Rootkit.TDSS
Posted: April 3, 2009
Threat Metric
The fields listed on the Threat Meter that contain a specific value are explained in detail below:
Threat Level: The threat level scale goes from 1 to 10 where 10 is the highest level of severity and 1 is the lowest level of severity. Each specific level is relative to the threat's consistent assessed behaviors collected from SpyHunter's risk assessment model.
Detection Count: The collective number of confirmed and suspected cases of a particular malware threat. The detection count is calculated from infected PCs retrieved from diagnostic and scan log reports generated by SpyHunter.
Volume Count: Similar to the detection count, the Volume Count is specifically based on the number of confirmed and suspected threats infecting systems on a daily basis. High volume counts usually represent a popular threat but may or may not have infected a large number of systems. High detection count threats could lie dormant and have a low volume count. Criteria for Volume Count are relative to a daily detection count.
Trend Path: The Trend Path, utilizing an up arrow, down arrow or equal symbol, represents the level of recent movement of a particular threat. Up arrows represent an increase, down arrows represent a decline and the equal symbol represents no change to a threat's recent movement.
% Impact (Last 7 Days): This demonstrates a 7-day period change in the frequency of a malware threat infecting PCs. The percentage impact correlates directly to the current Trend Path to determine a rise or decline in the percentage.
| Threat Level: | 8/10 |
|---|---|
| Infected PCs: | 934 |
| First Seen: | November 30, 2010 |
| OS(es) Affected: | Windows |
Rootkit.TDSS is a generic label for any one of many types of TDSS rootkit components (also known as Alureon Trojans or Tidserv Trojans and associated with DNS Changer) that create serious security violations on an infected PC. As a rootkit, Rootkit.TDSS uses especially advanced features to conceal itself and protect itself from deletion, and some variants of Rootkit.TDSS may even be able to run in Safe Mode. Regardless of which variants of Rootkit.TDSS are attacking your PC, SpywareRemove.com malware researchers have found that all types of Rootkit.TDSS infections are dangerous security attacks that can be involved in theft of private information, browser hijacks, the installation of additional types of PC threats, Distributed Denial-of-Service attacks and other forms of criminal control over your computer. You should use powerful and up-to-date anti-malware programs to find and remove Rootkit.TDSS, since manual detection or deletion of Rootkit.TDSS is, at best, an unreliable last resort.
Why You Will Not See Rootkit.TDSS... Unless You Have a Little Outside Help
Even though all rootkits are known for using stealth-related features, Rootkit.TDSS family rootkits are especially infamous for their advanced structures that allow them to avoid being noticed unless caught by appropriate security software. Variants of Rootkit.TDSS infections have been known to use memory-injection techniques to hide their activities inside normal system processes, disguise themselves as drivers or .dll files, and even scatter their components in a semi-random fashion throughout a hard drive. In most cases, a single Rootkit.TDSS component will be accompanied by other Rootkit.TDSS files that serve different functions (such as loading additional TDSS components or causing specific attacks like browser redirects).
Because Rootkit.TDSS is a generic label that can apply to many types of TDSS files, you may also see Rootkit.TDSS identified under a wide range of aliases, depending on which anti-malware scanner you use to detect Rootkit.TDSS. A few examples of the many TDSS components that SpywareRemove.com malware experts have seen include BackDoor.Tdss.5070, BOO/Tdss.M, TDSS.e!rootkit, Rootkit TDSS.d and TDSS.d!men. Unless you've taken extra steps to stop Rootkit.TDSS from being loaded, you should assume that Rootkit.TDSS is active on your PC, even if Rootkit.TDSS doesn't show a distinct memory process or file.
Some of the Endless Heads of the Rootkit.TDSS Hydra
Attacks based on a Rootkit.TDSS infection can take a nearly infinite range of forms, given Rootkit.TDSS's ability to update its behavior based on instructions from a command server. Nonetheless, SpywareRemove.com malware researchers have found that some of Rootkit.TDSS's most common uses and behaviors include:
- Web browser redirects to malicious sites. These sites can include phishing sites that try to steal private information or sites that install harmful software via drive-by-download scripts.
- Software-blocking behavior that prevents you from using other programs. Programs that are most likely to be targeted by these Rootkit.TDSS attacks are those that could help you remove Rootkit.TDSS (such as anti-malware applications). In such instances, you may need to rename the program file or disable Rootkit.TDSS before you can access software that will delete Rootkit.TDSS in a safe manner.
