TDSS

This page shows the details and results of our analysis of the malware TDSS.

Overview


Minimum Engine

5600.1067

File Length

VARIES

Description Added

2010-02-20

Description Modified

2012-05-29

Malware Proliferation

Characteristics

TDSS.e!rootkit is a detection for a rootkit designed to allow remote access to your computer, to consume a large share of system resources, and to trace your internet habits in order to record or steal your personal information.

TDSS.e!rootkit attempts to propagate through existing network vulnerabilities or software exploits. It also links up to shared drives; the threat itself consists of nothing but files.

TDSS.e!rootkit is installed without the user's permission through the use of trojans, which can also download and install additional malware, adware, or even rogue anti-spyware applications.

Upon execution it drops a file in the following location:

%Temp%\F.tmp

The main properties of TDSS.e!rootkit are listed below:

Changes browser settings

Shows commercial advertisements

Connects itself to the internet

Stays resident in background

The following registry values have been modified on the system:

HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\DesktopProtection\OASState: 0x00000003

HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\DesktopProtection\OASState: 0x00000002

HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\SystemCore\VSCore\On Access Scanner\McShield\szLastScanned: "%Temp%\MSI12.tmp"

HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\SystemCore\VSCore\On Access Scanner\McShield\szLastScanned: "%windir%\system32\wbem\Logs\wbemcore.log"

HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\SystemCore\VSCore\On Access Scanner\McShield\dwFilesScanned: 0x00001233

HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\SystemCore\VSCore\On Access Scanner\McShield\dwFilesScanned: 0x0000123D

HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\SystemCore\VSCore\On Access Scanner\McShield\Configuration\OASEnabled: 0x00000003

HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\SystemCore\VSCore\On Access Scanner\McShield\Configuration\OASEnabled: 0x00000002

HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\Agent\lpc\lpc_throb: "1337925579"

HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\Agent\lpc\lpc_throb: "1337925869"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings CertificateRevocation = 0

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings WarnonBadCertRecving = 0

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop NoChangingWallPaper = 1

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations

LowRiskFileTypes = /{hq:/s`s:/ogn:/uyu:/dyd:/c`u:/bnl:/ble:/sdf:/lrh:/iul:/iulm:/fhg:/clq:/kqf:/`wh:/lqf:/lqdf:/lnw:/lq2:/l2t:/v`w:/rbs:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments SaveZoneInformation = 1

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System DisableTaskMgr = 1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system DisableTaskMgr = 1

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download CheckExeSignatures = no

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main Use FormSuggest = yes

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Hidden = 0

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced ShowSuperHidden = 0
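Most of the HKEY_CURRENT_USER changes above turn off a Windows or Internet Explorer safeguard (certificate revocation checks, bad-certificate warnings, signature checks on downloads, zone information on attachments, Task Manager). The script below is an added example, not McAfee's code: it audits a snapshot of those values against the state a clean host is expected to have and reports which safeguards were weakened. INFECTED_SNAPSHOT is constructed from the values listed on this page; on a live host the same mapping would be built by reading each value with winreg, which is assumed rather than shown. It also decodes the LowRiskFileTypes value as printed above, which on inspection is the plaintext extension list with every byte XORed with 1 (the segment "/{hq:" is ".zip;").

```python
"""Audit registry values for the hardening settings TDSS.e!rootkit turns off.

Added example, not McAfee's code. INFECTED_SNAPSHOT is constructed from the
values listed on this page; reading them from a live registry (winreg) is
assumed and not shown.
"""
from typing import Dict, List, Optional, Tuple, Union

RegValue = Union[int, str]          # int = REG_DWORD, str = REG_SZ

IS = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
POL = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies"
HKLM_POL = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies"
IE = r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer"

# Constructed snapshot: "hive\key\valuename" -> value, taken from this page.
INFECTED_SNAPSHOT: Dict[str, RegValue] = {
    IS + r"\CertificateRevocation": 0,
    IS + r"\WarnonBadCertRecving": 0,
    POL + r"\ActiveDesktop\NoChangingWallPaper": 1,
    POL + r"\Associations\LowRiskFileTypes":
        "/{hq:/s`s:/ogn:/uyu:/dyd:/c`u:/bnl:/ble:/sdf:/lrh:/iul:/iulm:/fhg:"
        "/clq:/kqf:/`wh:/lqf:/lqdf:/lnw:/lq2:/l2t:/v`w:/rbs:",
    POL + r"\Attachments\SaveZoneInformation": 1,
    POL + r"\System\DisableTaskMgr": 1,
    HKLM_POL + r"\system\DisableTaskMgr": 1,
    IE + r"\Download\CheckExeSignatures": "no",
}

# Expected state on a healthy host: the secure value, or None when the value
# is a policy that should not exist at all (absent by default).
BASELINE: Dict[str, Tuple[Optional[RegValue], str]] = {
    IS + r"\CertificateRevocation": (1, "certificate revocation checking"),
    IS + r"\WarnonBadCertRecving": (1, "warning on invalid server certificates"),
    POL + r"\Attachments\SaveZoneInformation": (2, "zone information kept on downloads"),
    IE + r"\Download\CheckExeSignatures": ("yes", "signature check on downloaded executables"),
    POL + r"\System\DisableTaskMgr": (None, "Task Manager availability (HKCU)"),
    HKLM_POL + r"\system\DisableTaskMgr": (None, "Task Manager availability (HKLM)"),
    POL + r"\ActiveDesktop\NoChangingWallPaper": (None, "wallpaper lock (tamper indicator)"),
    POL + r"\Associations\LowRiskFileTypes": (None, "attachment warnings suppressed per file type"),
}


def decode_xor1(value: str) -> List[str]:
    """Recover the extension list from LowRiskFileTypes as printed on this page.

    Observation: every byte of the printed value is XORed with 1 ('/{hq:' is
    '.zip;'), so flipping the low bit of each character yields the plaintext
    semicolon-separated list."""
    plain = "".join(chr(ord(c) ^ 1) for c in value)
    return [ext for ext in plain.split(";") if ext]


def audit(snapshot: Dict[str, RegValue],
          baseline: Dict[str, Tuple[Optional[RegValue], str]] = BASELINE
          ) -> List[Tuple[str, RegValue, str]]:
    """Return (value name, observed value, what it weakens) for every baseline
    entry that is present in the snapshot with a non-secure value."""
    findings = []
    for key, (expected, what) in baseline.items():
        if key not in snapshot:
            continue                    # absent is the default; nothing to flag
        observed = snapshot[key]
        if expected is None or observed != expected:
            findings.append((key.rsplit("\\", 1)[1], observed, what))
    return findings


if __name__ == "__main__":
    for name, observed, what in audit(INFECTED_SNAPSHOT):
        print(f"{name:<22} = {observed!r:<6} weakens: {what}")
    print("LowRiskFileTypes decodes to:", " ".join(decode_xor1(
        INFECTED_SNAPSHOT[POL + r"\Associations\LowRiskFileTypes"])))
```

Absent values are deliberately not reported: the policy values (DisableTaskMgr, NoChangingWallPaper, LowRiskFileTypes) do not exist on a default installation, so their mere presence is the finding, whereas the Internet Settings and Download values are compared against their secure defaults.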

The following memory strings confirm an infection by TDSS.e!rootkit:

MBR

VBR

FILE

BOOT

DBG32

DBG64

DRV32

DRV64

CMD32

CMD64

LDR32

LDR64

MAIN

AFFID

SUBID

PAIR

NAME

BUILD.

Bad allocation

The malware survives restarts by infecting a randomly chosen system driver (usually located in %windir%\system32\drivers). This particular variant mostly infects the file VOLSNAP.SYS.

Symptoms

Method of Infection

Removal

All Users:

Please use the following instructions for all supported versions of Windows to remove threats and other potential risks:

1. Disable System Restore.

2. Update to current engine and DAT files for detection and removal.

3. Run a complete system scan.

Modifications made to the system registry and/or INI files for the purpose of hooking system startup will be removed when cleaning with the recommended engine and DAT combination (or higher).

1. Please go to the Microsoft Recovery Console and restore a clean MBR.

On Windows XP:

1. Insert the Windows XP CD into the CD-ROM drive and restart the computer.
2. When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
3. Select the Windows installation that is compromised and provide the administrator password.
4. Issue the 'fixmbr' command to restore the Master Boot Record.
5. Follow the on-screen instructions.
6. Restart the computer and remove the CD from the CD-ROM drive.


On Windows Vista and 7:

1. Insert the Windows CD into the CD-ROM drive and restart the computer.
2. Click on "Repair Your Computer".
3. When the System Recovery Options dialog comes up, choose the Command Prompt.
4. Issue the 'bootrec /fixmbr' command to restore the Master Boot Record.
5. Follow the on-screen instructions.
6. Restart the computer and remove the CD from the CD-ROM drive.
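After fixmbr or bootrec /fixmbr has run, a responder wants to confirm that the first sector really carries the known-good boot code again, since a bootkit-patched MBR is structurally valid and looks normal to a partition-table check alone. The script below is an added example, not McAfee's code: it parses a 512-byte MBR using the standard layout (440 bytes of boot code, a 4-byte disk signature, two reserved bytes, four 16-byte partition entries, the 0x55AA signature) and compares the boot-code digest with a reference digest. The sample boot code, disk signature and partition entry are constructed for the demonstration; the reference digest must come from a known-clean system or installation media, and reading the live sector from the disk device is assumed rather than shown.

```python
"""Parse a 512-byte MBR and check it against a known-good boot-code digest.

Added example, not McAfee's code. Sample boot code, disk signature and the
partition entry are constructed; a real reference digest would be taken from
a known-clean system or installation media.
"""
import hashlib
import struct
from typing import Dict, List

SECTOR = 512
BOOT_CODE_LEN = 440          # boot code occupies bytes 0..439
PART_TABLE_OFF = 446         # four 16-byte partition entries follow
ENTRY_FMT = "<B3sB3sII"      # status, CHS start, type, CHS end, LBA start, sector count


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed MBR: the given boot code plus one active type-0x07 partition at LBA 2048."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    disk_signature = b"\x12\x34\x56\x78"          # constructed value
    entry = struct.pack(ENTRY_FMT, 0x80, b"\x00\x21\x00", 0x07, b"\xfe\xff\xff", 2048, 204800)
    table = entry + b"\x00" * 48                   # remaining three entries empty
    return code + disk_signature + b"\x00\x00" + table + b"\x55\xaa"


def boot_code_digest(mbr: bytes) -> str:
    """SHA-256 of the boot-code region only; the partition table legitimately differs per disk."""
    return hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest()


def parse_mbr(mbr: bytes) -> Dict:
    if len(mbr) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions: List[Dict] = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, _, ptype, _, lba, count = struct.unpack(ENTRY_FMT, mbr[off:off + 16])
        if ptype == 0:
            continue                               # empty slot
        partitions.append({"index": i, "bootable": status == 0x80,
                           "type": ptype, "lba_start": lba, "sectors": count})
    return {
        "valid_signature": mbr[510:512] == b"\x55\xaa",
        "disk_signature": mbr[440:444].hex(),
        "boot_code_sha256": boot_code_digest(mbr),
        "partitions": partitions,
    }


def check_mbr(mbr: bytes, known_good_digest: str) -> List[str]:
    """Findings after a repair: structure intact, boot code identical to the
    known-good copy, exactly one active partition."""
    info = parse_mbr(mbr)
    findings = []
    if not info["valid_signature"]:
        findings.append("missing 0x55AA boot signature")
    if info["boot_code_sha256"] != known_good_digest:
        findings.append("boot code differs from known-good reference")
    if sum(p["bootable"] for p in info["partitions"]) != 1:
        findings.append("expected exactly one active partition")
    return findings


if __name__ == "__main__":
    clean = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0")     # constructed stand-in for real boot code
    reference = boot_code_digest(clean)
    altered = build_sample_mbr(b"\xeb\xfe")               # same table, different boot code
    print("clean  :", check_mbr(clean, reference) or "no findings")
    print("altered:", check_mbr(altered, reference))
```

On Windows the live sector can be read as administrator with `open(r"\\.\PhysicalDrive0", "rb").read(512)` and passed to check_mbr; reading it from within the possibly infected system is itself unreliable against a rootkit that filters disk reads, so take the sector from offline media or a second boot where possible.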

Variants