Pay-Per-Install Analysis – Part Three


InstallConverter


This is where things get interesting. This company distributes one executable, TDL3. TDL3 is a very advanced piece of stealth malware, with rootkit capabilities. Here you can see Symantec are well aware of this.


Backdoor.Tidserv

[Image: Symantec writeup for Backdoor.Tidserv]

This is how much they pay per 1000 installs, by country.

USA - $170
Canada - $120
United Kingdom - $110
Australia, Austria, Belgium, Denmark, Finland, France, Germany, Greece, Iceland, Ireland, Italy, Netherlands, Norway, Spain, Sweden, Switzerland - $50

This is a list of strings from the unpacked executable. Notice the similarities to the Symantec writeup.

0x00013158 0x00000016 %1d.%1d %04d SP%1d.%1d
0x00013170 0x00000040 ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
0x000131BC 0x00000014 %s|%s|%s|%x|%x|%s|%s
0x000131DC 0x00000012 %[^;];%[^;];%[^;];
0x000131F8 0x0000000A \tdrv
0x00013204 0x0000000A \tdev
0x00013220 0x00000012 %[^;];%[^;];%[^;];
0x0001323C 0x00000024 system\currentcontrolset\services\%s
0x00013264 0x00000009 imagepath
0x00013278 0x00000028 \registry\machine\%S
0x000132A4 0x0000001C \\?\globalroot%wZ\tdlcmd.dll
0x000132C4 0x00000014 \\?\globalroot%wZ\%s
0x000132DC 0x00000009 bckfg.tmp
0x000132E8 0x00000014 \\?\globalroot%wZ\%s
0x00013304 0x0000000E %[^|]|%[^|]|%s
0x00013314 0x00000007 servers
0x0001331C 0x00000006 tdlcmd
0x00013324 0x0000000A wspservers
0x00013330 0x00000006 tdlcmd
0x00013338 0x0000000C popupservers
0x00013348 0x00000006 tdlcmd
0x00013350 0x00000011 %d.%d.%d %d:%d:%d
0x00013364 0x00000009 builddate
0x00013370 0x00000018 services.exe
0x0001338C 0x0000000E IsWow64Process
0x0001339C 0x00000008 kernel32
0x000133A8 0x00000020 \\?\globalroot%s
0x000133DC 0x00000007 spooler
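As an added example (not tooling from the post), here is a small triage script that does what the dump above shows by hand: it pulls printable strings out of a binary the way the `strings` tool does and flags the TDL3/Tidserv indicators listed above. The sample bytes are constructed; the indicator list and the threshold of three are assumptions for illustration.

```python
"""Triage helper: extract printable strings from a binary and flag
TDL3/Tidserv-style indicators taken from the string dump above.
Added example, not the post's own tooling; the sample bytes are constructed."""
import re

# Indicator substrings copied from the unpacked-executable dump above.
TDL3_INDICATORS = [
    rb"\tdlcmd.dll", rb"tdlcmd", rb"bckfg.tmp",
    rb"wspservers", rb"popupservers", rb"\\?\globalroot",
    rb"system\currentcontrolset\services\%s",
    rb"%[^;];%[^;];%[^;];",
]


def extract_strings(data: bytes, min_len: int = 4) -> list[bytes]:
    """Return runs of printable ASCII at least min_len bytes long (like `strings`)."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)


def match_indicators(strings) -> dict[bytes, list[bytes]]:
    """Map each indicator to the extracted strings that contain it."""
    hits = {}
    for ind in TDL3_INDICATORS:
        found = [s for s in strings if ind in s]
        if found:
            hits[ind] = found
    return hits


def score(hits, threshold: int = 3) -> bool:
    """Crude verdict (assumed threshold): several distinct indicators together
    are far more telling than any single one, since 'servers' or 'spooler'
    alone would appear in plenty of benign binaries."""
    return len(hits) >= threshold


# Constructed sample: junk bytes around a handful of strings from the dump.
SAMPLE = (b"\x00\x01MZ\x90\x00junk" + b"\\\\?\\globalroot%wZ\\tdlcmd.dll\x00"
          + b"\x00\x00bckfg.tmp\x00\x7f\x80" + b"popupservers\x00wspservers\x00"
          + b"system\\currentcontrolset\\services\\%s\x00" + b"\xff\xfe")

if __name__ == "__main__":
    hits = match_indicators(extract_strings(SAMPLE))
    for ind, strs in hits.items():
        print(ind.decode(), "->", [s.decode() for s in strs])
    print("TDL3-like:", score(hits))
```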

TDL3 infects a random driver, so after infection I ran TDSSKiller.

[Image: TDSSKiller scan result]

There you can see it has infected one of my VirtualBox drivers. TDSSKiller was able to remove it after a reboot.


To be continued…


The Case Of TDL3
Tidy TDSS (TLD3) Paper
