Virus Characteristics
TDSS.f!rootkit is the detection name for a dropper that carries the actual infector in its resource section in encrypted form. On execution, the dropper decrypts the infector and replaces its own image with the decrypted infector.
Before infecting the system, TDSS.f checks whether it is running in a controlled (analysis) environment.
Upon execution it drops the following files:
- %Temp%\1.tmp
- %Temp%\googleupdate.exe
The following registry values are modified on the system (where a value is listed twice, the two lines are successive observed values):
- HKEY_USERS\S-1-5-[varies]\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = 1
- HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\DesktopProtection\OASState = 0x00000003
- HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\DesktopProtection\OASState = 0x00000002
- HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\SystemCore\VSCore\On Access Scanner\McShield\szLastScanned = "%Temp%\MSI12.tmp"
- HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\SystemCore\VSCore\On Access Scanner\McShield\szLastScanned = "%windir%\system32\wbem\Logs\wbemcore.log"
- HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\SystemCore\VSCore\On Access Scanner\McShield\dwFilesScanned = 0x00001233
- HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\SystemCore\VSCore\On Access Scanner\McShield\dwFilesScanned = 0x0000123D
- HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\SystemCore\VSCore\On Access Scanner\McShield\Configuration\OASEnabled = 0x00000003
- HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\SystemCore\VSCore\On Access Scanner\McShield\Configuration\OASEnabled = 0x00000002
- HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\Agent\lpc\lpc_throb = "1337925579"
- HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\Agent\lpc\lpc_throb = "1337925869"
Note that the values under HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\ (on-access scanner state, last-scanned file, files-scanned counter and the agent lpc_throb timestamp) are bookkeeping maintained by the McAfee scanner and agent installed on the analysis host; they change whenever the scanner is active and should not be used on their own as indicators of this threat. The ProxyBypass change is the indicator attributable to the malware.
The following strings in memory confirm an infection by TDSS.f!rootkit:
- MBR
- VBR
- FILE
- BOOT
- DBG32
- DBG64
- DRV32
- DRV64
- CMD32
- CMD64
- LDR32
- LDR64
- MAIN
- AFFID
- SUBID
- PAIR
- NAME
- BUILD
- Bad allocation
When using these strings for detection, treat them as a set rather than individually: short tokens such as FILE, BOOT, MAIN and NAME occur in almost any binary, and "Bad allocation" is the message text of the Microsoft C++ runtime's std::bad_alloc exception, present in countless legitimate programs. The platform-suffixed names (DBG32/DBG64, DRV32/DRV64, CMD32/CMD64, LDR32/LDR64) together with AFFID and SUBID are the distinctive part of the set.
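As an added example (not code from the original page or from McAfee), the following Python script scans a memory dump or a driver file such as VOLSNAP.SYS for the marker strings listed above. It matches each marker only as a whole token (not embedded in a longer word such as FILENAME or BOOTSTRAP), leaves out the generic "Bad allocation" string, and only reports a file as suspicious when several of the distinctive platform-suffixed markers are present together. The sample buffers at the bottom are constructed for illustration; the threshold of three strong markers is an assumption, not a value from the page.

```python
import re
import sys
from pathlib import Path

# Marker strings from the description above. "Bad allocation" is deliberately
# omitted: it is the MSVC runtime's std::bad_alloc message and appears in
# countless legitimate binaries.
TDSS_MARKERS = [
    b"MBR", b"VBR", b"FILE", b"BOOT",
    b"DBG32", b"DBG64", b"DRV32", b"DRV64",
    b"CMD32", b"CMD64", b"LDR32", b"LDR64",
    b"MAIN", b"AFFID", b"SUBID", b"PAIR", b"NAME", b"BUILD",
]

# Short generic tokens (FILE, BOOT, MAIN, NAME, ...) match in almost any
# binary, so only the platform-suffixed names plus AFFID/SUBID count as
# strong evidence.
STRONG_MARKERS = {
    b"DBG32", b"DBG64", b"DRV32", b"DRV64",
    b"CMD32", b"CMD64", b"LDR32", b"LDR64",
    b"AFFID", b"SUBID",
}


def find_markers(data: bytes) -> dict:
    """Map each marker found in `data` to the list of offsets where it occurs.

    A marker only counts as a whole token: it must not be directly preceded or
    followed by another upper-case letter or digit.
    """
    hits = {}
    for marker in TDSS_MARKERS:
        pattern = rb"(?<![A-Z0-9])" + re.escape(marker) + rb"(?![A-Z0-9])"
        offsets = [m.start() for m in re.finditer(pattern, data)]
        if offsets:
            hits[marker.decode()] = offsets
    return hits


def assess(data: bytes, min_strong: int = 3) -> dict:
    """Scan `data` and decide whether it looks infected.

    `min_strong` (assumed threshold, not from the page) is the number of
    distinct strong markers required before the buffer is flagged.
    """
    hits = find_markers(data)
    strong = sorted(name for name in hits if name.encode() in STRONG_MARKERS)
    return {
        "hits": hits,
        "strong": strong,
        "suspicious": len(strong) >= min_strong,
    }


def scan_file(path: str, min_strong: int = 3) -> dict:
    """Read a whole file (drivers and small dumps fit in memory) and assess it."""
    return assess(Path(path).read_bytes(), min_strong)


# Constructed sample buffers (not real malware or driver contents).
SAMPLE_INFECTED = (
    b"\x00" * 16
    + b"MBR\x00VBR\x00DRV32\x00DRV64\x00CMD32\x00CMD64\x00"
    + b"LDR32\x00LDR64\x00MAIN\x00AFFID\x00SUBID\x00"
    + b"\x00" * 16
)
# Tokens embedded in longer words must not match, and "Bad allocation" alone
# is not evidence of anything.
SAMPLE_CLEAN = b"MZ\x90\x00Bad allocation\x00FILENAME\x00BOOTSTRAP\x00MAINFRAME\x00"


if __name__ == "__main__":
    targets = sys.argv[1:]
    if not targets:
        for label, buf in (("constructed infected", SAMPLE_INFECTED),
                           ("constructed clean", SAMPLE_CLEAN)):
            print(label, assess(buf))
    for target in targets:
        result = scan_file(target)
        verdict = "SUSPICIOUS" if result["suspicious"] else "no strong markers"
        print(f"{target}: {verdict}; strong markers: {result['strong']}")
```

Run it with no arguments to see the two constructed samples assessed, or pass one or more paths (for example a copy of %windir%\system32\drivers\VOLSNAP.SYS or a process memory dump) to scan real files. A hit on the short generic tokens alone is reported in `hits` but never flips `suspicious`.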
The malware persists across reboots by infecting a randomly chosen system driver (usually located under %windir%\system32\drivers). This particular variant most often infects VOLSNAP.SYS.