Rootkit TDL 3

bootsect
Posted: 14 February 2010 at 1:11pm
Why are you so scared by this rootkit? It may already be installed on your PC.

PROROOTECT
Posted: 14 February 2010 at 12:46pm
Dear Sir, surely you're joking ... 'Not click on anything. Just shut down ...'?
The Truth is out there.
P.
I remember:GMER 1.0.15.15281|XueTr 0.32|Kernel Detective 1.3.1|RootRepeal 1.3.5|..Sarah ah! He remembers me:AntiVir|I'm a stranger HERE ..

nullptr
Posted: 14 February 2010 at 12:03pm
Yes, it can still enter through your power supply, so best turn the PC off and leave it off.

PROROOTECT
Posted: 14 February 2010 at 11:51am
Derisive (?) question: If I have all ports closed, is it at all possible for TDL to enter my tower?
Or not?..
P.

Meriadoc
Posted: 14 February 2010 at 11:16am
update

[main]
quote=f**k damnation, man! f**k redemption! We are God's unwanted children!
version=3.25
installdate=14.2.2010 11:14:36
builddate=14.2.2010 0:45:2
[injector]
*=tdlcmd.dll
[tdlcmd]
servers=https://a57990057.cn/;https://94.228.209.145/;https://94.228.209.146/
wspservers=http://c36996639.cn/;http://c58446658.cn/
popupservers=http://m2121212.cn/
version=3.642
delay=7200
clkservers=http://mfdclk001.org/
[tasks]
tdlcmd.dll=http://www.virustotal.com/analisis/9b615a8c51bf5288b2ed9620e13ddeb9a5755e8357bb069a0240a3af437c47d8-1266150225

dropper http://www.virustotal.com/analisis/921a67b240ac92a2a82d930195e0200e75f2d9b58847680c6ea643e4ed5d2463-1266144890
Duke Nukem 3D also in strings :)
tdlcmd.dll http://www.virustotal.com/analisis/8ba21480c64ba61b37eaa4f08bf02b5abba8ca35c6979d33620b91553b3fdbec-1266146279
tdss killer not removing

Edited by Meriadoc - 14 February 2010 at 1:44pm
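An added example, not part of Meriadoc's post or of any tool named in the thread: a small Python parser for the INI-style TDL3 config quoted above that pulls the server lists out as network indicators a defender can feed to a DNS or proxy blocklist. The config text is the one from the post; the parsing rules (bracketed section headers, key=value lines, ';'-separated URL lists under the four server keys) and the empty [tasks] value are this example's own assumptions, since the post runs that line together with the VirusTotal links.

```python
"""Extract network indicators from a TDL3-style INI config (added example)."""
import ipaddress
from urllib.parse import urlsplit

# Config text as quoted in the forum post, line breaks restored.
# The [tasks] value is left empty here (assumption; the post runs it
# together with unrelated VirusTotal links).
TDL3_CONFIG = """\
[main]
quote=f**k damnation, man! f**k redemption! We are God's unwanted children!
version=3.25
installdate=14.2.2010 11:14:36
builddate=14.2.2010 0:45:2
[injector]
*=tdlcmd.dll
[tdlcmd]
servers=https://a57990057.cn/;https://94.228.209.145/;https://94.228.209.146/
wspservers=http://c36996639.cn/;http://c58446658.cn/
popupservers=http://m2121212.cn/
version=3.642
delay=7200
clkservers=http://mfdclk001.org/
[tasks]
tdlcmd.dll=
"""

# Keys whose values are ';'-separated URL lists (assumed from the post).
SERVER_KEYS = ("servers", "wspservers", "popupservers", "clkservers")


def parse_config(text):
    """Parse [section] / key=value text into {section: {key: value}}.

    A hand-rolled parser is used instead of configparser so that odd keys
    such as '*' and empty values survive and no '%' interpolation is applied.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue  # stray text outside a section is ignored
        key, _, value = line.partition("=")  # split at the first '=' only
        sections[current][key.strip()] = value.strip()
    return sections


def extract_indicators(sections):
    """Collect hostnames from every server list, split into domains and IPs."""
    domains, ips = set(), set()
    for section in sections.values():
        for key in SERVER_KEYS:
            for url in section.get(key, "").split(";"):
                host = urlsplit(url).hostname
                if not host:
                    continue
                try:
                    ipaddress.ip_address(host)
                    ips.add(host)
                except ValueError:
                    domains.add(host)
    return {"domains": sorted(domains), "ips": sorted(ips)}


def summarize(text):
    """Return the versions, install date and indicators found in a config."""
    sections = parse_config(text)
    main = sections.get("main", {})
    return {
        "config_version": main.get("version"),
        "tdlcmd_version": sections.get("tdlcmd", {}).get("version"),
        "installdate": main.get("installdate"),
        "indicators": extract_indicators(sections),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(summarize(TDL3_CONFIG), indent=2))
```

Running the block prints the two version strings, the install date and the five domains plus two IP addresses from the post; the same function can be pointed at any config dumped in this format.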

Meriadoc
Posted: 14 February 2010 at 10:55am
some updates on my list today

PROROOTECT
Posted: 14 February 2010 at 10:54am
Symantec article here: http://www.symantec.com/connect/blogs/tidserv-and-ms10-015
'In conclusion, ... a threat may be, it may be given away by ...'.
... and believe.
EDIT: look on YouTube here: http://www.youtube.com/watch?v=QK4rF2EGa5E
... and believe.
P.

Edited by PROROOTECT - 14 February 2010 at 3:13pm

bootsect
Posted: 14 February 2010 at 3:34am
z00clicker TDL3 variant.
http://www.virustotal.com/analisis/323b014cdccdfd99287a549be55ac81588c3b82718a68e8736b26d39605cc512-1266117872
z00clicker.dll (internals haven't changed since the last analysis) http://www.virustotal.com/analisis/b65372f5912e01f63bbcf727bee6662115a4edfa93d1682deee1f18acdfb3bc9-1266118308
driver-loader http://www.virustotal.com/analisis/323b014cdccdfd99287a549be55ac81588c3b82718a68e8736b26d39605cc512-1266118381

bootsect
Posted: 14 February 2010 at 2:04am
12_Monkeys is right. Read the Symantec blog. The TDL3 infection uses some hardcoded values; after the new update they've changed, so TDL3 now simply makes the system unbootable.
TDL3 from a keygens site (3 days old, they don't want to update) http://www.virustotal.com/analisis/de27102c6fa17025a618a800fd8044479c47d8811d5d54e778ad98e67cc69631-1266115805

Edited by bootsect - 14 February 2010 at 2:53am

12 Monkeys
Posted: 13 February 2010 at 4:55pm
You don't say! I think people want to use their PCs again after this update, or?
It was clear that you can't understand the connection. @Mr. Advanced Rootkit Expert: it is always better to post something and then think about it. Go on, you are on the right way.