Purple Haze – Anti-forensics and anti-detection
February 13, 2012 in Anti-Forensics, Malware Analysis
Purple Haze is a new malware that is similar to TDL. I recently got a sample from kernelmode.info, an excellent malware analysis/reversing forum, and had a quick look at the code (goodbye, my weekend).
The code is actually very interesting, and some parts of it have already been covered by ESET’s blog. What caught my attention from a forensics perspective, though, was that one of the modules the malware uses (the ad-clicker component, I presume) relies on a simple piece of anti-forensics code to clean up the cache:

It also patches the waveOutOpen function to prevent the clicker from making sounds, a simple yet effective way to avoid detection.
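An inline patch like the one on waveOutOpen is easy to spot when you compare the first bytes of the export as mapped in the live process with the same bytes read from the DLL on disk. The routine below is an added example, not code from the original post or from the Purple Haze sample; the prologue and patch bytes are constructed for illustration (the clean bytes are the usual x86 hot-patchable prologue), and in practice you would feed it bytes read from a memory dump and from the module file.

```python
import struct

# Constructed sample: unmodified first bytes of an export as read from the DLL
# on disk (mov edi,edi ; push ebp ; mov ebp,esp). Illustrative, not from the post.
CLEAN_PROLOGUE = bytes.fromhex("8bff558bec")

# Constructed samples of how the same bytes could look in a live process after
# an inline patch. Illustrative shapes of a patch, not the actual Purple Haze bytes.
PATCHED_RET_STUB = bytes.fromhex("33c0c21400")                          # xor eax,eax ; ret 0x14
PATCHED_JMP = bytes.fromhex("e9") + struct.pack("<i", 0x1000) + b"\x90"  # jmp rel32 ; nop
PATCHED_PUSH_RET = bytes.fromhex("68") + struct.pack("<I", 0x12345678) + b"\xc3"  # push imm32 ; ret


def classify_patch(disk: bytes, memory: bytes, func_rva: int = 0) -> dict:
    """Compare the on-disk prologue with the in-memory copy of the same export.

    Returns the patch kind and, for a jmp/call rel32 detour, the RVA it lands on,
    so the analyst can check whether the detour stays inside the module image.
    func_rva is the export's RVA inside the module (hypothetical parameter).
    """
    n = min(len(disk), len(memory))
    if disk[:n] == memory[:n]:
        return {"patched": False, "kind": "clean"}
    result = {
        "patched": True,
        "kind": "unknown",
        "first_diff": next(i for i in range(n) if disk[i] != memory[i]),
    }
    op = memory[0]
    if op in (0xE9, 0xE8) and len(memory) >= 5:                      # jmp / call rel32
        rel = struct.unpack_from("<i", memory, 1)[0]
        result["kind"] = "jmp_rel32" if op == 0xE9 else "call_rel32"
        result["target_rva"] = func_rva + 5 + rel                     # rel32 is relative to next insn
    elif op == 0x68 and len(memory) >= 6 and memory[5] == 0xC3:       # push imm32 ; ret
        result["kind"] = "push_ret"
        result["target_va"] = struct.unpack_from("<I", memory, 1)[0]
    elif op in (0xC2, 0xC3) or (memory[:2] == b"\x33\xc0" and memory[2] in (0xC2, 0xC3)):
        result["kind"] = "ret_stub"                                    # function neutered: returns at once
    return result


def detour_leaves_module(result: dict, image_size: int) -> bool:
    """True when a rel32 detour points outside the module's own image (injected code)."""
    target = result.get("target_rva")
    return target is not None and not (0 <= target < image_size)
```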
I will post bits and bobs about other findings soon.