TDSS Rootkit

Posted: July 19, 2011

TDSS Rootkit Description

TDSS Rootkit is a rootkit that makes use of multiple Trojans that generate revenue for criminals in a variety of ways. These cash-generating methods invariably cause harm to your computer by hijacking your browser, altering online content, changing your system settings, installing hostile programs, creating advertisements and infecting crucial Windows files. Although different types of TDSS Rootkit infections may exhibit slightly different behavior, all types of TDSS Rootkit attackers are extremely dangerous, and most will consist of multiple subtypes of Trojans and other threatening programs. As is the case with all rootkits, removing TDSS Rootkit or even detecting TDSS Rootkit is extremely difficult and may require help from high-quality threat-removal software.

Meeting the Whole TDSS Rootkit Family

As a multi-component infection, TDSS Rootkit attacks will use many different types of Trojans to create many attacks on your PC, although almost all of these attacks have the motive of generating money. For example:

  • Google Redirect Virus is a TDSS Rootkit component that hijacks your browser and redirects you to risky websites after you've clicked on a Google search result.
  • Virus:Win32/Alureon.H is a driver that's been infected by TDSS Rootkit. Virus:Win32/Alureon.H is responsible for loading the primary TDSS Rootkit code, which is scattered randomly around your hard drive. TDSS Rootkit, once loaded, will conceal both itself and the Virus:Win32/Alureon.H driver infection.
  • Trojan:Win32/Alureon.DN is a .dll file that TDSS Rootkit uses to alter online content. TDSS Rootkit does this by injecting malicious code into innocent HTML.

What You Can Do to Kick Out the TDSS Rootkit Gang

Although the full list of TDSS Rootkit components is far too long to enumerate fully, you can assume that any TDSS Rootkit infection is engaged in multiple attacks on your computer with multiple types of Trojans at any given time. Other problems that are associated with TDSS Rootkit include browser hijacks that redirect you to hostile websites, advertisement pop-ups, the appearance of a security backdoor (by way of opened network ports and altered firewall settings), altered Domain Name System (DNS) settings and the appearance of unfamiliar programs on your computer.

All types of TDSS Rootkit infections are extremely difficult to remove. Even if you think you've deleted TDSS Rootkit during a system scan, a reboot may reveal that TDSS Rootkit was never really deleted at all. Temporarily disabling System Restore may be necessary as part of the TDSS Rootkit removal process, and rootkits like TDSS Rootkit have been known to persist even in Safe Mode.

Despite the difficulty of deleting TDSS Rootkit, allowing TDSS Rootkit or any of its individual components to remain on your PC is extremely dangerous. Ignoring the threat that TDSS Rootkit presents can not only be a source of other infections but may also allow remote criminals to exert direct control over your PC.
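Because the TDSS driver hides its own files from the running system, a listing taken through the live system's APIs cannot be trusted on its own. The usual defensive check is a cross-view comparison: enumerate the same volume from a vantage point the rootkit does not control (the disk mounted offline from boot media or a forensic image) and diff the two views. The following is an added example, not code from the original page; the two listings are constructed sample data (the `uacinit.dll` and `uactmp.db` names come from the page's file table, and `_VOIDab12cd.sys` is a made-up instance of the page's `_VOID[RANDOM CHARACTERS].sys` pattern).

```python
"""Cross-view comparison to surface files a kernel-mode rootkit hides.

Added example; the listings are constructed, not real captures.
A rootkit that filters directory-listing results on the live system
cannot filter a listing taken from the same volume mounted offline.
Entries present offline but missing from the live view are candidates
for hidden files and deserve a closer look.
"""
import ntpath  # Windows path semantics regardless of the host OS
from typing import List, Set

# Constructed: what the live, possibly compromised system reports.
LIVE_VIEW = r"""
C:\WINDOWS\system32\drivers\atapi.sys
C:\WINDOWS\system32\drivers\ntfs.sys
C:\WINDOWS\system32\kernel32.dll
C:\WINDOWS\system32\uactmp.db
"""

# Constructed: the same volume enumerated offline (boot CD or mounted image).
OFFLINE_VIEW = r"""
c:\windows\system32\drivers\atapi.sys
C:\WINDOWS\system32\drivers\ntfs.sys
C:\WINDOWS\system32\drivers\_VOIDab12cd.sys
C:\WINDOWS\system32\kernel32.dll
C:\WINDOWS\system32\uacinit.dll
C:\WINDOWS\system32\uactmp.db
"""


def normalize(path: str) -> str:
    """Canonicalise a Windows path so that case and separator differences
    between the two tools used to collect the listings do not show up as
    false differences (Windows file names are case-insensitive)."""
    return ntpath.normcase(ntpath.normpath(path.strip()))


def parse_listing(text: str) -> Set[str]:
    """One path per line; blank lines ignored."""
    return {normalize(line) for line in text.splitlines() if line.strip()}


def hidden_entries(live: str, offline: str) -> List[str]:
    """Paths the offline view contains but the live view does not report."""
    return sorted(parse_listing(offline) - parse_listing(live))


def phantom_entries(live: str, offline: str) -> List[str]:
    """Paths reported live but absent offline. Usually files created or
    deleted between the two snapshots; worth reviewing rather than ignoring."""
    return sorted(parse_listing(live) - parse_listing(offline))


if __name__ == "__main__":
    for p in hidden_entries(LIVE_VIEW, OFFLINE_VIEW):
        print("hidden from live view:", p)
    for p in phantom_entries(LIVE_VIEW, OFFLINE_VIEW):
        print("live only (review):", p)
```

Take both snapshots as close together in time as possible; ordinary churn (temp files, logs) between them shows up as noise in both directions, which is why the live-only set is reported separately rather than discarded.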

File System Modifications

  • The following files were created in the system:
    # File Name
    1 %Temp%\_VOID[RANDOM CHARACTERS].tmp
    2 %Temp%\UAC[RANDOM CHARACTERS].tmp
    3 C:\Documents and Settings\All Users\Application Data\_VOIDmainqt.dll
    4 C:\WINDOWS\_VOID[RANDOM CHARACTERS]\
    5 C:\WINDOWS\_VOID[RANDOM CHARACTERS]\_VOIDd.sys
    6 C:\WINDOWS\SYSTEM32\4DW4R3[RANDOM CHARACTERS].dll
    7 C:\WINDOWS\SYSTEM32\4DW4R3c.dll
    8 C:\WINDOWS\SYSTEM32\4DW4R3sv.dat
    9 C:\WINDOWS\system32\_VOID[RANDOM CHARACTERS].dat
    10 C:\WINDOWS\system32\_VOID[RANDOM CHARACTERS].dll
    11 C:\WINDOWS\SYSTEM32\DRIVERS\4DW4R3.sys
    12 C:\WINDOWS\SYSTEM32\DRIVERS\4DW4R3[RANDOM CHARACTERS].sys
    13 C:\WINDOWS\system32\drivers\_VOID[RANDOM CHARACTERS].sys
    14 C:\WINDOWS\system32\drivers\UAC[RANDOM CHARACTERS].sys
    15 C:\WINDOWS\system32\UAC[RANDOM CHARACTERS].dat
    16 C:\WINDOWS\system32\UAC[RANDOM CHARACTERS].db
    17 C:\WINDOWS\system32\UAC[RANDOM CHARACTERS].dll
    18 C:\WINDOWS\system32\uacinit.dll
    19 C:\WINDOWS\system32\uactmp.db
    20 C:\WINDOWS\Temp\_VOID[RANDOM CHARACTERS]tmp
    21 C:\WINDOWS\Temp\UAC[RANDOM CHARACTERS].tmp

Registry Modifications

  • The following Registry keys are created:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\4DW4R3
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UACd.sys
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\_VOID[RANDOM CHARACTERS]
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\_VOIDd.sys
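The file and registry indicators above are written with two kinds of placeholder: `%Temp%` is an environment variable that differs per machine, and `[RANDOM CHARACTERS]` is a per-infection random suffix, so a literal string search will miss most real instances. The following added example (not code from the original page) turns indicators in the page's notation into anchored, case-insensitive regular expressions and runs them over a list of file paths and over a `reg export` style dump of the Services key. The indicator strings are copied from the page's two tables; the file paths, the registry excerpt and the `%Temp%` value are constructed sample data.

```python
"""Match the file and registry indicators listed for TDSS Rootkit against
collected data. Added example; indicator patterns are from the page, the
sample paths, registry excerpt and environment value are constructed.
"""
import re
from typing import Dict, List, Tuple

# Indicator patterns copied from the page's "File System Modifications" table.
FILE_IOCS = [
    r"%Temp%\_VOID[RANDOM CHARACTERS].tmp",
    r"C:\WINDOWS\SYSTEM32\4DW4R3[RANDOM CHARACTERS].dll",
    r"C:\WINDOWS\SYSTEM32\DRIVERS\4DW4R3.sys",
    r"C:\WINDOWS\system32\drivers\_VOID[RANDOM CHARACTERS].sys",
    r"C:\WINDOWS\system32\drivers\UAC[RANDOM CHARACTERS].sys",
    r"C:\WINDOWS\system32\uacinit.dll",
]

# Service names copied from the page's "Registry Modifications" list.
SERVICES_ROOT = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"
SERVICE_IOCS = [r"4DW4R3", r"UACd.sys", r"_VOID[RANDOM CHARACTERS]", r"_VOIDd.sys"]

# Constructed: assumed %Temp% of the machine being examined (Windows XP layout).
ENV = {"Temp": r"C:\Documents and Settings\Owner\Local Settings\Temp"}


def ioc_to_regex(pattern: str, env: Dict[str, str]) -> "re.Pattern[str]":
    """Compile a page-style indicator into an anchored, case-insensitive regex.

    %VAR% is expanded from `env` before escaping so the expanded value is
    matched literally; [RANDOM CHARACTERS] becomes "one or more characters
    that are not a path separator", so the wildcard never crosses directories.
    """
    expanded = re.sub(r"%(\w+)%", lambda m: env.get(m.group(1), m.group(0)), pattern)
    parts = expanded.split("[RANDOM CHARACTERS]")
    body = r"[^\\]+".join(re.escape(p) for p in parts)
    return re.compile("^" + body + "$", re.IGNORECASE)


def match_files(paths: List[str], env: Dict[str, str] = ENV) -> List[Tuple[str, str]]:
    """Return (path, indicator) for every path that matches a file indicator."""
    compiled = [(ioc, ioc_to_regex(ioc, env)) for ioc in FILE_IOCS]
    hits = []
    for raw in paths:
        path = raw.strip()
        for ioc, rx in compiled:
            if rx.match(path):
                hits.append((path, ioc))
    return hits


def match_services(reg_export: str) -> List[Tuple[str, str]]:
    """Return (service name, indicator) for suspicious keys in a .reg style dump."""
    key_rx = re.compile(r"^\[" + re.escape(SERVICES_ROOT) + r"\\([^\\\]]+)\]$", re.IGNORECASE)
    compiled = [(ioc, ioc_to_regex(ioc, {})) for ioc in SERVICE_IOCS]
    hits = []
    for line in reg_export.splitlines():
        m = key_rx.match(line.strip())
        if not m:
            continue
        name = m.group(1)
        for ioc, rx in compiled:
            if rx.match(name):
                hits.append((name, ioc))
    return hits


# Constructed sample input: a file inventory with mixed letter case.
SAMPLE_PATHS = [
    r"C:\WINDOWS\system32\drivers\atapi.sys",
    r"C:\Windows\System32\Drivers\_VOIDab12cd.sys",
    r"C:\Documents and Settings\Owner\Local Settings\Temp\_VOIDk9z.tmp",
    r"C:\WINDOWS\system32\uacinit.dll",
    r"C:\WINDOWS\system32\kernel32.dll",
]

# Constructed sample input: excerpt in the format produced by `reg export`.
SAMPLE_REG_EXPORT = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\atapi]
"ImagePath"="system32\drivers\atapi.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\_VOIDx7q2k]
"ImagePath"="\??\C:\WINDOWS\_VOIDx7q2k\_VOIDd.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip]
"""

if __name__ == "__main__":
    for path, ioc in match_files(SAMPLE_PATHS):
        print(f"file  {path}  <-  {ioc}")
    for name, ioc in match_services(SAMPLE_REG_EXPORT):
        print(f"service  {name}  <-  {ioc}")
```

Run the file inventory from an offline mount or boot media rather than from the infected system, for the reason given in the removal section: the live system's directory listings may already have the rootkit's files filtered out. Registry hives can likewise be loaded offline (`reg load`) and exported from there.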

Use SpyHunter to Detect and Remove PC Threats

If you are concerned that malware or PC threats similar to TDSS Rootkit may have infected your computer, we recommend you start an in-depth system scan with SpyHunter. SpyHunter is an advanced malware protection and remediation application that offers subscribers a comprehensive method for protecting PCs from malware, in addition to providing one-on-one technical support service.

Download SpyHunter's Malware Scanner

Note: SpyHunter's free version is only for malware detection. If SpyHunter detects malware on your PC, you will need to purchase SpyHunter's malware tool to remove the malware threats. Learn more on SpyHunter. If you would like to uninstall SpyHunter for any reason, please follow these uninstall instructions. To learn more about our policies and practices, visit our EULA, Privacy Policy and Threat Assessment Criteria.

Why can't I open any program including SpyHunter? You may have a malware file running in memory that kills any programs that you try to launch on your PC. Tip: Download SpyHunter from a clean computer, copy it to a USB thumb drive, DVD or CD, then install it on the infected PC and run SpyHunter's malware scanner.
