Virus Profile: TDSS.e!rootkit

Virus Profile information details
Risk Assessment: Home Medium | Corporate Medium
Date Discovered: 4/21/2011
Date Added: 4/21/2011
Origin: N/A
Length: Varies
Type: Virus
Subtype: Rootkit
DAT Required: 6323


TDSS is the name of a family of rootkits for the Windows operating system that download and execute other malware, deliver advertisements to your computer, and block programs from running. This rootkit infects your computer in various ways, including replacing hard disk drivers with malicious versions. Once a computer is infected, TDSS is invisible to Windows and anti-malware programs while it downloads and executes further malware and delivers advertisements to your computer.


  • Kaspersky - HEUR:Trojan.Win32.Generic
  • NOD32 - a variant of Win32/Kryptik.VOO
  • Symantec - Trojan.Gen.2
  • Microsoft - Trojan:Win32/Alureon.FE

Indication of Infection

  • Presence of above mentioned activities and strings in memory.
  • Google Searches are redirected.
  • Browser homepage settings changed.
  • The computer and the Internet connection slow down.

Methods of Infection

TDSS spreads by using affiliate marketing programs. Most affiliate marketing programs that spread malicious code use a pay-per-install model, which means the amount earned by the malware author depends on the number and the location of the machines it infects.

Virus Characteristics

TDSS.e!rootkit is a detection for malware designed to allow remote access to your computer, occupy a large share of system resources, and trace your Internet habits in order to record or steal your personal information.

TDSS.e!rootkit attempts to propagate through existing network vulnerabilities or software exploits. TDSS.e!rootkit links up to a shared drive, all this virus has nothing but files.

TDSS.e!rootkit is installed without the user's permission by trojans, which can also download and install additional malware, adware or even rogue anti-spyware applications.

Upon execution it drops a file in the following location:

  • %Temp%\F.tmp

The main properties of TDSS.e!rootkit are listed below:

  • Changes browser settings
  • Shows commercial advertisements
  • Connects itself to the internet
  • Stays resident in background

The following registry values are modified on the system:

  • HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\DesktopProtection\OASState: 0x00000003
  • HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\DesktopProtection\OASState: 0x00000002
  • HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\SystemCore\VSCore\On Access Scanner\McShield\szLastScanned = "%Temp%\MSI12.tmp"
  • HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\SystemCore\VSCore\On Access Scanner\McShield\szLastScanned: "%windir%\system32\wbem\Logs\wbemcore.log"
  • HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\SystemCore\VSCore\On Access Scanner\McShield\dwFilesScanned: 0x00001233
  • HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\SystemCore\VSCore\On Access Scanner\McShield\dwFilesScanned: 0x0000123D
  • HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\SystemCore\VSCore\On Access Scanner\McShield\Configuration\OASEnabled: 0x00000003
  • HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\SystemCore\VSCore\On Access Scanner\McShield\Configuration\OASEnabled: 0x00000002
  • HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\Agent\lpc\lpc_throb: "1337925579"
  • HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\Agent\lpc\lpc_throb: "1337925869"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "CertificateRevocation" = '0'
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "WarnonBadCertRecving" = '0'
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop "NoChangingWallPaper" = '1'
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments "SaveZoneInformation" = '1'
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableTaskMgr" = '1'
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system "DisableTaskMgr" = '1'
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "CheckExeSignatures" = 'no'
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Use FormSuggest" = 'yes'
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced "Hidden" = '0'
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced "ShowSuperHidden" = '0'
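
As an added example (not part of the original profile or of any McAfee tool), the Python below checks a decoded registry export for the Windows and Internet Explorer settings listed above; the McAfee product keys are left out because the profile lists two values for each. The function names and the sample export are constructed for illustration.

```python
import re

HKCU_CV = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
HKCU_IE = r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer"
# Key -> {value name: value}, copied from the profile's list of modified settings.
LISTED = {
    HKCU_CV + r"\Internet Settings": {"CertificateRevocation": "0", "WarnonBadCertRecving": "0"},
    HKCU_CV + r"\Policies\ActiveDesktop": {"NoChangingWallPaper": "1"},
    HKCU_CV + r"\Policies\Attachments": {"SaveZoneInformation": "1"},
    HKCU_CV + r"\Policies\System": {"DisableTaskMgr": "1"},
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system": {"DisableTaskMgr": "1"},
    HKCU_IE + r"\Download": {"CheckExeSignatures": "no"},
    HKCU_IE + r"\Main": {"Use FormSuggest": "yes"},
    HKCU_CV + r"\Explorer\Advanced": {"Hidden": "0", "ShowSuperHidden": "0"},
}

def parse_reg_export(text):
    """Parse decoded .reg export text into {(key, name): value}, all lower-cased."""
    values, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
        elif key and (m := re.match(r'"([^"]+)"=(.+)$', line)):
            raw = m.group(2)
            # REG_DWORD is exported as hex; normalise to decimal text for comparison.
            value = str(int(raw[6:], 16)) if raw.startswith("dword:") else raw.strip('"')
            values[(key, m.group(1).lower())] = value.lower()
    return values

def listed_settings_present(reg_text):
    """Return (key, name, value) for each profile-listed setting found in the export."""
    found = parse_reg_export(reg_text)
    return [(key, name, want) for key, names in LISTED.items()
            for name, want in names.items()
            if found.get((key.lower(), name.lower())) == want]

# Constructed sample export (regedit writes UTF-16; decode before passing it in).
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download]
"CheckExeSignatures"="no"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000001
"ShowSuperHidden"=dword:00000000
'''

if __name__ == "__main__":
    print(*listed_settings_present(SAMPLE), sep="\n")
```

A match is triage input rather than proof: any of these values can also be set by an administrator or user on a clean system.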

The following strings in memory confirm infection by TDSS.e!rootkit:

  • MBR
  • VBR
  • FILE
  • BOOT
  • DBG32
  • DBG64
  • DRV32
  • DRV64
  • CMD32
  • CMD64
  • LDR32
  • LDR64
  • MAIN
  • PAIR
  • NAME
  • BUILD.
  • Bad allocation

The malware restarts by randomly infecting a system driver (usually located in %windir%\system32\drivers). This particular variant mostly infects the file VOLSNAP.SYS.


All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

