
Virus Profile: TDSS.d!mem

Risk Assessment: Home Low | Corporate Low
Date Discovered: 12/4/2010
Date Added: 12/4/2010
Origin: N/A
Length: Varies
Type: Trojan
Subtype: Rootkit
DAT Required: 6187

Description

This is a rootkit detection for the TDSS family of rootkits.


Indication of Infection

  • Presence of the above-mentioned detection name.
  • Upon inspection of the MBR from a clean boot disk, the MBR image will be detected as TDSS!mbr trojan.


Methods of Infection

TDSS.d is a generic rootkit component that can be installed by a variety of malware. It is typically installed via drive-by downloads, browsing websites that host exploits, or other attack vectors.

Upon removal of the rootkit, the infected user may observe additional detection or symptoms from other malware.


Virus Characteristics

This is a rootkit detection for the fourth generation of the TDSS family of rootkits.

TDSS.d replaces the system's Master Boot Record (MBR) with malicious code. This enables the malware to be loaded during system boot-up. The rootkit is also known to install various I/O Request Packet (IRP) hooks on an infected system to hide malware.

After the installed malware has been initialized, a clean copy of the MBR is written back to Sector 0 of the disk. When the infected user tries to inspect the MBR on disk in this state, the malicious MBR will not be visible.

Upon system shutdown, the malicious MBR is re-written back to disk to enable the malware to load on reboot.
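The behaviour described above is why the infection indicator relies on reading the MBR from a clean boot disk: the on-disk copy seen from the running system can be the restored clean copy. The following script is an added example, not part of this McAfee profile, showing the defender-side check in practice. It parses a 512-byte MBR image (446 bytes of bootstrap code, four 16-byte partition entries, the 0x55AA signature), hashes the bootstrap-code area, and compares an image captured from the running system against a baseline captured offline. The two sample images are constructed for the demo; the function and field names are this example's own.

```python
"""
Added example (not McAfee code): parse a 512-byte MBR image and compare its
bootstrap-code area against a known-good baseline captured from a clean boot.
A changed bootstrap area with an unchanged partition table is the pattern a
bootkit leaves: the partition table must stay intact so Windows still boots,
but the code that runs first has been replaced.
"""
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_SIZE = 446
PARTITION_ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xaa"


def parse_mbr(image: bytes) -> dict:
    """Split an MBR image into bootstrap code hash, partition entries and signature check."""
    if len(image) != MBR_SIZE:
        raise ValueError(f"MBR image must be {MBR_SIZE} bytes, got {len(image)}")
    boot_code = image[:BOOT_CODE_SIZE]
    entries = []
    for i in range(4):
        off = BOOT_CODE_SIZE + i * PARTITION_ENTRY_SIZE
        # Entry layout: status, CHS start (3 bytes), type, CHS end (3 bytes),
        # LBA start (LE uint32), sector count (LE uint32). CHS fields are skipped.
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", image, off)
        entries.append({
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "sectors": sectors,
        })
    return {
        "boot_code_sha256": hashlib.sha256(boot_code).hexdigest(),
        "partitions": entries,
        "valid_signature": image[510:512] == BOOT_SIGNATURE,
    }


def compare_mbr(live: bytes, baseline: bytes) -> dict:
    """Compare the MBR as read through the running OS with an offline baseline copy."""
    live_p, base_p = parse_mbr(live), parse_mbr(baseline)
    return {
        "boot_code_changed": live_p["boot_code_sha256"] != base_p["boot_code_sha256"],
        "partition_table_changed": live[BOOT_CODE_SIZE:510] != baseline[BOOT_CODE_SIZE:510],
        "signature_ok": live_p["valid_signature"] and base_p["valid_signature"],
    }


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Construct a synthetic MBR image for the demo (not a dump of a real disk)."""
    code = boot_code.ljust(BOOT_CODE_SIZE, b"\x00")[:BOOT_CODE_SIZE]
    # One bootable NTFS (type 0x07) partition starting at LBA 2048, 1,000,000 sectors.
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00", 2048, 1_000_000)
    empty = b"\x00" * PARTITION_ENTRY_SIZE
    return code + entry + empty * 3 + BOOT_SIGNATURE


# Constructed sample data: a "clean" baseline and a copy whose bootstrap code was swapped.
CLEAN_MBR = build_sample_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"constructed-clean-loader")
TAMPERED_MBR = build_sample_mbr(b"\xeb\x3c" + b"constructed-replaced-loader")


if __name__ == "__main__":
    print(parse_mbr(CLEAN_MBR))
    print(compare_mbr(TAMPERED_MBR, CLEAN_MBR))
    # On a live Windows system the first sector can be read (as administrator) with
    # open(r"\\.\PhysicalDrive0", "rb").read(512); because the rootkit restores a
    # clean copy while running, the baseline must come from an offline/clean boot.
```

Run on a real case, the `live` image is sector 0 as read from inside Windows and `baseline` is sector 0 read from the same disk after booting from clean media; `boot_code_changed` being true while `partition_table_changed` stays false matches the MBR-replacement behaviour this profile describes.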

Removal Instructions

All Users:

Please use the following instructions for all supported versions of Windows to remove threats and other potential risks:

1. Disable System Restore.

2. Update to the current engine and DAT files for detection and removal.

3. Run a complete system scan.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed when cleaning with the recommended engine and DAT combination (or higher).

1. Please go to the Microsoft Recovery Console and restore a clean MBR.

On Windows XP:

1. Insert the Windows XP CD into the CD-ROM drive and restart the computer.
2. When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
3. Select the Windows installation that is compromised and provide the administrator password.
4. Issue the 'fixmbr' command to restore the Master Boot Record.
5. Follow the on-screen instructions.
6. Reset the computer and remove the CD from the CD-ROM drive.


On Windows Vista and 7:

1. Insert the Windows CD into the CD-ROM drive and restart the computer.
2. Click on "Repair Your Computer".
3. When the System Recovery Options dialog comes up, choose the Command Prompt.
4. Issue the 'bootrec /fixmbr' command to restore the Master Boot Record.
5. Follow the on-screen instructions.
6. Reset the computer and remove the CD from the CD-ROM drive.