Home Malware Programs Rootkits TDSS Rootkit

TDSS Rootkit

Posted: July 19, 2011

TDSS Rootkit is a rootkit that makes use of multiple Trojans that generate revenue for criminals in a variety of ways. These cash-generating methods invariably cause harm to your computer by hijacking your browser, altering online content, changing your system settings, installing hostile programs, creating advertisements and infecting crucial Windows files. Although different types of TDSS Rootkit infections may exhibit slightly different behavior, all types of TDSS Rootkit attackers are extremely dangerous, and most will consist of multiple subtypes of Trojans and other threatening programs. As is the case with all rootkits, removing TDSS Rootkit or even detecting TDSS Rootkit is extremely difficult and may require help from high-quality threat-removal software.

Meeting the Whole TDSS Rootkit Family

As a multi-component infection, TDSS Rootkit attacks will use many different types of Trojans to create many attacks on your PC, although almost all of these attacks have the motive of generating money. For example:

  • Google Redirect Virus is a TDSS Rootkit component that hijacks your browser and redirects you to risky websites, after you've click on a Google search result.
  • Virus:Win32/Alureon.H is a driver that's been infected by TDSS Rootkit. Virus:Win32/Alureon.H is responsible for loading the primary TDSS Rootkit code, which is scattered randomly around your hard drive. TDSS Rootkit, once loaded, will conceal both itself and the Virus:Win32/Alureon.H driver infection.
  • Trojan:Win32/Alureon.DN is a .dll file that TDSS Rootkit uses to alter online content. TDSS Rootkit does this by injecting malicious code into innocent HTML.

What You Can Do to Kick Out the TDSS Rootkit Gang

Although the full list of TDSS Rootkit components is far too long to enumerate fully, you can assume that any TDSS Rootkit infection is engaged in multiple attacks on your computer with multiple types of Trojans at any given time. Other problems that are associated with TDSS Rootkit include browser hijacks that redirect you to hostile websites, advertisement pop-ups, the appearance of a security backdoor (by way of opened network ports and altered firewall settings), altered Domain Name System (DNS) settings and the appearance of unfamiliar programs on your computer.

All types of TDSS Rootkit infections are extremely difficult to remove. Even if you think you've deleted TDSS Rootkit during a system scan, a reboot may reveal that TDSS Rootkit was never really deleted at all. Temporarily disabling System Restore may be necessary as part of the TDSS Rootkit removal process, and rootkits like TDSS Rootkit have been known to persist even in Safe Mode.

Despite the difficulty of deleting TDSS Rootkit, allowing TDSS Rootkit or any of its individual components to remain on your PC is extremely dangerous. Ignoring the threat that TDSS Rootkit presents can not only be a source of other infections but may also allow remote criminals to exert direct control over your PC.

File System Modifications

  • The following files were created in the system:
    # File Name
    1 %Temp%\_VOID[RANDOM CHARACTERS].tmp
    2 %Temp%\UAC[RANDOM CHARACTERS].tmp
    3 C:\Documents and Settings\All Users\Application Data\_VOIDmainqt.dll
    4 C:\WINDOWS\_VOID[RANDOM CHARACTERS]\
    5 C:\WINDOWS\_VOID[RANDOM CHARACTERS]\_VOIDd.sys
    6 C:\WINDOWS\SYSTEM32\4DW4R3[RANDOM CHARACTERS].dll
    7 C:\WINDOWS\SYSTEM32\4DW4R3c.dll
    8 C:\WINDOWS\SYSTEM32\4DW4R3sv.dat
    9 C:\WINDOWS\system32\_VOID[RANDOM CHARACTERS].dat
    10 C:\WINDOWS\system32\_VOID[RANDOM CHARACTERS].dll
    11 C:\WINDOWS\SYSTEM32\DRIVERS\4DW4R3.sys
    12 C:\WINDOWS\SYSTEM32\DRIVERS\4DW4R3[RANDOM CHARACTERS].sys
    13 C:\WINDOWS\system32\drivers\_VOID[RANDOM CHARACTERS].sys
    14 C:\WINDOWS\system32\drivers\UAC[RANDOM CHARACTERS].sys
    15 C:\WINDOWS\system32\UAC[RANDOM CHARACTERS].dat
    16 C:\WINDOWS\system32\UAC[RANDOM CHARACTERS].db
    17 C:\WINDOWS\system32\UAC[RANDOM CHARACTERS].dll
    18 C:\WINDOWS\system32\uacinit.dll
    19 C:\WINDOWS\system32\uactmp.db
    20 C:\WINDOWS\Temp\_VOID[RANDOM CHARACTERS]tmp
    21 C:\WINDOWS\Temp\UAC[RANDOM CHARACTERS].tmp

Registry Modifications

  • The following newly produced Registry Values are:
    HKEY..\..\..\..{RegistryKeys}HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\4DW4R3HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UACd.sysHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\_VOID[RANDOM CHARACTERS]HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\_VOIDd.sys
Loading...