For Consumer

Virus Profile: TDSS.f!rootkit

Threat Search
Print
   
Virus Profile information details
Risk Assessment: Home Low | Corporate Low
Date Discovered: 11/22/2011
Date Added: 11/22/2011
Origin: N/A
Length: Varies
Type: Virus
Subtype: Rootkit
DAT Required: 6538
Removal Instructions
   
 
 
   

Description

"TDSS", is the name of a family of rootkits for the Windows operating system that download and execute other malware, delivers advertisements to your computer, and block programs from running. This rootkit infects your computer in various ways that include replacing hard disk drivers with malicious versions. Once a computer is infected, TDSS will be invisible to Windows and anti-malware programs while downloading and executing further malware and delivering advertisements to your computer.

Aliases

  • Kaspersky - HEUR:Trojan.Win32.Generic
  • NOD32  - a variant of Win32/Kryptik.VOO
  • Symantec  - Trojan.Gen.2
  • Microsoft - Trojan:Win32/Alureon.FE

Indication of Infection

Presence of above mentioned activities and strings in memory.

Also the infected machine might make out bound connections to the following list of domains.

  • hxxps://ni[Removed]dden.in/
  • hxxps://91.[Removed].226.67/
  • hxxps://li[Removed]6b0.com/
  • hxxps://zz[Removed]a88.com/
  • hxxps://n1[Removed]53.com/
  • hxxps://01[Removed]00.cc/
  • hxxps://lj[Removed]b0.com/
  • hxxp://cli[Removed]bn.com/
  • hxxp://th[Removed]eg.com/
  • hxxp://ij[Removed]se.com/

 

Methods of Infection

TDSS spreads by using affiliate marketing programs. Most affiliate marketing programs spreading malicious code use a Pay per Install model which means the amount earned by the malware author depends on the number and the location of the machines it infects.
   

Virus Characteristics

TDSS.f! rootkit” is the Detection dropper also carries actual infector in its resource section in an encrypted form. The actual infector is first decrypted and the dropper image is replaced with the decrypted infector.

Also Before infection, TDSS.f checks whether it is running in controlled environment.

Upon execution it drops the files in the below location:

  • %Temp%\1.tmp
  • %Temp%\ googleupdate.exe

And the following registry values has been modified to the system

  • HKEY_USER\S-1-5-[varies]\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass =1
  • HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\DesktopProtection\
    “OASState” = “ 0x00000003”
  • HKEY_LOCAL_MACHINE \SOFTWARE\McAfee\DesktopProtection\OASState: 0x00000002
  • HKEY_LOCAL_MACHINE \SOFTWARE\McAfee\SystemCore\VSCore\On Access Scanner\McShield\szLastScanned = "%Temp%\MSI12.tmp"
  • HKEY_LOCAL_MACHINE \SOFTWARE\McAfee\SystemCore\VSCore\On Access Scanner\McShield\szLastScanned: "%windir%\system32\wbem\Logs\wbemcore.log"
  • HKEY_LOCAL_MACHINE \SOFTWARE\McAfee\SystemCore\VSCore\On Access Scanner\McShield\dwFilesScanned: 0x00001233
  • HKEY_LOCAL_MACHINE \SOFTWARE\McAfee\SystemCore\VSCore\On Access Scanner\McShield\dwFilesScanned: 0x0000123D
  • HKEY_LOCAL_MACHINE \SOFTWARE\McAfee\SystemCore\VSCore\On Access Scanner\McShield\Configuration\OASEnabled: 0x00000003
  • HKEY_LOCAL_MACHINE \SOFTWARE\McAfee\SystemCore\VSCore\On Access Scanner\McShield\Configuration\OASEnabled: 0x00000002
  • HKEY_LOCAL_MACHINE \SOFTWARE\McAfee\Agent\lpc\lpc_throb: "1337925579"
  • HKEY_LOCAL_MACHINE \SOFTWARE\McAfee\Agent\lpc\lpc_throb: "1337925869"

The below memory string confirms the infection of TDSS.f!rootkit

  • MBR
  • VBR
  • FILE
  • BOOT
  • DBG32
  • DBG64
  • DRV32
  • DRV64
  • CMD32
  • CMD64
  • LDR32
  • LDR64
  • MAIN
  • AFFID
  • SUBID
  • PAIR
  • NAME
  • BUILD.
  • Bad allocation

The malware restarts by randomly infecting a system driver (usually located in %windir%/system32/drivers). This particular variant mostly infects the file VOLSNAP.SYS

   

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).