Purple Haze is a new piece of malware that is similar to TDL. I recently got a sample from kernelmode.info, an excellent malware analysis/reversing forum, and had a quick look at the code (goodbye my weekend :)).
The code is actually very interesting and some parts of it have already been covered by ESET’s blog. What caught my attention from a forensics perspective, though, was that one of the modules the malware uses (the ad-clicker component, I presume) relies on a simple piece of anti-forensics code to clean up the cache:
It also patches the waveOutOpen function to prevent the clicker from making sounds – a simple yet effective way to avoid detection.
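As an added example (not code from this post, nor from the malware), here is a defender-side check for that kind of patch: it compares the prologue of an exported function such as winmm!waveOutOpen with the bytes of the same function in the module on disk and labels the common ways a function is neutered in place. The sample prologue and the "xor eax,eax; ret 0x18" patch are constructed (the real Purple Haze patch bytes are not known from this post); the live Windows helper, its use of the third-party pefile module and the System32 path are assumptions.

```python
"""Detect an in-memory patch of an exported function (e.g. winmm!waveOutOpen)
by diffing its live prologue against the bytes in the module file on disk."""
from dataclasses import dataclass

# Keep this short: inline patches sit at the entry, and on x86 the bytes further
# in may legitimately differ from disk because of relocations (false positives).
PROLOGUE_LEN = 16


@dataclass
class PatchReport:
    export: str
    patched: bool
    offset: int      # first differing byte, -1 when the prologue is intact
    verdict: str


def classify_patch(code: bytes) -> str:
    """Heuristic label for the usual ways a function is neutered in place."""
    if code[:1] in (b"\xc3", b"\xc2"):                              # ret / ret imm16
        return "immediate return"
    if code[:2] in (b"\x33\xc0", b"\x31\xc0") and code[2:3] in (b"\xc3", b"\xc2"):
        return "returns 0 (MMSYSERR_NOERROR) without doing any work"
    if code[:1] in (b"\xe9", b"\xeb"):                              # jmp rel32 / rel8
        return "jump to detour"
    if code[:2] == b"\xff\x25":                                     # jmp [mem]
        return "indirect jump to detour"
    return "unknown modification"


def compare_prologue(export: str, in_memory: bytes, on_disk: bytes) -> PatchReport:
    """Report the first byte where the live prologue departs from the on-disk image."""
    for i in range(min(len(in_memory), len(on_disk), PROLOGUE_LEN)):
        if in_memory[i] != on_disk[i]:
            return PatchReport(export, True, i, classify_patch(in_memory[i:]))
    return PatchReport(export, False, -1, "prologue matches on-disk image")


def live_check_windows(module: str = "winmm.dll", export: str = "waveOutOpen") -> PatchReport:
    """Windows only (assumed): live bytes via ctypes, on-disk bytes via pefile."""
    import ctypes, os, pefile  # pefile is third-party: pip install pefile
    lib = ctypes.WinDLL(module)
    live = ctypes.string_at(ctypes.cast(getattr(lib, export), ctypes.c_void_p).value,
                            PROLOGUE_LEN)
    pe = pefile.PE(os.path.join(os.environ["SystemRoot"], "System32", module))
    rva = next(s.address for s in pe.DIRECTORY_ENTRY_EXPORT.symbols
               if s.name == export.encode())
    return compare_prologue(export, live, pe.get_data(rva, PROLOGUE_LEN))


# Constructed sample: a hot-patchable x86 prologue (mov edi,edi; push ebp; mov ebp,esp; ...)
# and the same bytes with "xor eax,eax; ret 0x18" written over the entry
# (waveOutOpen is stdcall with six 4-byte arguments, hence 0x18).
CLEAN_PROLOGUE = bytes.fromhex("8bff558bec83ec1c5356578b7d08")
PATCHED_PROLOGUE = bytes.fromhex("33c0c21800") + CLEAN_PROLOGUE[5:]
```

Run from a memory image or a live system, a mismatch at offset 0 on winmm!waveOutOpen is the artefact to look for; `live_check_windows()` only works on Windows with pefile installed.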
I will post bits and bobs about other findings soon.