Special thanks to kernelmode.info (and @GiuseppeBonfa "evilcry") for the sample.
Related research and news articles
- TDL3: The Rootkit of All Evil? (Account of an Investigation into a Cybercrime Group) by Aleksandr Matrosov, senior virus researcher, and Eugene Rodionov, rootkit analyst
- Rootkit TDL 3 (alias TDSS, Alureon) from http://www.kernelmode.info/forum
- TDL3 rootkit x64 goes in the wild by Marco Giuliani
- Brief dynamic analysis of most recent TDL3 dropper (screenshot) by Chae Jong Bin (@2gg)
- Tidserv 64-bit Goes Into Hiding - Symantec
- How to remove malware belonging to the family Rootkit.Win32.TDSS (aka Tidserv, TDSServ, Alureon)? - new
- send more, I will add
Download as a password-protected archive (contact me if you need the password). The package includes:
- custom_unpacked.zip
- MBR_TDL_Files.rar: files dropped by the infection, its dropper, and an offline dump of the MBR.
- tdl3_dropper.zip
- Readme (please read)
TDL3 dropper compatible with x86 and x64 systems
File name: custom_exe
http://www.virustotal.com/file-scan/report.html?id=053c111b9e1be52256bb33e2622f71a2006ab06a6324fc80474dcb9e299e102e-1282910774
Submission date: 2010-08-27 12:06:14 (UTC)
Current status: finished
Result: 21/40 (52.5%)
Engine Version Last update Result
AhnLab-V3 2010.08.27.00 2010.08.26 Dropper/Win32.TDSS
AntiVir 8.2.4.46 2010.08.27 TR/Alureon.DX
Avast 4.8.1351.0 2010.08.27 Win32:Malware-gen
Avast5 5.0.594.0 2010.08.27 Win32:Malware-gen
AVG 9.0.0.851 2010.08.27 Generic18.BZWR
BitDefender 7.2 2010.08.27 Trojan.Generic.4657531
DrWeb 5.0.2.03300 2010.08.27 BackDoor.Tdss.4005
Emsisoft 5.0.0.37 2010.08.27 Trojan.Win32.Tdss!IK
F-Secure 9.0.15370.0 2010.08.27 Trojan.Generic.4657531
GData 21 2010.08.27 Trojan.Generic.4657531
Ikarus T3.1.1.88.0 2010.08.27 Trojan.Win32.Tdss
Jiangmin 13.0.900 2010.08.27 TrojanDropper.Agent.auzt
Kaspersky 7.0.0.125 2010.08.27 Trojan-Dropper.Win32.TDSS.fsa
McAfee 5.400.0.1158 2010.08.27 DNSChanger!eo
Microsoft 1.6103 2010.08.27 Trojan:Win32/Alureon.DX
NOD32 5401 2010.08.27 Win32/Olmarik.ADA
nProtect 2010-08-27.01 2010.08.27 Trojan-Dropper/W32.Agent.126464.Q
PCTools 7.0.3.5 2010.08.27 Backdoor.Tidserv
Prevx 3.0 2010.08.27 Medium Risk Malware
Symantec 20101.1.1.7 2010.08.27 Backdoor.Tidserv.L
TheHacker 6.5.2.1.356 2010.08.26 Trojan/Dropper.Agent.cuxr
Additional information:
MD5 : 93c9658afb6519c2ca69edefbe4143a3
Virustotal Comments:
TDL3 dropper that is able to infect x86 and x64 systems. On x64 it uses a custom boot loader stored in the MBR that loads the kernel mode code without requiring a valid digital signature. Happy reversing :).
Comments:
Hello
I would like the password please :D I need it to test an antivirus application. 10x. Please email me.
Great!