Rootkit.TDSS

By GoldSparrow in Rootkits

Translate To:

Threat Scorecard

Threat Level:	80 % (High)
Infected Computers:	399

First Seen:	November 30, 2010
OS(es) Affected:	Windows

The TDSS Rootkit has become extremely widespread since TDSS Rootkit's beginnings in 2008. PC security analysts indicate that this rootkit presents exceptional difficulties for TDSS Rootkit's study and treatment because of TDSS Rootkit's very nature. The TDSS Rootkit infects drivers, meaning that TDSS Rootkit is loaded before the operating system itself. This implies an infection that is very deep and very challenging to remove. Usually, specialized tools are needed to detect and remove the TDSS Rootkit from an infected computer system.

Table of Contents

The History of the TDSS Rootkit

The first versions of the TDSS Rootkit are known as TDL-1 or Rootkit.Win32.Clbd.a, because of TDSS Rootkit's ability to infect the driver clbdriver-sys and the clbdll.dll DLL file. Some parts of the original TDSS Rootkit remain in today's newest versions of this extremely dangerous infection. TDL-1 has the capability of hiding itself and other files, executing high-level functions, and injecting malicious code. The TDSS Rootkit also protects itself by displaying an error message reading "STATUS_TOO_MANY_SECRETS" when trying to open the directories needed to remove this rootkit.

The next version of the TDSS Rootkit, TDL-2 made its appearance in spring of 2009. Its main feature is that the rootkit was encrypted to make it much harder for security researchers to analyze TDSS Rootkit. The hackers behind the TDSS Rootkit also included random segments from Shakespeare's Hamlet to confuse researchers further.

In the autumn of 2009, the next generation of the TDSS Rootkit started appearing. Security researchers indicate that the TDL-3 generation of the TDSS Rootkit is particularly malignant and especially hard to remove. The main trouble with TDL-3 is the fact the hackers behind it update TDSS Rootkit constantly. There is a constant arms race between the PC security experts and the hackers; with each advancement in anti-rootkit technology, the hackers release a new update to undo it.

The TDSS Rootkit and Online Scams

Hackers use the TDSS Rootkit to make money through affiliate marketing. While affiliate marketing can be a completely legal activity, the hackers' version of affiliate marketing involves attracting visitors and unwary victims to infected websites associated with various kinds of malware. The TDSS Rootkit is also strongly related to large botnets, typically with a number close to twenty thousand infected computers, which are sold or rented out to criminal organizations. The creators of the TDSS Rootkit are thought to be from the Russian Federation. The TDSS Rootkit botnets have been used for a wide range of criminal activities, from DDoS attacks to sending massive amounts of spam emails.

Aliases

15 security vendors flagged this file as malicious.

Anti-Virus Software	Detection
Panda	Generic Trojan
AVG	Generic16.BRWH
Symantec	Hacktool.Rootkit
Sophos	Mal/Generic-A
TrendMicro	BKDR_TIDIES.SMA
AntiVir	TR/Agent.42496.27
BitDefender	Trojan.Generic.3238155
Avast	Win32:Jifas-DT
NOD32	a variant of Win32/Olmarik.SR
CAT-QuickHeal	Trojan.Agent.ATV
McAfee+Artemis	DNSChanger!dd
eTrust-Vet	Win32/ASuspect.HGOJO
AntiVir	TR/Crypt.XPACK.Gen3
NOD32	Win32/Olmarik.XH
Avast	Win32:Rootkit-gen

SpyHunter Detects & Remove Rootkit.TDSS

File System Details

Rootkit.TDSS may create the following file(s):

