Rootkit.TDSS Description
Rootkit.TDSS was first detected in 2008. According to ESG security researchers, Rootkit.TDSS is infamous because of its ability to stay hidden within an infected computer system for years without being detected. This makes Rootkit.TDSS a malware infection that is particularly difficult to remove from a computer. Rootkit.TDSS first came to be known by this name because early versions of this rootkit contained the string TDSS in many of its components, although this has since been changed in order to make the rootkit more difficult to remove. Rootkit.TDSS seldom attacks alone and is often associated with other malware such as Backdoor.Tidserv, and especially with DNS changers. Early versions of Rootkit.TDSS are formed of three main parts: the rootkit, the dropper, and a .DLL file. Working together, these three components created an extremely dangerous trio with the ability to hide very effectively. As Rootkit.TDSS evolved, it started to be delivered in standalone executable files, although the same kinds of components are executed.
Once the Rootkit.TDSS executable is run, it drops a .TMP file in the Temp folder, which then installs the other malicious components that make up this dangerous rootkit infection. First it registers as a Windows service by copying and corrupting a legitimate Windows .DLL file. Then Rootkit.TDSS uses a security vulnerability in Windows that allows this .DLL file to be treated by the operating system as a legitimate Windows service. Once this happens, the rootkit infection can create the essential rootkit component within the system drivers. This rootkit component serves to hide all other malicious files and processes associated with Rootkit.TDSS or with other malware that is bundled along with this dangerous rootkit infection. Rootkit.TDSS also has the capacity to start, stop, and hide other files and processes (allowing Rootkit.TDSS to stop legitimate anti-virus applications).
Once everything is in place, Rootkit.TDSS can download other files in order to configure itself or to install other malware on the infected computer system. Rootkit.TDSS can display pop-up windows, severely disrupt the system, steal confidential information, relay it to a remote server, and perform other dangerous operations associated with the worst malware threats. Some of the most recent variants of Rootkit.TDSS contain several layers of encryption, which can make removal of this malware threat extremely difficult. ESG security researchers have found that it is essential to remove the rootkit component of this three-part infection first in order to gain access to all the malware that may be hiding under the hood.
Type: Rootkits
How Can You Detect Rootkit.TDSS?
Rootkit.TDSS Removal Details
Rootkit.TDSS typically has the following processes in memory:
Rootkit.TDSS creates the following files in the system:
Rootkit.TDSS creates the following registry entries:
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\4DW4R3
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\_VOIDd.sys
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\_VOID[RANDOM]
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UACd.sys
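As an added defender-side triage check (this script is not part of the original article and is not an ESG tool), the following PowerShell looks for two things the description above implies: service registrations and dropped files whose names match the prefixes used in this page's indicators (4DW4R3, UAC, _VOID, TDSS), and drivers that are registered as services in the registry but cannot be seen on disk, which is the hiding behaviour the rootkit component provides. The prefix pattern and the directories scanned are assumptions drawn from the indicators listed here; any hit is a lead for offline or boot-disk analysis, not proof of infection.

```powershell
# Added example, not from the original article. The prefixes below are an
# assumption derived from the file and service names this page lists for
# Rootkit.TDSS; they are coarse, so treat a match as a lead, not a verdict.
$patterns = '^(4DW4R3|UAC|_VOID|TDSS)'
$sysRoot  = $env:SystemRoot
$findings = @()

# 1. Service registrations: the rootkit installs its driver as a Windows service.
Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
  ForEach-Object {
    $name  = $_.PSChildName
    $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
    $image = $props.ImagePath
    if ($name -match $patterns) {
      $findings += "Service name matches TDSS pattern: $name (ImagePath=$image)"
    }
    if ($image) {
      # Normalise the common ImagePath forms (\??\C:\..., \SystemRoot\..., system32\...)
      $path = $image.Trim('"') -replace '^\\\?\?\\', '' `
                               -replace '^\\SystemRoot', $sysRoot `
                               -replace '^system32', "$sysRoot\system32"
      $path = [Environment]::ExpandEnvironmentVariables($path)
      # A driver that the registry points at but the file system cannot show is
      # the classic symptom of the file-hiding component described above.
      if ($path -match '\.sys$' -and -not (Test-Path -LiteralPath $path)) {
        $findings += "Driver registered but not visible on disk: $name -> $path"
      }
    }
  }

# 2. Dropped files: scan the directories where this page places TDSS components.
$dirs = @("$sysRoot\system32", "$sysRoot\system32\drivers", "$sysRoot\Temp", $env:TEMP)
foreach ($d in $dirs) {
  Get-ChildItem -LiteralPath $d -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match $patterns -and
                   $_.Extension -in '.dll', '.sys', '.dat', '.db', '.tmp' } |
    ForEach-Object { $findings += "Suspicious file: $($_.FullName)" }
}

if ($findings) {
  $findings | Sort-Object -Unique
} else {
  'No TDSS-pattern indicators found (a live scan can still be blinded by the rootkit).'
}
```

Because the rootkit hides its own files and can stop security tools, a clean result from a live system is weak evidence; repeat the file checks from a boot disk or offline image, where the hiding driver is not loaded.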