TDL4 is alive and well on x64

Discussion in 'malware problems & news' started by Victek, Dec 21, 2010.

Thread Status:
Not open for further replies.
  1. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    5,121
    Location:
    USA
    It has been speculated for a long time that rootkits could infect 64 bit systems, but today is the first time I've seen it in the field. I was able to remove the TDL4 rootkit from Windows 7 x64 using Kaspersky's TDSSkiller in SAFE mode (by the way, TDSSkiller is very fast - an indispensable antimalware tool). So much for x64 Patchguard.
     
  2. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,029
    Location:
    Hengelo, The Netherlands
    Hitman Pro was the first to remove the TDL4 x64 bootkit (in normal mode):
    http://www.kernelmode.info/forum/viewtopic.php?f=16&t=19&start=490#p2521

    The big AVs started to call it TDL4, but in fact it is just TDL3 that now infects the MBR instead of a driver. You can read the entire thread on the TDL3/TDL4 rootkit. Quite informative.

    Btw. Hitman Pro also removes the additional malware that TDL4 drops on a system.
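
The post above makes the point that this variant lives in the MBR rather than in a driver, so from a defender's view the boot sector itself becomes the thing to baseline and re-check. The following is an added example of such a check, not code from this thread, from Hitman Pro or from TDSSKiller: it parses a 512-byte MBR into boot code, partition table and signature, hashes the 446-byte boot code and compares it with a known-clean baseline. The sample MBRs, the `build_mbr` helper and the baseline value are constructed here for illustration.

```python
"""MBR integrity check (added example; the sample sectors are constructed)."""
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 446          # executable boot code occupies bytes 0..445
PART_TABLE_OFF = 446         # four 16-byte partition entries follow
SIGNATURE = b"\x55\xAA"      # bytes 510..511 of every valid MBR


def parse_mbr(mbr: bytes) -> dict:
    """Split a 512-byte MBR into its parts and hash the boot code."""
    if len(mbr) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(mbr)}")
    partitions = []
    for i in range(4):
        raw = mbr[PART_TABLE_OFF + 16 * i: PART_TABLE_OFF + 16 * (i + 1)]
        # status, 3 CHS bytes, type, 3 CHS bytes, LBA start, sector count (little-endian)
        status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", raw)
        if ptype != 0:       # type 0x00 marks an unused entry
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": sectors})
    return {
        "boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
        "signature_ok": mbr[510:512] == SIGNATURE,
    }


def check_mbr(mbr: bytes, baseline_sha256: str) -> list:
    """Return findings; an empty list means the sector matches the clean baseline."""
    info = parse_mbr(mbr)
    findings = []
    if not info["signature_ok"]:
        findings.append("invalid 0x55AA boot signature")
    if info["boot_code_sha256"] != baseline_sha256:
        findings.append("boot code differs from baseline")
    return findings


def build_mbr(boot_code: bytes) -> bytes:
    """Constructed sample: boot code padded to 446 bytes, one NTFS partition, valid signature."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 204800)  # bootable, type 0x07, LBA 2048
    table = entry + b"\x00" * 48                                   # three unused entries
    return code + table + SIGNATURE


# Constructed sectors: a "clean" one used to record the baseline, and one whose
# boot code has been replaced (the situation a boot-sector infection produces).
CLEAN_MBR = build_mbr(b"\x33\xC0\x8E\xD0\xBC\x00\x7C")
TAMPERED_MBR = build_mbr(b"\xEB\xFE" + b"\x90" * 20)
CLEAN_BASELINE = parse_mbr(CLEAN_MBR)["boot_code_sha256"]

if __name__ == "__main__":
    print(check_mbr(CLEAN_MBR, CLEAN_BASELINE))     # []
    print(check_mbr(TAMPERED_MBR, CLEAN_BASELINE))  # ['boot code differs from baseline']
```

On a live system the 512 bytes would come from the raw disk device (for example `\\.\PhysicalDrive0` on Windows, read as administrator). The caveat a practitioner should keep in mind is exactly why the posters reached for dedicated tools: a rootkit that hooks disk I/O can hand a user-mode reader the original, clean sector while the real one is infected, so a check like this is most trustworthy when the disk is read from a clean environment (offline media, or the booted-clean baseline being compared against a read taken from safe mode, as in the first post).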
     
  3. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,011
    Location:
    Ontario, Canada