TDSSkiller / TDL4

I do find articles 

 

But I also find Malware to run and install on my Computer in the real world (Not VM), whether it's Rootkits like TDL3 / TDL4, worms, Rogues, Trojans...

If the infection is downloading more Malware from somewhere I let it download everything that it wants. Once completed I then set about breaking the Malware piece by piece to allow other programs to run and remove all the files and registry entries etc.

 

Like this thread for a user.

 

http://community.norton.com/t5/Norton-Internet-Security-Norton/conime-virus/m-p/207475#M103235

 

Quads

TDL installers are still appearing that Norton does not detect once downloaded or just sitting on the Desktop.

 

They do have some sort of sense of humour; this one is by Chuck Norris with the Firefox icon, pic below.


Quads

I wonder, does Chuck Norris know he is now a Virus/TDL? :smileytongue: It could date the creator, as Chucky boy was big in videos in the 80s-90s.

New TDL installer scanned

 

http://www.virustotal.com/analisis/4af125d675c7d66f77e1ecc4b19092ad1536b3a97ada7e79710fa66666fcc3b3-1277091118

 

It also downloads other files

 

http://www.virustotal.com/analisis/3fb245ab1427cb59a359fb2e910a3a8e7e4535114cf61469001d740305e97200-1277091502

 

Quads

Another installer

 

http://www.virustotal.com/analisis/900f4cb6b4d81a01ac6b3b385166a73e330254bdea35a524c64fa6379856bebb-1277123868

 

Quads

Hahaha

 

On testing I infected with TDL3/4 and ran Norton Power Eraser. It detected the driver, but it also detected legit files, so I don't know the actual reason for the detection or if it just happened to be a fluke in between the False Positives.

 

NPE restarted the PC and proceeded to delete, or try and delete, the driver and the ControlSet registry entry for it, like Norton previously trying to or succeeding in deleting a driver like "atapi.sys".

 

 


<Remediate DateAndTime="Saturday, 26 June 2010 Time: 09:52">
  <Infections_Selected_For_Remediation>
    <DRIVERS Count="1">
      <Driver ID="1">
        <File_Information>
          <Path>D:\WINDOWS\system32\DRIVERS\intelppm.sys</Path>
          <FileVersion><></FileVersion>
          <ProductVersion><></ProductVersion>
          <ProductName><></ProductName>
          <Company><></Company>
          <Copyrights><></Copyrights>
          <MD5>27FDB47F3F2EFE36F72C0971A03406C0</MD5>
          <SHA256>D2C269B6686A9B8769BB5546FC711FDE33FBA4009B96863D241CD6B9D64506CB</SHA256>
          <FileSize>36352 bytes</FileSize>
        </File_Information>
        <SideEffects Count="2">
          <File>D:\WINDOWS\system32\DRIVERS\intelppm.sys</File>
          <RegistryKey>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\intelppm</RegistryKey>
        </SideEffects>
      </Driver>
    </DRIVERS>
    <SERVICES Count="0" />
    <PROCESSES Count="0" />
    <LAYERED_SERVICE_PROVIDERS Count="0" />
    <DESKTOP_SHORTCUTS Count="0" />
    <AUTORUN_FILES Count="0" />
    <STARTUP_ITEMS Count="0" />
    <BROWSER_HELPER_OBJECTS Count="0" />
    <BROWSER_TOOLBARS Count="0" />
    <BROWSER_PLUGINS Count="0" />
    <SHELL_EXTENSIONS Count="0" />
    <EXPLORER_PLUGINS Count="0" />
    <DIRECTORIES Count="0" />
    <FILES Count="0" />
    <SYSTEM_SETTINGS Count="0" />
  </Infections_Selected_For_Remediation>
</Remediate>
<RemediationStatusPostReboot DateAndTime="Saturday, 26 June 2010 Time: 09:54">
  <Infections_Remediated>
    <DRIVERS Count="1">
      <Driver ID="1">
        <File_Information>
          <Path>D:\WINDOWS\system32\DRIVERS\intelppm.sys</Path>
          <FileVersion><></FileVersion>
          <ProductVersion><></ProductVersion>
          <ProductName><></ProductName>
          <Company><></Company>
          <Copyrights><></Copyrights>
          <MD5>27FDB47F3F2EFE36F72C0971A03406C0</MD5>
          <SHA256>D2C269B6686A9B8769BB5546FC711FDE33FBA4009B96863D241CD6B9D64506CB</SHA256>
          <FileSize><></FileSize>
        </File_Information>
        <SideEffects Count="2" Status="Remediate_Failed">
          <File>D:\WINDOWS\system32\DRIVERS\intelppm.sys</File>
          <RegistryKey>\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Services\intelppm</RegistryKey>
        </SideEffects>

 


 

 

On checking I found that the driver had actually gone, so I placed it all back.

 

intelppm.sys = Intel Processor Driver

 

BSOD territory, as we know from people on the forum previously, and why Norton won't remove the driver for ".........Tidserv!inf", or shouldn't, unless a definition has been added causing the removal problem again.

 

If malware that infects/patches legit system files etc. is suspected (Tidserv is just one group, zeloaces is one other off the top of my head), it is not advised to use Norton Power Eraser to remove these types of infections, as bigger problems can occur with removing drivers Windows needs.

 

Quads
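As an added example (not from this thread, and not Norton's or Symantec's own code), here is a Python script that parses a remediation log in the shape of the NPE log quoted above and holds back any driver slated for deletion from the Windows driver directory until someone has cross-checked its SHA256 against an inventory hashed from a known-clean machine. The paths and hashes are the ones in the quoted log; the enclosing NPE_Log root element, the empty-element form of the blank fields, and the reference inventory are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of the NPE remediation log quoted in the post above.
# Assumed: an NPE_Log root element and empty elements for the blank fields.
NPE_LOG = r"""<NPE_Log>
 <Remediate DateAndTime="Saturday, 26 June 2010 Time: 09:52">
  <Infections_Selected_For_Remediation>
   <DRIVERS Count="1">
    <Driver ID="1">
     <File_Information>
      <Path>D:\WINDOWS\system32\DRIVERS\intelppm.sys</Path>
      <FileVersion/>
      <MD5>27FDB47F3F2EFE36F72C0971A03406C0</MD5>
      <SHA256>D2C269B6686A9B8769BB5546FC711FDE33FBA400 9B96863D241CD6B9D64506CB</SHA256>
      <FileSize>36352 bytes</FileSize>
     </File_Information>
     <SideEffects Count="2">
      <File>D:\WINDOWS\system32\DRIVERS\intelppm.sys</File>
      <RegistryKey>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\intelppm</RegistryKey>
     </SideEffects>
    </Driver>
   </DRIVERS>
  </Infections_Selected_For_Remediation>
 </Remediate>
 <RemediationStatusPostReboot DateAndTime="Saturday, 26 June 2010 Time: 09:54">
  <Infections_Remediated>
   <DRIVERS Count="1">
    <Driver ID="1">
     <File_Information>
      <Path>D:\WINDOWS\system32\DRIVERS\intelppm.sys</Path>
      <MD5>27FDB47F3F2EFE36F72C0971A03406C0</MD5>
      <SHA256>D2C269B6686A9B8769BB5546FC711FDE33FBA4009B96863D241CD6B9D64506CB</SHA256>
     </File_Information>
     <SideEffects Count="2" Status="Remediate_Failed">
      <File>D:\WINDOWS\system32\DRIVERS\intelppm.sys</File>
      <RegistryKey>\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Services\intelppm</RegistryKey>
     </SideEffects>
    </Driver>
   </DRIVERS>
  </Infections_Remediated>
 </RemediationStatusPostReboot>
</NPE_Log>"""

# Constructed reference inventory. The hash is copied from the log so the sample matches;
# a real inventory is hashed from a clean installation, never from the suspect machine.
REFERENCE_SHA256 = {
    "intelppm.sys": {"d2c269b6686a9b8769bb5546fc711fde33fba4009b96863d241cd6b9d64506cb"},
}

PHASES = {"Remediate": "selected", "RemediationStatusPostReboot": "post_reboot"}


def _text(elem, tag):
    """Text of a child element, or '' when the child is absent or empty."""
    child = elem.find(tag) if elem is not None else None
    return (child.text or "").strip() if child is not None else ""


def parse_remediation_log(xml_text):
    """Return one record per <Driver>, tagged with the phase of the log it appears in."""
    records = []
    for phase_elem in ET.fromstring(xml_text):
        phase = PHASES.get(phase_elem.tag, phase_elem.tag)
        for driver in phase_elem.iter("Driver"):
            info = driver.find("File_Information")
            effects = driver.find("SideEffects")
            records.append({
                "phase": phase,
                "when": phase_elem.get("DateAndTime", ""),
                "path": _text(info, "Path"),
                "md5": _text(info, "MD5").lower(),
                # Tolerate the line-wrapped hash seen in the pasted log.
                "sha256": _text(info, "SHA256").replace(" ", "").lower(),
                "files": [(f.text or "").strip() for f in effects.findall("File")] if effects is not None else [],
                "registry_keys": [(k.text or "").strip() for k in effects.findall("RegistryKey")] if effects is not None else [],
                "status": effects.get("Status", "") if effects is not None else "",
            })
    return records


def review_selected_drivers(records, reference_sha256):
    """Flag drivers the tool plans to delete from the Windows driver directory and
    report whether their hash matches the clean reference inventory."""
    findings = []
    for rec in records:
        if rec["phase"] != "selected":
            continue
        name = rec["path"].rsplit("\\", 1)[-1].lower()
        in_driver_dir = "\\system32\\drivers\\" in rec["path"].lower()
        deletes_file = any(f.lower() == rec["path"].lower() for f in rec["files"])
        findings.append({
            "path": rec["path"],
            "hold_for_review": in_driver_dir and deletes_file,
            "matches_reference": rec["sha256"] in reference_sha256.get(name, set()),
        })
    return findings


def failed_remediations(records):
    """Paths the post-reboot section reports as Remediate_Failed."""
    return [r["path"] for r in records if r["phase"] == "post_reboot" and r["status"] == "Remediate_Failed"]


if __name__ == "__main__":
    recs = parse_remediation_log(NPE_LOG)
    for finding in review_selected_drivers(recs, REFERENCE_SHA256):
        print(finding)
    print("failed:", failed_remediations(recs))
```

A driver whose hash matches the clean inventory and which is still flagged for deletion is exactly the false-positive case the post describes; the hash check is what separates it from a genuinely patched driver, which would not match anything in the inventory.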

 

 

Symantec has tested NPE on TDL3 and NPE did detect the infected driver (I don't know which driver in this case). NPE removed it and made the system (PC) unusable.

 

Quads

TDL3 (+) and the Symantec free download "TDSS Fixtool"

 

It does "REPAIR" older TDL3 variants and doesn't delete the file in question. If it's a newer variant, at least the tool stops and does not attempt to delete the file instead, even if it notifies that basically it can't repair the file.


Better than causing a non-bootable Windows.

 

Quads

Boot.Tidserv, Tidserv.L  Bootkit

 

version 0.01: without x64 code (one dropper, it seems)
version 0.02: fully workable (just a few droppers), buggy, can cause non-booting XP
version 0.03: with changed infector (driver too), also few samples, buggy, can cause non-booting XP

 

Quads

Does the TDSS tool detect the latest TDSS?

What is the screenshot above of, and what does it mean?

 

And this page http://community.norton.com/t5/Norton-Internet-Security-Norton/Auto-Protect-Description-Help/m-p/297418/highlight/true#M128195

 

Quads

Looks like the Boot.Tidserv (TDL4) Bootkit will cause patched/cracked versions of Windows 7 to become non-bootable :smileyvery-happy: :smileyvery-happy:

 

Quads

TDL4 is now being seen using, or trying to use, the Task Scheduler Privilege Escalation vulnerability, as seen with W32.Stuxnet.

 

Quads  

TDL4 has a version change, from 0.15 to 0.169

 

Can still cause this major problem

 

 


 

On running the installer, the computer shuts down or restarts. The computer will not POST or enter BIOS setup; it will only show the BIOS logo and then a blinking cursor in the top left, no matter which boot device is selected.

 


 

 

Quads

Is Norton able to detect?

 

 

"Or" has the version change made it harder to detect!

There are still FakeAV (Rogues) appearing with the TDL2, like the PRAGMA, _VOID, H8SRT group.

 

Looks like more in the Rogues like HDD Rescue, Windows Recovery and the defragmenters.

 

Quads

Looks like Microsoft is trying to combat TDL4.03 on x64 systems.

 

http://www.microsoft.com/technet/security/advisory/2506014.mspx

 

Quads

Looks like there is a new TDL4 that gets around the Microsoft patch and stops TDSSkiller from completing the scan. Other tools may not detect the newbie or cannot cure it.

 

Quads

http://www.virustotal.com/file-scan/report.html?id=b75fd580c29736abd11327eef949e449f6d466a05fb6fd343d3957684c8036e5-1304290662

 

Quads

Infected the PC with a new sample of Tidserv / TDSS /TDL4

 

 

I downloaded the FixTDSS tool for the most up to date version from the site http://www.symantec.com/security_response/writeup.jsp?docid=2010-090608-3309-99. It did run the scan, but "No Infection Found" was the result.
TDSSkiller from that download site got stuck at 80% on startup.
New TDL4 TDSSkiller stuck.jpg
The updated TDSSkiller (not from the download page, which is not updated with the new version yet) was able to run, detect and cure the new samples.


TDSSkiller 2.5.0.0.jpg

 

 

 

One sample, though, places a randomly named file with a registry key so that when the MBR gets cured on the restart (or after using a CD/DVD to fix it), on startup the MBR gets reinfected again, and again and again. The registry key and/or random file has to be dealt with first, before dealing with the MBR; otherwise you would be going around in circles somewhat.

 

Quads