number 1:

http://www.infoworld.com/t/malware/four-year-old-rootkit-tops-the-charts-pc-threats-791

Pesky rootkit looks like it's getting refined for attacks

Remember Alureon, the pesky rootkit, which hit the Windows enterprise scene in 2006 and absolutely bum rushed some Windows systems earlier this year?

Microsoft does and will for quite some time. The rootkit, which also goes by some of its technical aliases -- TDSS, Zlob and DNSChanger -- has to date infected nearly 2 million Windows systems.

Alureon is the guest of honor rootkit in Microsoft's recently released May Threat Report. Alureon accounted for 18 percent of all malware-infected Windows PCs in May.

This is Alureon's encore performance as the rootkit du jour in the April Threat Report.

Alureon is considered the culprit for the "screen of death," and system crash issues widely reported when users installed Microsoft Security Bulletin MS10-015.

Microsoft Malware Prevention Center staffers Vishal Kapoor and Joe Johnson said there were "several changes to the design of the rootkit to avoid detection and cleaning, revealing that the rootkit is still under active development and distribution."

This means that Alureon is going to be around for a while yet.

By Jabulani Leffall

At least it can't beat Quads for PC's that turn up at my door :smileyvery-happy: :smileyvery-happy:

Bring on the next change.

Quads

Nice article that you linked to, thanks!

Quads, do you play detective with this stuff?