Friday, August 27, 2010

TDL3 dropper (x86 compatible with x64 systems)

Special thanks to kernelmode.info (and @GiuseppeBonfa "evilcry") for the sample.

Related research and news articles

Download as a password protected archive (contact me if you need the password). The package includes:

  • custom_unpacked.zip
  • MBR_TDL_Files.rar: files dropped by the infection, its dropper, and an offline dump of the MBR.
  • tdl3_dropper.zip
  • Readme (please read)

TDL3 dropper compatible with x86 and x64 systems

File name: custom_exe
http://www.virustotal.com/file-scan/report.html?id=053c111b9e1be52256bb33e2622f71a2006ab06a6324fc80474dcb9e299e102e-1282910774
Submission date: 2010-08-27 12:06:14 (UTC)
Current status: finished
Result: 21/40 (52.5%)
AhnLab-V3 2010.08.27.00 2010.08.26 Dropper/Win32.TDSS
AntiVir 8.2.4.46 2010.08.27 TR/Alureon.DX
Avast 4.8.1351.0 2010.08.27 Win32:Malware-gen
Avast5 5.0.594.0 2010.08.27 Win32:Malware-gen
AVG 9.0.0.851 2010.08.27 Generic18.BZWR
BitDefender 7.2 2010.08.27 Trojan.Generic.4657531
DrWeb 5.0.2.03300 2010.08.27 BackDoor.Tdss.4005
Emsisoft 5.0.0.37 2010.08.27 Trojan.Win32.Tdss!IK
F-Secure 9.0.15370.0 2010.08.27 Trojan.Generic.4657531
GData 21 2010.08.27 Trojan.Generic.4657531
Ikarus T3.1.1.88.0 2010.08.27 Trojan.Win32.Tdss
Jiangmin 13.0.900 2010.08.27 TrojanDropper.Agent.auzt
Kaspersky 7.0.0.125 2010.08.27 Trojan-Dropper.Win32.TDSS.fsa
McAfee 5.400.0.1158 2010.08.27 DNSChanger!eo
Microsoft 1.6103 2010.08.27 Trojan:Win32/Alureon.DX
NOD32 5401 2010.08.27 Win32/Olmarik.ADA
nProtect 2010-08-27.01 2010.08.27 Trojan-Dropper/W32.Agent.126464.Q
PCTools 7.0.3.5 2010.08.27 Backdoor.Tidserv
Prevx 3.0 2010.08.27 Medium Risk Malware
Symantec 20101.1.1.7 2010.08.27 Backdoor.Tidserv.L
TheHacker 6.5.2.1.356 2010.08.26 Trojan/Dropper.Agent.cuxr
MD5   : 93c9658afb6519c2ca69edefbe4143a3

VirusTotal comment by user fwosar (reputation: 593 credits), posted 2010-08-26 08:35:44 (UTC):

TDL3 dropper that is able to infect x86 and x64 systems. On x64 it uses a custom boot loader stored in the MBR that loads the kernel mode code without requiring a valid digital signature. Happy reversing :).