Rootkit.TDSS Description

Rootkit.TDSS is a generic label for any of the many components of the TDSS rootkit family (also known as Alureon or Tidserv Trojans, and associated with the DNS Changer malware) that cause serious security violations on an infected PC. As a rootkit, Rootkit.TDSS uses advanced techniques to conceal itself and to protect itself from deletion, and some variants can continue to run in Safe Mode. Whichever variant is attacking your PC, malware researchers have found that every type of Rootkit.TDSS infection is a dangerous security attack: it can be involved in theft of private information, browser hijacks, installation of additional PC threats, Distributed Denial-of-Service attacks and other forms of criminal control over your computer. You should use a powerful, up-to-date anti-malware program to find and remove Rootkit.TDSS; manual detection or deletion of Rootkit.TDSS is, at best, an unreliable last resort.

Why You Will Not See Rootkit.TDSS… Unless You Have a Little Outside Help

Even though all rootkits are known for their stealth features, the Rootkit.TDSS family is especially infamous for advanced structures that let it avoid notice unless it is caught by appropriate security software. Variants of Rootkit.TDSS have been known to inject code into normal system processes to hide their activity, to install themselves as malicious kernel drivers, to hide as .dll files, and to scatter their components in a semi-random fashion across the hard drive. Because a rootkit of this kind can filter what the operating system reports, a file listing, process list or registry view taken from inside the infected Windows installation cannot be trusted; a reliable check inspects the disk from clean boot media or with a scanner that reads the disk outside the infected operating system.


In most cases, a single Rootkit.TDSS component will be accompanied by other Rootkit.TDSS files that serve different functions (such as loading additional TDSS components or carrying out specific attacks like browser redirects).
Because Rootkit.TDSS is a generic label that can apply to many TDSS files, you may also see it identified under a wide range of aliases, depending on which anti-malware scanner you use to detect it. A few examples of TDSS component names that malware experts have seen include BackDoor.Tdss.5070, BOO/Tdss.M, TDSS.e!rootkit, Rootkit TDSS.d and TDSS.d!men. Unless you have taken extra steps to stop Rootkit.TDSS from loading, you should assume that it is active on your PC, even if it does not show a distinct process in memory or a visible file on disk.

Some of the Endless Heads of the Rootkit.TDSS Hydra

Attacks based on a Rootkit.TDSS infection can take a nearly unlimited range of forms, because Rootkit.TDSS can update its behavior on instructions from a command-and-control server. Nonetheless, malware researchers have found that some of Rootkit.TDSS's most common uses and behaviors include:
  • Web browser redirects to malicious sites. These can include phishing sites that try to steal private information or sites that install harmful software via drive-by-download scripts.
  • Software-blocking behavior that prevents you from using other programs. The programs most likely to be targeted are those that could help you remove Rootkit.TDSS, such as anti-malware applications. In such cases you may need to rename the program's executable or disable Rootkit.TDSS before you can run software that will delete Rootkit.TDSS safely.
  • The installation of other types of harmful software that may or may not be obviously visible. This can extend to keyloggers, Trojan droppers, worms or rogue security programs.


Aliases reported by other scanners (vendor in brackets):
  • Generic Trojan [Panda]
  • Generic16.BRWH [AVG]
  • Hacktool.Rootkit [Symantec]
  • Mal/Generic-A [Sophos]
  • BKDR_TIDIES.SMA [TrendMicro]
  • TR/Agent.42496.27 [AntiVir]
  • Trojan.Generic.3238155 [BitDefender]
  • Win32:Jifas-DT [Avast]
  • a variant of Win32/Olmarik.SR [NOD32]
  • Trojan.Alureon.MIZ [VirusBuster]

More aliases (101)


Technical Details

File System Modifications

Tutorials: If you wish to learn how to remove malware components manually, you can read the tutorials on how to find malware, kill unwanted processes, remove malicious DLLs and delete other harmful files. Always be sure to back up your PC before making any changes.
  • The following files were created in the system ([RANDOM] stands for a string the dropper generates at random; Detection Count is the number of reported detections of that file, or N/A where none was recorded):

    File Name                                                              Detection Count
    %WINDIR%\PRAGMAixjipouowq\PRAGMAd.sys                                  108
    %WINDIR%\system32\tcppid.sys                                           16
    %WINDIR%\system32\isaxbox.sys                                          12
    %WINDIR%\System32\drivers\_VOIDhrotxiltat.sys                          97
    %Temp%\UAC[RANDOM].tmp                                                 N/A
    %Temp%\_VOID[RANDOM].tmp                                               N/A
    C:\Documents and Settings\All Users\Application Data\_VOIDmainqt.dll   N/A
    C:\WINDOWS\SYSTEM32\4DW4R3c.dll                                        N/A
    C:\WINDOWS\SYSTEM32\4DW4R3sv.dat                                       N/A
    C:\WINDOWS\system32\drivers\UAC[RANDOM].sys                            N/A
    C:\WINDOWS\system32\drivers\_VOID[RANDOM].sys                          N/A
    C:\WINDOWS\system32\uacinit.dll                                        N/A
    C:\WINDOWS\system32\uactmp.db                                          N/A
    C:\WINDOWS\system32\UAC[RANDOM].dat                                    N/A
    C:\WINDOWS\system32\UAC[RANDOM].db                                     N/A
    C:\WINDOWS\system32\UAC[RANDOM].dll                                    N/A
    C:\WINDOWS\system32\_VOID[RANDOM].dat                                  N/A
    C:\WINDOWS\system32\_VOID[RANDOM].dll                                  N/A
    C:\WINDOWS\Temp\UAC[RANDOM].tmp                                        N/A
    C:\WINDOWS\Temp\_VOID[RANDOM].tmp                                      N/A
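To make the file indicators in the table usable, here is an added example (not code from this page, its author or any anti-malware vendor) in Python that turns the listed file names into match patterns and checks a file listing against them. It assumes that [RANDOM] means an alphanumeric run, treats %WINDIR%, %Temp% and the All Users profile folder as "any path prefix" so the patterns fit several Windows layouts, generalizes the page's one PRAGMA directory name to PRAGMA[RANDOM], and runs against a constructed sample listing rather than a real host.

```python
"""Match file paths against the Rootkit.TDSS file indicators listed above.

Added example for this page; not code from the page's author or from any
anti-malware vendor.  The [RANDOM] handling, the treatment of %VAR% tokens
as "any prefix", the PRAGMA[RANDOM] generalization and the sample listing
are assumptions made here for illustration.
"""
import os
import re
from typing import Iterable, List, Tuple

# Indicators from the "File System Modifications" table.  The page shows one
# PRAGMA directory name (PRAGMAixjipouowq); this example assumes the suffix
# is random like the other names.  The All Users path is written with
# %ALLUSERSPROFILE% so it also fits non-XP layouts (an assumption).
TDSS_FILE_IOCS = [
    r"%WINDIR%\PRAGMA[RANDOM]\PRAGMAd.sys",
    r"%WINDIR%\system32\tcppid.sys",
    r"%WINDIR%\system32\isaxbox.sys",
    r"%WINDIR%\system32\drivers\_VOID[RANDOM].sys",
    r"%WINDIR%\system32\drivers\UAC[RANDOM].sys",
    r"%WINDIR%\system32\uacinit.dll",
    r"%WINDIR%\system32\uactmp.db",
    r"%WINDIR%\system32\UAC[RANDOM].dat",
    r"%WINDIR%\system32\UAC[RANDOM].db",
    r"%WINDIR%\system32\UAC[RANDOM].dll",
    r"%WINDIR%\system32\_VOID[RANDOM].dat",
    r"%WINDIR%\system32\_VOID[RANDOM].dll",
    r"%WINDIR%\system32\4DW4R3c.dll",
    r"%WINDIR%\system32\4DW4R3sv.dat",
    r"%WINDIR%\Temp\UAC[RANDOM].tmp",
    r"%WINDIR%\Temp\_VOID[RANDOM].tmp",
    r"%Temp%\UAC[RANDOM].tmp",
    r"%Temp%\_VOID[RANDOM].tmp",
    r"%ALLUSERSPROFILE%\Application Data\_VOIDmainqt.dll",
]

# Tokens inside an indicator that are not matched literally.
_TOKEN = re.compile(r"(%[A-Za-z]+%|\[RANDOM\])")


def ioc_to_regex(ioc: str) -> "re.Pattern[str]":
    """Turn one indicator into an anchored, case-insensitive regex.

    %VAR% tokens match any path prefix (folder layout differs by Windows
    version and locale, so this is deliberately loose); [RANDOM] matches an
    alphanumeric run of 1-64 characters; everything else is literal.
    """
    out = []
    for part in _TOKEN.split(ioc):      # capturing group keeps the tokens
        if part == "[RANDOM]":
            out.append(r"[A-Za-z0-9]{1,64}")
        elif _TOKEN.fullmatch(part):
            out.append(r".+?")
        else:
            out.append(re.escape(part))  # escapes backslashes, dots, spaces
    return re.compile("^" + "".join(out) + "$", re.IGNORECASE)


_COMPILED = [(ioc, ioc_to_regex(ioc)) for ioc in TDSS_FILE_IOCS]


def scan_paths(paths: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (path, indicator) for every path that matches a TDSS indicator."""
    hits = []
    for path in paths:
        for ioc, rx in _COMPILED:
            if rx.match(path):
                hits.append((path, ioc))
                break  # one report per file is enough
    return hits


def scan_tree(root: str) -> List[Tuple[str, str]]:
    """Walk a directory and match every file path found.

    Caveat: an active TDSS rootkit filters directory enumeration, so run this
    against a disk mounted from clean boot media (or an offline disk image),
    not from inside the infected Windows installation.
    """
    return scan_paths(
        os.path.join(dirpath, name)
        for dirpath, _dirs, names in os.walk(root)
        for name in names
    )


# Constructed sample listing (not taken from a real host) that mixes
# TDSS-style names with legitimate Windows files.
SAMPLE_LISTING = [
    r"C:\WINDOWS\system32\drivers\UACqlzxyw.sys",
    r"C:\WINDOWS\system32\drivers\atapi.sys",
    r"C:\WINDOWS\system32\_VOIDabcd.dll",
    r"C:\WINDOWS\system32\uacinit.dll",
    r"C:\WINDOWS\PRAGMAixjipouowq\PRAGMAd.sys",
    r"C:\Documents and Settings\All Users\Application Data\_VOIDmainqt.dll",
    r"C:\WINDOWS\system32\kernel32.dll",
    r"C:\DOCUME~1\user\LOCALS~1\Temp\UAC1234.tmp",
]

if __name__ == "__main__":
    for path, ioc in scan_paths(SAMPLE_LISTING):
        print(f"{path}  <-  {ioc}")
```

On the sample listing the six TDSS-style paths are reported and atapi.sys and kernel32.dll are not. A name match is only a first filter: a file called UACxxxx.sys is suspicious, but confirming an infection still means checking the driver's signature, its service entry and, for this family, the disk outside the running system, since the file listing the rootkit lets you see may be incomplete.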
Posted: April 3, 2009
Threat Metric
Threat Level: 8/10
Detection Count: 501

One Comment

  • Santhosh says:

    Agreed Chester. If the FBI are continuing to run these DNS servers, presumably they are recording the IP addresses of computers issuing incoming DNS requests. I also assume that any computers using US Government IP addresses have already been de-loused. How about either informing the ISPs issuing those IP addresses or posting those IP addresses on the net? I like the suggestion made by Michael S but suspect that most people will not understand that the page is genuine. It would look like a new form of false Anti-Virus.
