Virus Characteristics
“TDSS.e!rootkit” is a detection for a rootkit that gives remote attackers access to the infected computer, consumes system resources, and monitors the user's internet activity in order to record or steal personal information.
“TDSS.e!rootkit” attempts to propagate through existing network vulnerabilities or software exploits, and also reaches out to shared drives.
“TDSS.e!rootkit” is installed without the user's permission by a trojan, which can also download and install additional malware, adware or rogue anti-spyware applications.
Upon execution it drops its files in the following location:
The important properties of TDSS.e!rootkit are listed below:
- Changes browser settings
- Shows commercial advertisements
- Connects itself to the internet
- Stays resident in background
The following registry values are modified on the system. The keys under HKEY_LOCAL_MACHINE\SOFTWARE\McAfee belong to the McAfee on-access scanner and agent that were running on the analysis machine: OASState, OASEnabled, szLastScanned and dwFilesScanned record the scanner's own state and progress, and lpc_throb holds a Unix timestamp that the agent refreshes. They change whenever the product runs and are not indicators of this infection by themselves.
- HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\DesktopProtection "OASState" = 0x00000003
- HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\DesktopProtection "OASState" = 0x00000002
- HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\SystemCore\VSCore\On Access Scanner\McShield "szLastScanned" = "%Temp%\MSI12.tmp"
- HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\SystemCore\VSCore\On Access Scanner\McShield "szLastScanned" = "%windir%\system32\wbem\Logs\wbemcore.log"
- HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\SystemCore\VSCore\On Access Scanner\McShield "dwFilesScanned" = 0x00001233
- HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\SystemCore\VSCore\On Access Scanner\McShield "dwFilesScanned" = 0x0000123D
- HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\SystemCore\VSCore\On Access Scanner\McShield\Configuration "OASEnabled" = 0x00000003
- HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\SystemCore\VSCore\On Access Scanner\McShield\Configuration "OASEnabled" = 0x00000002
- HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\Agent\lpc "lpc_throb" = "1337925579"
- HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\Agent\lpc "lpc_throb" = "1337925869"
The following user and policy values weaken the system's security settings:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "CertificateRevocation" = 0 (certificate revocation checking disabled)
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "WarnonBadCertRecving" = 0 (no warning when a site presents an invalid certificate)
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop "NoChangingWallPaper" = 1 (user cannot change the desktop wallpaper)
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments "SaveZoneInformation" = 1 (zone-of-origin information is not saved with downloaded files)
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableTaskMgr" = 1 (Task Manager disabled for the user)
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system "DisableTaskMgr" = 1 (Task Manager disabled machine-wide)
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "CheckExeSignatures" = "no" (Internet Explorer no longer checks signatures of downloaded executables)
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Use FormSuggest" = "yes" (form auto-complete enabled)
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced "Hidden" = 0 (hidden files not shown in Explorer)
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced "ShowSuperHidden" = 0 (protected operating system files not shown in Explorer)
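As an added example (not part of the original description and not McAfee tooling), the following Python script parses a registry export produced by `reg export` and flags the HKEY_CURRENT_USER and policy values listed above when they hold the weakened settings. The key paths and value names come from the list above; the sample export embedded in the script is constructed for this example, and the parser, the `hex:` continuation handling and the case-insensitive comparison are the example's own choices.

```python
"""Flag the security-weakening registry values listed above in a .reg export.

Added example for this page, not McAfee's code or tooling. Assumes the input
is the text produced by `reg export` (REGEDIT 5.00 format, UTF-16LE on disk).
"""
import re
import sys
from typing import Dict, List, Tuple

IS = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
POL = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies"
IE = r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer"
ADV = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
HKLM_POL = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system"

# (key, value name) -> (value as `reg export` writes it, what the setting weakens).
# REG_DWORD is exported as dword:XXXXXXXX, REG_SZ as a quoted string.
INDICATORS: Dict[Tuple[str, str], Tuple[str, str]] = {
    (IS, "CertificateRevocation"): ("dword:00000000", "certificate revocation checking off"),
    (IS, "WarnonBadCertRecving"): ("dword:00000000", "invalid-certificate warning off"),
    (POL + r"\ActiveDesktop", "NoChangingWallPaper"): ("dword:00000001", "wallpaper change blocked"),
    (POL + r"\Attachments", "SaveZoneInformation"): ("dword:00000001", "zone information not saved on downloads"),
    (POL + r"\System", "DisableTaskMgr"): ("dword:00000001", "Task Manager disabled (user)"),
    (HKLM_POL, "DisableTaskMgr"): ("dword:00000001", "Task Manager disabled (machine)"),
    (IE + r"\Download", "CheckExeSignatures"): ('"no"', "signature check on downloaded executables off"),
    (IE + r"\Main", "Use FormSuggest"): ('"yes"', "form auto-complete on"),
    (ADV, "Hidden"): ("dword:00000000", "hidden files not shown"),
    (ADV, "ShowSuperHidden"): ("dword:00000000", "protected system files not shown"),
}

_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
_VAL_RE = re.compile(r'^(?:"(?P<name>(?:[^"\\]|\\.)*)"|(?P<default>@))=(?P<value>.*)$')


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Parse .reg text into {key path: {value name: raw value}}.

    Raw values are kept as exported (dword:..., "...", hex:...). Multi-line
    hex values, which `reg export` continues with a trailing backslash, are
    joined before parsing. Header, comment and blank lines are skipped.
    """
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    pending = ""
    for raw in text.lstrip("\ufeff").splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):          # continuation line follows
            pending = line[:-1]
            continue
        pending = ""
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor") or line == "REGEDIT4":
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group("key")
            keys.setdefault(current, {})
            continue
        m = _VAL_RE.match(line)
        if m and current is not None:
            name = "" if m.group("default") else m.group("name").replace('\\"', '"').replace("\\\\", "\\")
            keys[current][name] = m.group("value").strip()
    return keys


def find_weakened(keys: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str, str]]:
    """Return (key, value name, raw value, reason) for each indicator whose
    weakened value is present. Paths and names compare case-insensitively,
    as the registry itself does."""
    by_key = {k.lower(): v for k, v in keys.items()}
    hits = []
    for (key, name), (bad, reason) in INDICATORS.items():
        for vname, raw in by_key.get(key.lower(), {}).items():
            if vname.lower() == name.lower() and raw.lower() == bad.lower():
                hits.append((key, name, raw, reason))
    return hits


# Constructed sample export for this example, not a capture from a real host.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000000
"CertificateRevocation"=dword:00000000
"WarnonBadCertRecving"=dword:00000000
"ConstructedBinary"=hex:01,02,03,04,05,06,07,08,\
  09,0a

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download]
"CheckExeSignatures"="no"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000001
"ShowSuperHidden"=dword:00000000
'''


def main(argv: List[str]) -> int:
    if len(argv) > 1:
        # `reg export` writes REGEDIT 5.00 files as UTF-16LE with a BOM.
        with open(argv[1], encoding="utf-16") as f:
            text = f.read()
    else:
        text = SAMPLE_REG
    hits = find_weakened(parse_reg(text))
    for key, name, raw, reason in hits:
        print(f"{key} \"{name}\" = {raw}  ({reason})")
    return 1 if hits else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Export the hives on the suspect machine with `reg export HKCU hkcu.reg` and `reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies hklm_pol.reg`, then run the script on each file; without an argument it runs against the embedded sample, where Hidden = 1 is deliberately left at a value that does not match.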
The following strings in memory indicate an infection by TDSS.e!rootkit:
- MBR
- VBR
- FILE
- BOOT
- DBG32
- DBG64
- DRV32
- DRV64
- CMD32
- CMD64
- LDR32
- LDR64
- MAIN
- AFFID
- SUBID
- PAIR
- NAME
- BUILD.
- Bad allocation
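As an added example (not from the original description), the following Python script searches a memory dump or a carved process image for the strings listed above and reports which are present. The strings are taken from the list above in the case shown there and are searched both as ASCII and as UTF-16LE; the split between distinctive and generic strings and the threshold of four distinctive hits are the example's own heuristics, because short tokens such as MBR, FILE, BOOT and NAME, and "Bad allocation" (the message of a C++ std::bad_alloc), occur in countless legitimate binaries, so a verdict should rest on the component and configuration names that rarely occur together elsewhere. The sample buffers are constructed for the example.

```python
"""Scan a memory dump or process image for the TDSS.e!rootkit strings listed above.

Added example for this page, not McAfee's code. The split into distinctive and
generic strings and the threshold of four distinctive hits are this example's
own assumptions, not something the description states.
"""
import re
import sys
from typing import Dict, List

# Component and configuration names: rarely seen together outside this family.
DISTINCTIVE = ["DBG32", "DBG64", "DRV32", "DRV64", "CMD32", "CMD64",
               "LDR32", "LDR64", "AFFID", "SUBID"]
# Common in legitimate code; "Bad allocation" is the message of a C++ std::bad_alloc.
GENERIC = ["MBR", "VBR", "FILE", "BOOT", "MAIN", "PAIR", "NAME", "BUILD", "Bad allocation"]


def find_strings(data: bytes) -> Dict[str, List[int]]:
    """Return {string: sorted offsets} for each listed string present in
    `data`, searched as ASCII and as UTF-16LE, case-sensitively as listed."""
    hits: Dict[str, List[int]] = {}
    for s in DISTINCTIVE + GENERIC:
        offsets = []
        for enc in ("ascii", "utf-16-le"):
            needle = re.escape(s.encode(enc))
            offsets.extend(m.start() for m in re.finditer(needle, data))
        if offsets:
            hits[s] = sorted(offsets)
    return hits


def assess(hits: Dict[str, List[int]], min_distinctive: int = 4) -> Dict[str, object]:
    """Summarise hits; flag when at least `min_distinctive` distinctive strings
    are present. Generic strings are reported but never decide the verdict."""
    distinctive = [s for s in DISTINCTIVE if s in hits]
    generic = [s for s in GENERIC if s in hits]
    return {"distinctive": distinctive, "generic": generic,
            "likely_tdss": len(distinctive) >= min_distinctive}


def _constructed_dump(ascii_strings: List[str], utf16_strings: List[str]) -> bytes:
    """Build a deterministic fake dump: fixed filler with the given strings
    embedded, NUL-terminated, in ASCII and in UTF-16LE respectively."""
    filler = bytes(range(256))
    buf = bytearray(filler)
    for s in ascii_strings:
        buf += s.encode("ascii") + b"\x00" + filler[:32]
    for s in utf16_strings:
        buf += s.encode("utf-16-le") + b"\x00\x00" + filler[:32]
    return bytes(buf)


# Constructed samples for this example, not real memory captures.
SAMPLE_INFECTED = _constructed_dump(
    ["MBR", "VBR", "DBG32", "DBG64", "LDR64", "AFFID", "SUBID", "Bad allocation"],
    ["DRV32", "MAIN", "NAME"])
SAMPLE_BENIGN = _constructed_dump(["MBR", "FILE", "BOOT", "NAME", "Bad allocation"], [])


def main(argv: List[str]) -> int:
    if len(argv) > 1:
        with open(argv[1], "rb") as f:
            data = f.read()
    else:
        data = SAMPLE_INFECTED
    hits = find_strings(data)
    verdict = assess(hits)
    for s in verdict["distinctive"] + verdict["generic"]:
        print(f"{s!r:18} at {[hex(o) for o in hits[s][:4]]}")
    print("likely TDSS" if verdict["likely_tdss"] else "no conclusive strings")
    return 1 if verdict["likely_tdss"] else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python tdss_strings.py memory.dmp`; without an argument it scans the embedded infected sample. For a full physical-memory image, reading the file in chunks (with overlap of a few bytes so a string spanning a chunk boundary is not missed) keeps memory use bounded.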
The malware survives a reboot by infecting a randomly chosen system driver (usually located in %windir%\system32\drivers); this variant mostly infects VOLSNAP.SYS. A driver patched in this way no longer passes Authenticode signature verification, so comparing the file's signature and hash against a known-good copy is a reliable confirmation, best done from offline media, since a rootkit can hide its changes from the running system.