TDL3 Rootkit

Posted: July 19, 2011

TDL3 Rootkit Description

TDL3 Rootkit is a variant of the well-known TDSS Rootkit infection that has spread through millions of computers worldwide and uses multiple components and sophisticated stealth defenses. TDL3 Rootkit has these traits in common with the original TDSS Rootkit and will manifest TDL3 Rootkit's attacks in the form of search result hijacks, BSODs (Blue Screens of Death, AKA blue error screens) and a slowdown of system performance. Rootkit infections similar to TDL3 Rootkit are also known sources of security issues that can result in remote attacks and other criminal actions against your computer. As one of the newer versions of a notoriously difficult-to-remove rootkit, TDL3 Rootkit should only be removed by highly-sophisticated security software that can handle such deep-rooted threats to your PC.

How TDL3 Rootkit Defeats Your Typical Anti-Virus Software

TDL3 Rootkit is named for being the third version of the old TDSS Rootkit that's still circulating the Internet in large quantities to this very day. Tens of thousands of computers already have been reported as infected by TDL3 Rootkit despite the fact that almost two-thirds of them have used fully-updated anti-virus software.

This troubling development is made possible by rootkit-based techniques that allow TDL3 Rootkit to infect the Master Boot Record kernel or other deeply-buried parts of the Windows operating system. A TDL3 Rootkit infection, like all rootkits, will not create independent memory processes that you can see in Task Manager, and may not even create visible files or folders.

Most TDL3 Rootkit infections have a preference for infecting system drivers. If your security software scans your computer and displays a large list of infected .sys files, you may have TDL3 Rootkit or a similar rootkit infection. Insufficiently advanced anti-virus software, however, aren't likely to detect TDL3 Rootkit at all.

Perhaps the most troubled aspect of a TDL3 Rootkit infection is the fact that it can cause the now-rare Blue Screen of Death errors to appear once again. This is the result of an old Windows patch interacting poorly with TDL3 Rootkit. However, Microsoft has since yanked the patch off of their database until the problem is solved, so you don't need to worry about BSODing your computer by accident. This BSOD will appear whenever Windows tries to load, and only a separate Windows boot CD will let you bypass it to remove TDL3 Rootkit.

Be Ready for TDL3 Rootkit's Mad Rush for Your Online Search Results

The main sign of any TDL3 Rootkit infection is a browser hijack that redirects you to unfamiliar websites. In some cases, TDL3 Rootkit may wait until you've clicked a search engine link, before redirecting you to a totally different destination. Typing in the URL may not avoid TDL3 Rootkit's redirection technique since TDL3 Rootkit has also been reported to use DNS-based hijacks.

This type of attack can also be seen in TDL3 Rootkit's ancestors like TDSS Rootkit and in related components like the Google Redirect Virus. However, TDL3 Rootkit has other symptoms that you may be able to use to single it out:

  • TDL3 Rootkit will actively prevent you from visiting websites that are related to PC security. TDL3 Rootkit may redirect you away from these websites automatically or create a fake error screen that blocks the website's content.
  • Your web browser will suffer in performance and speed due to TDL3 Rootkit's hijack-related activities. Some other versions of the same rootkit have also been reported to cause a random loss of keyboard input within the browser.
  • Most worryingly, TDL3 Rootkit will attempt to block you from using any program that's on its blacklist. These programs include security tools and anti-virus software that could be used to detect or delete TDL3 Rootkit.

File System Modifications

  • The following files were created in the system:
    # File Name
    1 %Temp%\_VOID[RANDOM CHARACTERS].tmp
    2 %Temp%\UAC[RANDOM CHARACTERS].tmp
    3 C:\Documents and Settings\All Users\Application Data\_VOIDmainqt.dll
    4 C:\WINDOWS\_VOID[RANDOM CHARACTERS]\
    5 C:\WINDOWS\_VOID[RANDOM CHARACTERS]\_VOIDd.sys
    6 C:\WINDOWS\SYSTEM32\4DW4R3[RANDOM CHARACTERS].dll
    7 C:\WINDOWS\SYSTEM32\4DW4R3c.dll
    8 C:\WINDOWS\SYSTEM32\4DW4R3sv.dat
    9 C:\WINDOWS\system32\_VOID[RANDOM CHARACTERS].dat
    10 C:\WINDOWS\system32\_VOID[RANDOM CHARACTERS].dll
    11 C:\WINDOWS\SYSTEM32\DRIVERS\4DW4R3.sys
    12 C:\WINDOWS\SYSTEM32\DRIVERS\4DW4R3[RANDOM CHARACTERS].sys
    13 C:\WINDOWS\system32\drivers\_VOID[RANDOM CHARACTERS].sys
    14 C:\WINDOWS\system32\drivers\UAC[RANDOM CHARACTERS].sys
    15 C:\WINDOWS\system32\UAC[RANDOM CHARACTERS].dat
    16 C:\WINDOWS\system32\UAC[RANDOM CHARACTERS].db
    17 C:\WINDOWS\system32\UAC[RANDOM CHARACTERS].dll
    18 C:\WINDOWS\system32\uacinit.dll
    19 C:\WINDOWS\system32\uactmp.db
    20 C:\WINDOWS\Temp\_VOID[RANDOM CHARACTERS]tmp
    21 C:\WINDOWS\Temp\UAC[RANDOM CHARACTERS].tmp

Registry Modifications

  • The following newly produced Registry Values are:
    HKEY..\..\..\..{RegistryKeys}HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\4DW4R3HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UACd.sysHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\_VOID[RANDOM CHARACTERS]HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\_VOIDd.sys

Use SpyHunter to Detect and Remove PC Threats

If you are concerned that malware or PC threats similar to TDL3 Rootkit may have infected your computer, we recommend you start an in-depth system scan with SpyHunter. SpyHunter is an advanced malware protection and remediation application that offers subscribers a comprehensive method for protecting PCs from malware, in addition to providing one-on-one technical support service.

Download SpyHunter's Malware Scanner

Note: SpyHunter's free version is only for malware detection. If SpyHunter detects malware on your PC, you will need to purchase SpyHunter's malware tool to remove the malware threats. Learn more on SpyHunter. If you would like to uninstall SpyHunter for any reason, please follow these uninstall instructions. To learn more about our policies and practices, visit our EULA, Privacy Policy and Threat Assessment Criteria.

Why can't I open any program including SpyHunter? You may have a malware file running in memory that kills any programs that you try to launch on your PC. Tip: Download SpyHunter from a clean computer, copy it to a USB thumb drive, DVD or CD, then install it on the infected PC and run SpyHunter's malware scanner.

Leave a Reply

Please note that we are not able to assist with billing and support issues regarding SpyHunter or other products. If you're having issues with SpyHunter, please get in touch with SpyHunter customer support through your SpyHunter. If you have SpyHunter billing questions, we recommend you check the Billing FAQ. For general suggestions or feedback, contact us.