Author Topic: ATTENTION! essexboy new TDL4 botnet on client machine need help!  (Read 13933 times)


true indian

ATTENTION! essexboy new TDL4 botnet on client machine need help!
« on: February 12, 2012, 06:02:03 PM »
Hi,

I have a new TDL4 bot on my client's machine which doesn't allow me to run any tool. It cancels the launch of any anti-malware/anti-rootkit. I see a CMD window that pops up for a second or so and cancels every anti-malware tool launch.

Please may I have your advice, essex.

Offline !Donovan

Re: ATTENTION! essexboy new TDL4 botnet on client machine need help!
« Reply #1 on: February 12, 2012, 06:10:34 PM »
Do you know the location of the file that launches?


Wouldn't this need a registry edit that runs this 'bot' when a file is executed?


If it is a mere .bat file, then change the association to another program for the time being, so that when the .bat is run you see the code in Notepad along with the file path instead of it being executed.
You do know how to do that, right?

Offline essexboy

Re: ATTENTION! essexboy new TDL4 botnet on client machine need help!
« Reply #2 on: February 12, 2012, 06:13:37 PM »
What is the OS? And do you have some flash drives handy?

true indian

Re: ATTENTION! essexboy new TDL4 botnet on client machine need help!
« Reply #3 on: February 13, 2012, 06:13:17 AM »
Hi essex as an update to the topic...

This bot cancels the launch of every program. Yes, I have USB sticks, but they are of no use, as the bot wouldn't allow me to operate the USB.

Yes, I have tried many Linux-based CDs to get rid of it.

This one came to my workshop yesterday morning and I have been struggling to pick the right tool to kill it. It just cancels the launch of explorer.exe, and I am operating it in the OTLPEnet environment. The bot has exploited the OTL Linux-based environment and cancels the launch of any programs. However, I can load Windows in OTLPEnet.

The OS is Vista.

I feel this is military-level malware.

Right now I am trying to load my KILLDISK application.

EDIT: KILLDISK loaded! Holy cra*p. Essexboy, I have some bad news: this is that stupid bot that creates a fake floppy image that I have conversed with you about on PM.
« Last Edit: February 13, 2012, 06:23:53 AM by true indian »

Offline essexboy

Re: ATTENTION! essexboy new TDL4 botnet on client machine need help!
« Reply #4 on: February 13, 2012, 07:35:21 PM »
This is one that I have not yet had any hands-on experience with. From what you say, the best option would be to nuke the drive and start again.

true indian

Re: ATTENTION! essexboy new TDL4 botnet on client machine need help!
« Reply #5 on: February 14, 2012, 06:09:38 AM »
Hi essexboy, I cannot get USBs to work, but CDs do work.

Do you have something that I can do from CDs?

P.S. Since it's a rootkit, will it be deleted if I nuke and start over again?
« Last Edit: February 14, 2012, 07:17:48 AM by true indian »

akama1

Re: ATTENTION! essexboy new TDL4 botnet on client machine need help!
« Reply #6 on: February 14, 2012, 12:20:55 PM »
holy shit, what kind of rootkit is this??? soooo friggin powerful.... how does anyone even create it man :/ have you tried booting into safe mode? use SARDU and try booting up with the Dr.Web live CD?? :/ if the rootkit doesn't block it lah.... you can prepare those things on your own machine on a CD then try it on your customer's one.... I'm just giving opinions here... :/ hope it works though

akama1

Re: ATTENTION! essexboy new TDL4 botnet on client machine need help!
« Reply #7 on: February 14, 2012, 12:25:05 PM »
according to Google searches on the TDL4 botnet..... it appears to be near indestructible :/ don't worry, I'm helping you to find removal tools for it.... I know it blocks but try lah

akama1

Re: ATTENTION! essexboy new TDL4 botnet on client machine need help!
« Reply #8 on: February 14, 2012, 12:34:19 PM »
ok dude, I think I know how to solve your problem here..... get into safe mode and download or in any way get GMER first..... and then follow the instructions on these websites from Kaspersky and BitDefender

http://support.kaspersky.com/viruses/solutions?qid=208280684 (may try, might not be exact)

http://public.avast.com/~gmerek/aswMBR.exe (you must carry all these out in safe mode)

http://www.malwarecity.com/blog/free-removal-tool-for-tdl4-available-now-1106.html (download the tools, 32 or 64 bit)

you could try Hitman Pro.... that's all the info I can find, and get rid of the public Kad2 P2P thingy.... it's how they transfer the deadly bot.... I'm sorry, that's all I can help... there are not many tools out there capable of removing this TDL4 botnet... hope this helps :) remember to do this in safe mode

true indian

Re: ATTENTION! essexboy new TDL4 botnet on client machine need help!
« Reply #9 on: February 14, 2012, 12:39:00 PM »
This won't work!

This is a new variant!

This variant exploits safe mode and Linux environments and cancels anything from running. I will have to get this client machine back up and running by next week! Hope I find a solution soon.... :'(

akama1

Re: ATTENTION! essexboy new TDL4 botnet on client machine need help!
« Reply #10 on: February 14, 2012, 12:42:08 PM »
OMG... I have no words to say man, I'm sorry.... in my whole entire life of malware research and prevention... I have never ever never once encountered a virus this powerful before.... the only way to cure it is to change to a new hard drive.... if the virus takes over the motherboard... then the computer or laptop should be thrown away and get a new one.... Kaspersky saw this virus last year, June 2011.... perhaps the developers made a new one... toooo good

true indian

Re: ATTENTION! essexboy new TDL4 botnet on client machine need help!
« Reply #11 on: February 14, 2012, 12:44:29 PM »
No, I can conquer it! This is not my first encounter with this. I have seen this even before. I have also reported it to the FBI ;)

I had a chat about this even before with essex on PM.

I have burnt Linux Slax now. Hope I can kill that fake floppy image with this. My last attempt on this, hope it works! :( :P

akama1

Re: ATTENTION! essexboy new TDL4 botnet on client machine need help!
« Reply #12 on: February 14, 2012, 12:47:11 PM »
good luck mate :) if it succeeds please do teach me how you did it :) thnx... lol ok I just wanna learn

akama1

Re: ATTENTION! essexboy new TDL4 botnet on client machine need help!
« Reply #13 on: February 14, 2012, 12:51:57 PM »
very very very smart piece of virus indeed, check this out... important points: you can't boot from safe mode or CD because the TDL4 botnet somehow makes itself resident in the MBR, making it load before Windows loads.... and AV scanners don't scan this area of the disk

http://www.popsci.com/technology/article/2011-06/new-tdl-4-botnet-really-indestructible

true indian

Re: ATTENTION! essexboy new TDL4 botnet on client machine need help!
« Reply #14 on: February 14, 2012, 12:52:15 PM »
LOL!!!!

Thanks! I am going to try that Linux Slax tonight!

Getting back home to take a cup of tea :)

I hope essexboy does have something to boot via a CD.

This one is not in the MBR, as I checked the MBR before and it's legit.

This one creates a fake floppy image that's tough to trace. That's the place where all the malware files are. :o

Luckily, I have a smart tool called KILLDISK that is good at removing it. I just need to load it and then I will destroy the bot.

EDIT: I have tried the Norton bootable CD, Dr.Web Live CD and G-Data rescue CD, and none worked! The FBI is investigating, they are informed.
« Last Edit: February 14, 2012, 01:05:57 PM by true indian »