Author Topic: ATTENTION! essexboy new TDL4 botnet on client machine need help!

true indian

  • Guest
Re: ATTENTION! essexboy new TDL4 botnet on client machine need help!
« Reply #30 on: February 16, 2012, 04:38:45 PM »
@essexboy

Thanks! Good idea, I will give it a try!

Do you think a Linux Slax bootable disk is a good idea, as all Linux environments are exploited... can I give this a try?

@Don

Can you give me a link to the MBRTool please?


Thanks to all who try to help me.

true indian

  • Guest
Re: ATTENTION! essexboy new TDL4 botnet on client machine need help!
« Reply #31 on: February 16, 2012, 04:44:26 PM »
Essexboy, you are awesome!  ;D

I found the registry value; it's here:

\HKEY_LOCAL_MACHINE\SYSTEM\Mounted Devices\Dos Devices\BLACKTERROR!!!!!!!!!!!!!!!

What would you recommend?

Should I boot via Linux Slax and then take care of it? Is that a good idea?

I feel that you would tell me what will be more secure to do?

Yes... I have full access to that key even in normal Windows.... Very strange type of infection!  :P ::)
« Last Edit: February 16, 2012, 05:05:17 PM by true indian »

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: ATTENTION! essexboy new TDL4 botnet on client machine need help!
« Reply #32 on: February 16, 2012, 08:47:13 PM »
Could you export that entire key, post it here and then we will see if I can use OTL to delete it. Unless it has some real strong protection... in which case I know another tool that will kill the reg key stone dead.

DonZ63

  • Guest
Re: ATTENTION! essexboy new TDL4 botnet on client machine need help!
« Reply #33 on: February 16, 2012, 10:09:34 PM »
MBRTool.exe link: http://www.diydatarecovery.nl/mbrtool.htm
Note: I have not personally used this so I can't vouch for it.
« Last Edit: February 16, 2012, 10:13:11 PM by DonZ63 »

true indian

  • Guest
Re: ATTENTION! essexboy new TDL4 botnet on client machine need help!
« Reply #34 on: February 17, 2012, 12:57:37 PM »
The content of the reg value:

Code:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BTNT"="Kad.exe "X:/BTNR.exe"
-<<ROOT>> +$ EXTEND .HS.
$ Extend +$ RECYCLE.BIN .HS.
+$ Recycle.bin +$ SYSTEM ~ 1 .HS.
System Volume Inf + $ EXTRA.!!!
+!!! Extra Deleted $ mft 262144 .HS.
$ mftmirr 4096 .HS.
$ logfile 4194304 .HS.
$ volume 0 .HS.
$ attrdef 2560 .HS.
$ bitmap 1976752 .HS.
$ boot 8192 .HS.
$ badclus 0 .HS.
$ Secure 0 .HS.
$ upcase 131072 .HS.
« Last Edit: February 17, 2012, 01:03:09 PM by true indian »

Offline essexboy

Re: ATTENTION! essexboy new TDL4 botnet on client machine need help!
« Reply #35 on: February 17, 2012, 08:03:03 PM »
On completion of this can you run OTL as I need to find the location of the following two files :

BTNR.exe
Kad.exe


1. Please download The Avenger by Swandog46 to your Desktop.

  • Right click on the Avenger.zip folder and select "Extract All..."
  • Follow the prompts and extract the avenger folder to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):
Code:
Begin copying here:
Registry values to replace with dummy:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|BTNT
Note: the above code was created specifically for this user.  If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, open the avenger folder and start The Avenger program by clicking on its icon.

  • Accept the disclaimer
  • Right click on the window under Input script here:, and select Paste.
  • You can also click on this window and press (Ctrl+V) to paste the contents of the clipboard.
  • Click on Execute
  • Answer "Yes" twice when prompted.

4. The Avenger will automatically do the following:

  • It will Restart your computer. (In cases where the code to execute contains "Drivers to Delete", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

5. Please copy/paste the content of c:\avenger.txt into your reply.

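As an added example (not code from this thread, from Avast, or from The Avenger), here is a small Python triage script for the two registry artifacts discussed above: the Run value that launches from a drive letter, and the DosDevices mapping under MountedDevices that backs that letter. It parses a .reg export, flags Run entries whose drive letter is mapped in MountedDevices but is not among the volumes the analyst can actually see, and writes a .reg fragment that overwrites the value with an empty string, in the same spirit as the Avenger "replace with dummy" step. The sample export, the benign Run value, and the X: mapping (with placeholder hex data) are constructed for the example; the list of visible drives would come from the live machine.

```python
r"""Added example: triage a .reg export for a Run value that launches from a
drive letter which exists in MountedDevices\DosDevices but not as a visible
volume, then emit a .reg fragment that replaces the value with a dummy.

Not code from the thread. SAMPLE_REG below is constructed for this example;
the MountedDevices hex data is a placeholder, not a real volume identifier.
"""
import re
from typing import Dict, Iterable, List, Set, Tuple

SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"BTNT"="Kad.exe \"X:/BTNR.exe\""

[HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices]
"\\DosDevices\\C:"=hex:00
"\\DosDevices\\X:"=hex:00
"""

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
MOUNTED_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices"

_SECTION = re.compile(r"^\[(.+)\]$")
_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')      # "name"=data
_DRIVE = re.compile(r"\b([A-Za-z]):[\\/]")               # first X:\ or X:/ in a command
_DOSDEV = re.compile(r"^\\DosDevices\\([A-Za-z]):$", re.IGNORECASE)


def _unescape(s: str) -> str:
    # .reg string syntax escapes backslash and double quote with a backslash
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key_path: {value_name: data}}. Quoted strings are unescaped;
    other data (hex:, dword:) is kept verbatim."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _SECTION.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _VALUE.match(line)
        if m and current is not None:
            name, data = _unescape(m.group(1)), m.group(2)
            if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
                data = _unescape(data[1:-1])
            keys[current][name] = data
    return keys


def mapped_drives(keys: Dict[str, Dict[str, str]]) -> Set[str]:
    """Drive letters that MountedDevices maps through DosDevices entries."""
    letters: Set[str] = set()
    for name in keys.get(MOUNTED_KEY, {}):
        m = _DOSDEV.match(name)
        if m:
            letters.add(m.group(1).upper())
    return letters


def suspicious_run_entries(keys: Dict[str, Dict[str, str]],
                           visible_drives: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Run values that launch from a letter MountedDevices knows about but the
    analyst cannot see as a volume (the hidden-image pattern in the thread).
    visible_drives is collected on the live box, e.g. from
    'wmic logicaldisk get deviceid' or Get-PSDrive -PSProvider FileSystem."""
    visible = {d.strip(":").upper() for d in visible_drives}
    mapped = mapped_drives(keys)
    hits: List[Tuple[str, str, str]] = []
    for name, cmd in keys.get(RUN_KEY, {}).items():
        m = _DRIVE.search(cmd)
        if not m:
            continue
        letter = m.group(1).upper()
        if letter in mapped and letter not in visible:
            hits.append((name, cmd, letter))
    return hits


def dummy_value_reg(value_name: str, key: str = RUN_KEY) -> str:
    """A .reg fragment that overwrites the value with an empty string rather
    than deleting it, so a watchdog that re-creates a missing value still sees
    the value present (the 'replace with dummy' approach used above)."""
    esc = value_name.replace("\\", "\\\\").replace('"', '\\"')
    return f'Windows Registry Editor Version 5.00\n\n[{key}]\n"{esc}"=""\n'


if __name__ == "__main__":
    parsed = parse_reg(SAMPLE_REG)
    for name, cmd, letter in suspicious_run_entries(parsed, visible_drives={"C:"}):
        print(f"{name!r} launches from hidden drive {letter}: {cmd}")
        print(dummy_value_reg(name))
```

Export the two keys with `reg export` from the infected box (or from an offline hive), feed the text to `parse_reg`, and pass the drive letters you can actually see to `suspicious_run_entries`; any hit is a Run value pointing at a mapped-but-invisible volume, which is exactly the case the thread ended up chasing. The `.reg` fragment from `dummy_value_reg` can be imported with `reg import` after the autorun has been neutralised, but the hidden volume and its files still have to be dealt with separately, as the thread does with Killdisk.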
true indian

  • Guest
Re: ATTENTION! essexboy new TDL4 botnet on client machine need help!
« Reply #36 on: February 18, 2012, 06:12:44 AM »
Hi essexboy, yes, I have known about Avenger for ages...


And yes! It worked...

I couldn't find the log, but the fake floppy disk image was there after taking out the reg value, and I easily removed it via Killdisk.
And the two files were in the fake floppy disk partition that I removed via Killdisk after following your fix.

This was a nasty guy!  ;D

It was your idea to delete the reg value.... so you own the credit.

Thanks a lot man!

Now I can give the client his PC back this evening.
Thanks again.
« Last Edit: February 18, 2012, 06:15:43 AM by true indian »

Offline essexboy
Re: ATTENTION! essexboy new TDL4 botnet on client machine need help!
« Reply #37 on: February 18, 2012, 12:38:40 PM »
Do you have copies of the two files to send to Avast?

I replaced the run key with a dummy just in case it was being monitored.

true indian

  • Guest
Re: ATTENTION! essexboy new TDL4 botnet on client machine need help!
« Reply #38 on: February 18, 2012, 05:06:51 PM »
Hi essexboy,

Currently the FBI are tracking the bot network..... fortunately the 2 files were uploaded to VirusTotal... But the good news is Kaspersky and avast! have the detection, so we are protected  ;D
« Last Edit: February 18, 2012, 05:12:25 PM by true indian »

Offline essexboy
Re: ATTENTION! essexboy new TDL4 botnet on client machine need help!
« Reply #39 on: February 18, 2012, 05:23:05 PM »
Any idea on the dropper?

true indian

  • Guest
Re: ATTENTION! essexboy new TDL4 botnet on client machine need help!
« Reply #40 on: February 18, 2012, 05:27:01 PM »
Here are the detections for the 2 files:

Kaspersky: Backdoor Tdss.dos

Avast!: Win32.Rootkit.gen [rtk]

The dropper file is also detected....
Name of the file: [random numbers].exe
Avast!: Win32.rootkit.gen

I hope the FBI will catch the bot master.
« Last Edit: February 18, 2012, 05:32:41 PM by true indian »

Offline essexboy
Re: ATTENTION! essexboy new TDL4 botnet on client machine need help!
« Reply #41 on: February 18, 2012, 05:32:34 PM »
The same name as a standard TDL dropper, must be using the same package.

true indian

  • Guest
Re: ATTENTION! essexboy new TDL4 botnet on client machine need help!
« Reply #42 on: February 18, 2012, 05:34:47 PM »
The same name as a standard TDL dropper, must be using the same package.

I am ultra suspicious of this variant...

This variant follows the characteristics of the new variant of TDL4 that creates its own partition...

The only difference is this one creates a floppy disk partition that is hidden and cannot be seen unless we remove the reg value. More stealthy than ever. Hence very close to indestructible. :'(

Maybe military-grade malware? Any idea?

As it is, the malware you and I see regularly is just consumer-based malware, and there is malware made by government organizations to spy...
« Last Edit: February 18, 2012, 05:37:26 PM by true indian »

Offline essexboy
Re: ATTENTION! essexboy new TDL4 botnet on client machine need help!
« Reply #43 on: February 18, 2012, 05:42:50 PM »
No, I just think it is a new twist; as we kill one variant another pops up.

true indian

  • Guest
Re: ATTENTION! essexboy new TDL4 botnet on client machine need help!
« Reply #44 on: February 18, 2012, 05:45:33 PM »
No, I just think it is a new twist; as we kill one variant another pops up.

I hope............

As it is, this thing was annoying me all this week, until your suggested idea worked.

Thanks!

Now my tubelight didn't strike this time  ;)

Now I will make a note of this to myself, as it will be good for me in future.  :)
« Last Edit: February 18, 2012, 05:47:38 PM by true indian »