Expand All | Collapse All

#	File Name	MD5	Detections Detections: The number of confirmed and suspected cases of a particular threat detected on infected computers as reported by SpyHunter.
1.	PRAGMAd.sys	4fc1255817092de5c285440cf477035e	98
Name: PRAGMAd.sys MD5: 4fc1255817092de5c285440cf477035e Size: 52.73 KB (52736 bytes) Detections: 98 Type: System file Path: %WINDIR%\PRAGMAxtcorpftkp\ Group: Malware file Last Updated: November 30, 2010
2.	PRAGMAd.sys	afc6795bb909749f446f57e36f7b33e3	64
Name: PRAGMAd.sys MD5: afc6795bb909749f446f57e36f7b33e3 Size: 52.22 KB (52224 bytes) Detections: 64 Type: System file Path: %WINDIR%\PRAGMAqwbuxotqhp\ Group: Malware file Last Updated: December 1, 2010
3.	PRAGMAd.sys	4a2dccdd2a14acce0dc2bcfc01b01b15	46
Name: PRAGMAd.sys MD5: 4a2dccdd2a14acce0dc2bcfc01b01b15 Size: 44.54 KB (44544 bytes) Detections: 46 Type: System file Path: %WINDIR%\PRAGMAixjipouowq\ Group: Malware file Last Updated: December 9, 2010
4.	PRAGMAd.sys	1d177f19440f4b4be104adcce3341685	30
Name: PRAGMAd.sys MD5: 1d177f19440f4b4be104adcce3341685 Size: 52.22 KB (52224 bytes) Detections: 30 Type: System file Path: %WINDIR%\PRAGMAlnosexnsts\ Group: Malware file Last Updated: November 30, 2010
5.	PRAGMAd.sys	fd8913513a87ed566c8c47f7cf2961c0	25
Name: PRAGMAd.sys MD5: fd8913513a87ed566c8c47f7cf2961c0 Size: 45.05 KB (45056 bytes) Detections: 25 Type: System file Path: %WINDIR%\PRAGMApxetrxtnwm\ Group: Malware file Last Updated: December 8, 2010
6.	PRAGMAd.sys	421af6709d670e5b97a8c37e80144343	22
Name: PRAGMAd.sys MD5: 421af6709d670e5b97a8c37e80144343 Size: 44.54 KB (44544 bytes) Detections: 22 Type: System file Path: %WINDIR%\PRAGMAugxnkfyymt\ Group: Malware file Last Updated: December 8, 2010
7.	memchek.sys	1ca0d8ee82db8012de42b16f2ef69674	14
Name: memchek.sys MD5: 1ca0d8ee82db8012de42b16f2ef69674 Size: 2.43 KB (2432 bytes) Detections: 14 Type: System file Path: %WINDIR%\system32\ Group: Malware file Last Updated: December 7, 2010
8.	usbxbox.sys	b3da42dfcd9851c24c9b09b8c188266d	13
Name: usbxbox.sys MD5: b3da42dfcd9851c24c9b09b8c188266d Size: 2.3 KB (2304 bytes) Detections: 13 Type: System file Path: %WINDIR%\system32\ Group: Malware file Last Updated: December 8, 2010
9.	diskchk.sys	e94d859753bb68f113b88e8b78607776	11
Name: diskchk.sys MD5: e94d859753bb68f113b88e8b78607776 Size: 2.43 KB (2432 bytes) Detections: 11 Type: System file Path: %WINDIR%\system32\ Group: Malware file Last Updated: December 8, 2010
10.	PRAGMAd.sys	4a672d94142ea8056ff589377fb8339b	10
Name: PRAGMAd.sys MD5: 4a672d94142ea8056ff589377fb8339b Size: 45.05 KB (45056 bytes) Detections: 10 Type: System file Path: %WINDIR%\PRAGMAxnsvrxcpxx\ Group: Malware file Last Updated: December 8, 2010
11.	PRAGMAd.sys	0d72febb1914c0d7a379b9cc2f6bb8ff	10
Name: PRAGMAd.sys MD5: 0d72febb1914c0d7a379b9cc2f6bb8ff Size: 52.73 KB (52736 bytes) Detections: 10 Type: System file Path: %WINDIR%\PRAGMAvnmxjnvxei\ Group: Malware file Last Updated: December 7, 2010
12.	PRAGMAd.sys	a3f92e9bf557198dc39d4045d2ec2144	8
Name: PRAGMAd.sys MD5: a3f92e9bf557198dc39d4045d2ec2144 Size: 44.54 KB (44544 bytes) Detections: 8 Type: System file Path: %WINDIR%\PRAGMApibcjxomti\ Group: Malware file Last Updated: December 9, 2010
13.	PRAGMAd.sys	0aeb71ef75d921539e6e02dfa2c12e08	8
Name: PRAGMAd.sys MD5: 0aeb71ef75d921539e6e02dfa2c12e08 Size: 52.22 KB (52224 bytes) Detections: 8 Type: System file Path: %WINDIR%\PRAGMApvqvprupfd\ Group: Malware file Last Updated: December 7, 2010
14.	tcppid.sys	c72311b8d604a3e3e9b36df733f30843	7
Name: tcppid.sys MD5: c72311b8d604a3e3e9b36df733f30843 Size: 2.3 KB (2304 bytes) Detections: 7 Type: System file Path: %WINDIR%\system32\ Group: Malware file Last Updated: December 8, 2010
15.	PRAGMAd.sys	184110fe4f5c6a4416b9decee90a2d9f	6
