

Posted: June 23, 2009

Backdoor.Tidserv, also known as Alureon or the TDSS rootkit, is a family of backdoor Trojans and rootkits that can be used against your PC to various ends, including stealing private information or installing fake security programs (two common payloads associated with Backdoor.Tidserv attacks). Like all rootkits, Backdoor.Tidserv or TDSS compromises your operating system by infecting baseline system files and attempts to conceal its presence from both visual detection and anti-malware programs. Because Backdoor.Tidserv is a flexible and high-level threat that can be used to launch multiple types of payloads, SpywareRemove.com malware experts suggest scanning your PC thoroughly to remove Backdoor.Tidserv and any additional programs that may have been installed without your consent.

Backdoor.Tidserv – the Tiny Hole in Your PC Security That Can Have a Multitude of Consequences

Backdoor.Tidserv is a widely distributed Trojan that can be contracted via malicious e-mail spam, hostile sites or even links from instant messaging bots. Popular aliases for Backdoor.Tidserv, depending on the anti-malware program that detects it, include Win32/Alureon, BKDR_TDSS, Backdoor:W32/TDSS, Packed.Win32.TDSS, TR/Dldr.DNSChanger, Trojan-Dropper.Win32.TDSS and Trojan.Zlob, among other possibilities. Some variants of Backdoor.Tidserv may alter your Domain Name System settings to redirect your web browser to malware-laced websites, hence the common moniker of DNS Changer. Similarly, Zlob is often used to refer to variants of Backdoor.Tidserv that download other types of malicious software, whereas Alureon tends to be used for spyware-based Backdoor.Tidserv attacks, although, ultimately, any single Backdoor.Tidserv infection can be capable of all of the above attacks.

Backdoor.Tidserv was first widely-identified in 2008, but Backdoor.Tidserv attacks still enjoy significant distribution throughout the web, and SpywareRemove.com malware experts recommend that you protect your PC from common Backdoor.Tidserv-associated infection vectors (such as unusual e-mail file attachments and fake media updates). Systems that are vulnerable to Backdoor.Tidserv attacks include most versions of Windows, such as Windows 7, 2K, XP and Vista. Given Backdoor.Tidserv's foundation as a rootkit, if you suspect that Backdoor.Tidserv is on your PC, you should assume that Backdoor.Tidserv is active in memory (even if Backdoor.Tidserv doesn't display a visible memory process) until your anti-malware software can verify Backdoor.Tidserv's presence or lack thereof.

The Probable Tricks Up Backdoor.Tidserv's Voluminous Sleeves

As a rootkit, Backdoor.Tidserv will infect crucial OS components by default, and improper deletion of Backdoor.Tidserv can harm your operating system. While a complete list of Backdoor.Tidserv's potential attacks could be nearly limitless, some of the most meaningful risks that SpywareRemove.com malware researchers have associated with Backdoor.Tidserv include:

  • Theft of confidential information that's used to access accounts for bank websites and other online entities.
  • Web browser redirects to sites that promote various types of malicious software such as rogue security programs and adware.
  • The installation and subsequent concealment of other PC threats.
  • Attacks that use any of multiple methods to disable security-related programs.

In spite of these issues, there are appropriate anti-malware scanners that are capable of removing Backdoor.Tidserv, especially if Backdoor.Tidserv is first disabled (by booting from a removable device, for instance).

File System Modifications

  • The following files were created in the system:
    # File Name
    1 %System%\TDSSadw.dll
    2 %System%\TDSSerrors.log
    3 %System%\TDSSinit.dll
    4 %System%\TDSSl.dll
    5 %System%\TDSSlog.
    6 %System%\TDSSlog.dll
    7 %System%\TDSSmain.dll
    8 %System%\TDSSpopup.dll
    9 %System%\TDSSpopup[RANDOM NUMBER].url
    10 %System%\TDSSservers.dat

Registry Modifications

  • The following Registry values were created:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata\"affid" = "39"
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata\"asubid" = "v2test7"
    HKEY_LOCAL_MACHINE\SOFTWARE\TDSS\"build" = "standart"
    HKEY_LOCAL_MACHINE\SOFTWARE\TDSS\"serversdown" = "1"
    HKEY_LOCAL_MACHINE\SOFTWARE\TDSS\"type" = "popup"
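
The file and registry indicators listed above are best checked against an offline copy of the system (for instance after booting from a removable device), since a running rootkit conceals its files. The following Python is an added example, not part of the original article or any vendor tool; the function names, the digits-only reading of [RANDOM NUMBER], and the use of a .reg text export of the offline registry are assumptions.

```python
import os
import re

# File names from the page's "File System Modifications" list (the truncated
# "TDSSlog." entry is left out); %System% is normally Windows\System32.
FILE_IOCS = {n.lower() for n in (
    "TDSSadw.dll", "TDSSerrors.log", "TDSSinit.dll", "TDSSl.dll", "TDSSlog.dll",
    "TDSSmain.dll", "TDSSpopup.dll", "TDSSservers.dat")}
# "TDSSpopup[RANDOM NUMBER].url": assumed here to be decimal digits.
POPUP_URL = re.compile(r"^tdsspopup\d+\.url$", re.IGNORECASE)
# Registry keys from the page's "Registry Modifications" list.
KEY_IOCS = {k.lower() for k in (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\TDSS",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata")}

def match_file_iocs(names):
    """Return the names (sorted) that match a listed file indicator."""
    return sorted(n for n in names
                  if n.lower() in FILE_IOCS or POPUP_URL.match(n))

def scan_system_dir(system_dir):
    """List an offline-mounted %System% directory and match its entries."""
    return match_file_iocs(os.listdir(system_dir))

def match_registry_iocs(reg_text):
    """Parse .reg export text; return {key: [value names]} for listed keys."""
    hits, current = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            current = key if key.lower() in KEY_IOCS else None
            if current:
                hits.setdefault(current, [])
        elif current and line.startswith('"'):
            m = re.match(r'"((?:[^"\\]|\\.)*)"\s*=', line)
            if m:
                hits[current].append(m.group(1))
    return hits

# Constructed sample input (reg.exe exports are UTF-16; decode before parsing).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\TDSS]
"build"="standart"
'''

if __name__ == "__main__":
    print(match_file_iocs(["kernel32.dll", "tdssmain.dll", "TDSSpopup8841.url"]))
    print(match_registry_iocs(SAMPLE_REG))
```

A clean result from a live, possibly infected system is not conclusive, because the rootkit can hide these entries from normal directory and registry queries.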


  • Bob Guard says:

    I appear to have backdoor.tidserv on my laptop and have tried to download SpyHunter Malware Scanner but am unable to do so. I have tried using Firefox as suggested but this does not appear to have any effect. The download cannot get past the 90% stage.
    Do you have any suggestions, please?

  • Karen Clark says:

    I'm wondering about a Re-Direct Virus. My Spyware and Programs for Security say my computer is clean, but is it, if I get re-directs all the time?