TDSS.d!mem

This page shows details and results of our analysis of the malware TDSS.d!mem.

Overview

This is a rootkit detection for the TDSS family of rootkits.



Minimum Engine: 5600.1067

File Length: Varies

Description Added: 2010-12-04

Description Modified: 2011-01-08

Malware Proliferation

Characteristics

This is a rootkit detection for the fourth generation of the TDSS family of rootkits.

TDSS.d replaces the system's Master Boot Record (MBR) with malicious code. This enables the malware to be loaded during system boot. The rootkit is also known to install various I/O Request Packet (IRP) hooks on an infected system to hide the malware.

After the installed malware has been initialized, a clean copy of the MBR is written back to sector 0 of the disk. When the infected user tries to inspect the MBR on disk in this state, the malicious MBR will not be visible.

Upon system shutdown, the malicious MBR is written back to disk so that the malware loads again on reboot.


Symptoms

  • Presence of the above-mentioned detection name.
  • Upon inspection of the MBR from a clean boot disk, the MBR image will be detected as the TDSS!mbr trojan.
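To illustrate the offline check the Symptoms section describes (and the live/offline discrepancy explained under Characteristics), here is an added Python example; it is not McAfee's tooling and contains none of the rootkit's code. It parses sector 0 and compares the MBR as read from the running system with a copy read from clean boot media; the sample sectors and their boot-code bytes are constructed placeholders, and the same comparison applies to any rootkit that hides a replaced MBR.

```python
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446           # bytes 0..445: boot loader code
PART_TABLE_OFF = 446          # four 16-byte partition entries follow
MBR_SIGNATURE = b"\x55\xaa"   # bytes 510..511: boot signature
PART_ENTRY = "<B3xB3xII"      # status, CHS start, type, CHS end, LBA start, sector count

def parse_mbr(sector):
    """Split a raw sector 0 into boot code and the non-empty partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("sector 0 must be exactly 512 bytes")
    if sector[510:512] != MBR_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        raw = sector[PART_TABLE_OFF + 16 * i:PART_TABLE_OFF + 16 * (i + 1)]
        status, ptype, lba_start, count = struct.unpack(PART_ENTRY, raw)
        if ptype:  # type 0 marks an unused slot
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": count})
    return {"boot_code": sector[:BOOT_CODE_LEN], "partitions": partitions}

def compare_views(live_sector, offline_sector):
    """Compare sector 0 as read from the running OS with a copy read from clean
    boot media. Returns findings; an empty list means the two views agree."""
    live, offline = parse_mbr(live_sector), parse_mbr(offline_sector)
    findings = []
    if live["boot_code"] != offline["boot_code"]:
        findings.append("boot code differs between live and offline views")
    if live["partitions"] != offline["partitions"]:
        findings.append("partition table differs between live and offline views")
    return findings

def make_sector(boot_code, partitions):
    """Build a constructed MBR for testing; the boot code bytes are placeholders."""
    table = b"".join(struct.pack(PART_ENTRY, *p) for p in partitions)
    return boot_code.ljust(BOOT_CODE_LEN, b"\x00") + table.ljust(64, b"\x00") + MBR_SIGNATURE

# Constructed samples: same partition table, different boot code. This mirrors the
# page's symptom, where the live view shows a clean MBR and offline media shows the other.
PARTS = [(0x80, 0x07, 2048, 1_000_000)]
CLEAN_MBR = make_sector(b"\x33\xc0\x8e\xd0\xbc\x00\x7c", PARTS)
SWAPPED_MBR = make_sector(b"\xeb\x3c\x90" * 8, PARTS)
```

On a real system the live copy would come from a raw read of the physical disk's first sector and the offline copy from the same disk read after booting clean media or from a forensic image.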


Method of Infection

TDSS.d is a generic rootkit component that can be installed by a variety of malware. It is typically installed via drive-by downloads, by browsing websites hosting exploits, or through other attack vectors.

Upon removal of the rootkit, the infected user may observe additional detection or symptoms from other malware.


Removal

All Users:

Please use the following instructions for all supported versions of Windows to remove threats and other potential risks:

1. Disable System Restore.

2. Update to current engine and DAT files for detection and removal.

3. Run a complete system scan.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

1. Please go to the Microsoft Recovery Console and restore a clean MBR.

On Windows XP:

1. Insert the Windows XP CD into the CD-ROM drive and restart the computer.
2. When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
3. Select the Windows installation that is compromised and provide the administrator password.
4. Issue the 'fixmbr' command to restore the Master Boot Record.
5. Follow the onscreen instructions.
6. Reset and remove the CD from the CD-ROM drive.

On Windows Vista and 7:

1. Insert the Windows CD into the CD-ROM drive and restart the computer.
2. Click on "Repair Your Computer".
3. When the System Recovery Options dialog comes up, choose the Command Prompt.
4. Issue the 'bootrec /fixmbr' command to restore the Master Boot Record.
5. Follow the onscreen instructions.
6. Reset and remove the CD from the CD-ROM drive.

Variants