Name: PRAGMAd.sys MD5: 184110fe4f5c6a4416b9decee90a2d9f Size: 44.54 KB (44544 bytes) Detections: 6 Type: System file Path: %WINDIR%\PRAGMApmbiquqdri\ Group: Malware file Last Updated: December 8, 2010
16.	isaxbox.sys	5a7eef7dcdae6912afe7f50983d5520f	5
Name: isaxbox.sys MD5: 5a7eef7dcdae6912afe7f50983d5520f Size: 2.3 KB (2304 bytes) Detections: 5 Type: System file Path: %WINDIR%\system32\ Group: Malware file Last Updated: December 8, 2010
17.	PRAGMAd.sys	c907276d48943001a4745b6d4e254c13	3
Name: PRAGMAd.sys MD5: c907276d48943001a4745b6d4e254c13 Size: 52.73 KB (52736 bytes) Detections: 3 Type: System file Path: %WINDIR%\PRAGMApornnkiniw\ Group: Malware file Last Updated: December 7, 2010
18.	PRAGMAd.sys	9d39fe1b36199d5717cae14ed3680e67	3
Name: PRAGMAd.sys MD5: 9d39fe1b36199d5717cae14ed3680e67 Size: 52.22 KB (52224 bytes) Detections: 3 Type: System file Path: %WINDIR%\PRAGMAnnospwidri\ Group: Malware file Last Updated: December 6, 2010
19.	PRAGMAd.sys	e671ab67d233cb4e87b1b679a92a0ed0	2
Name: PRAGMAd.sys MD5: e671ab67d233cb4e87b1b679a92a0ed0 Size: 52.22 KB (52224 bytes) Detections: 2 Type: System file Path: %WINDIR%\PRAGMAvidnlqenxr\ Group: Malware file Last Updated: January 5, 2011
20.	PRAGMAd.sys	e2c5ffec5eb9612eea2d5ce22fdcfe09	2
Name: PRAGMAd.sys MD5: e2c5ffec5eb9612eea2d5ce22fdcfe09 Size: 52.22 KB (52224 bytes) Detections: 2 Type: System file Path: %WINDIR%\PRAGMAnndmnxwdei\ Group: Malware file Last Updated: December 9, 2010
21.	PRAGMAd.sys	b52194d21487e3cf2178950228552ac5	2
Name: PRAGMAd.sys MD5: b52194d21487e3cf2178950228552ac5 Size: 52.73 KB (52736 bytes) Detections: 2 Type: System file Path: %WINDIR%\PRAGMAhxbqfgeixn\ Group: Malware file Last Updated: December 7, 2010
22.	PRAGMAd.sys	aca6e953ff8d2f536fd1d297e0486734	2
Name: PRAGMAd.sys MD5: aca6e953ff8d2f536fd1d297e0486734 Size: 52.22 KB (52224 bytes) Detections: 2 Type: System file Path: %WINDIR%\PRAGMAqvtiqrnstb\ Group: Malware file Last Updated: December 7, 2010
23.	PRAGMAd.sys	2b5b356793a655697edd8c58b2964fe2	2
Name: PRAGMAd.sys MD5: 2b5b356793a655697edd8c58b2964fe2 Size: 52.22 KB (52224 bytes) Detections: 2 Type: System file Path: %WINDIR%\PRAGMAqvcxtabdmb\ Group: Malware file Last Updated: December 7, 2010
24.	PRAGMAd.sys	f4c09fd7833565264f8feb1349a558a1	1
Name: PRAGMAd.sys MD5: f4c09fd7833565264f8feb1349a558a1 Size: 52.73 KB (52736 bytes) Detections: 1 Type: System file Path: %WINDIR%\PRAGMAydxtdcaetm\ Group: Malware file Last Updated: December 7, 2010
25.	PRAGMAd.sys	0cc76a2452fabfa4d6e98082d415201e	1
Name: PRAGMAd.sys MD5: 0cc76a2452fabfa4d6e98082d415201e Size: 52.73 KB (52736 bytes) Detections: 1 Type: System file Path: %WINDIR%\PRAGMAdbwuymbfgq\ Group: Malware file Last Updated: December 7, 2010
26.	PRAGMAd.sys	90046fd8e3bee623a26dfccb6a602746	1
Name: PRAGMAd.sys MD5: 90046fd8e3bee623a26dfccb6a602746 Size: 53.24 KB (53248 bytes) Detections: 1 Type: System file Path: %WINDIR%\PRAGMAintmixopan\ Group: Malware file Last Updated: December 7, 2010
27.	_VOIDhrotxiltat.sys	89b56f6143f7c1ad44cd10f46700b9da	1
Name: _VOIDhrotxiltat.sys MD5: 89b56f6143f7c1ad44cd10f46700b9da Size: 42.49 KB (42496 bytes) Detections: 1 Type: System file Path: %WINDIR%\System32\drivers\ Group: Malware file Last Updated: October 14, 2011

EnigmaSoft Releases NEW SpyHunter Pro to Fight Malware, Enhance Privacy Protection, & Optimize PCs

Search

Change Region

Rootkit.TDSS

Threat Scorecard

EnigmaSoft Threat Scorecard

The History of the TDSS Rootkit

The TDSS Rootkit and Online Scams

Aliases

SpyHunter Detects & Remove Rootkit.TDSS

File System Details

Submit Comment

Trending

'Your PC ran into a problem and needs to restart' Error

GoBruteforcer Malware

BlackSuit Ransomware

Most Viewed

AntiMalware

DNS Unlocker

Antivirus Security Pro