- The installation of other types of harmful software that may or may not be obviously visible. This can extend to keyloggers, Trojan droppers, worms or rogue security programs.
Aliases
Technical Details
File System Modifications
Tutorials: If you wish to learn how to remove malware components manually, you can read the tutorials on how to find malware, kill unwanted processes, remove malicious DLLs and delete other harmful files. Always be sure to back up your PC before making any changes.
The following files were created in the system. All entries in the first table are system files (Mime Type: unknown/sys, Group: Malware file) for which a specific sample hash was recorded:

| Path | Size | MD5 | Detection count | Last Updated |
|---|---|---|---|---|
| %WINDIR%\PRAGMAxtcorpftkp\PRAGMAd.sys | 52.73 KB (52736 bytes) | 4fc1255817092de5c285440cf477035e | 230 | November 30, 2010 |
| %WINDIR%\PRAGMAixjipouowq\PRAGMAd.sys | 44.54 KB (44544 bytes) | 4a2dccdd2a14acce0dc2bcfc01b01b15 | 108 | December 9, 2010 |
| %WINDIR%\PRAGMAydxtdcaetm\PRAGMAd.sys | 52.73 KB (52736 bytes) | f4c09fd7833565264f8feb1349a558a1 | 93 | December 7, 2010 |
| %WINDIR%\System32\drivers\_VOIDhrotxiltat.sys | 42.49 KB (42496 bytes) | 89b56f6143f7c1ad44cd10f46700b9da | 31 | October 14, 2011 |
| %WINDIR%\PRAGMAxnsvrxcpxx\PRAGMAd.sys | 45.05 KB (45056 bytes) | 4a672d94142ea8056ff589377fb8339b | 23 | December 8, 2010 |
| %WINDIR%\PRAGMAvnmxjnvxei\PRAGMAd.sys | 52.73 KB (52736 bytes) | 0d72febb1914c0d7a379b9cc2f6bb8ff | 23 | December 7, 2010 |
| %WINDIR%\PRAGMApibcjxomti\PRAGMAd.sys | 44.54 KB (44544 bytes) | a3f92e9bf557198dc39d4045d2ec2144 | 19 | December 9, 2010 |
| %WINDIR%\PRAGMApvqvprupfd\PRAGMAd.sys | 52.22 KB (52224 bytes) | 0aeb71ef75d921539e6e02dfa2c12e08 | 19 | December 7, 2010 |
| %WINDIR%\system32\tcppid.sys | 2.3 KB (2304 bytes) | c72311b8d604a3e3e9b36df733f30843 | 16 | December 8, 2010 |
| %WINDIR%\PRAGMApmbiquqdri\PRAGMAd.sys | 44.54 KB (44544 bytes) | 184110fe4f5c6a4416b9decee90a2d9f | 14 | December 8, 2010 |
| %WINDIR%\system32\isaxbox.sys | 2.3 KB (2304 bytes) | 5a7eef7dcdae6912afe7f50983d5520f | 12 | December 8, 2010 |
| %WINDIR%\PRAGMApornnkiniw\PRAGMAd.sys | 52.73 KB (52736 bytes) | c907276d48943001a4745b6d4e254c13 | 7 | December 7, 2010 |
| %WINDIR%\PRAGMAnnospwidri\PRAGMAd.sys | 52.22 KB (52224 bytes) | 9d39fe1b36199d5717cae14ed3680e67 | 7 | December 6, 2010 |
| %WINDIR%\PRAGMAvidnlqenxr\PRAGMAd.sys | 52.22 KB (52224 bytes) | e671ab67d233cb4e87b1b679a92a0ed0 | 5 | January 5, 2011 |
| %WINDIR%\PRAGMAhxbqfgeixn\PRAGMAd.sys | 52.73 KB (52736 bytes) | b52194d21487e3cf2178950228552ac5 | 5 | December 7, 2010 |
| %WINDIR%\PRAGMAqvtiqrnstb\PRAGMAd.sys | 52.22 KB (52224 bytes) | aca6e953ff8d2f536fd1d297e0486734 | 5 | December 7, 2010 |
| %WINDIR%\PRAGMAqvcxtabdmb\PRAGMAd.sys | 52.22 KB (52224 bytes) | 2b5b356793a655697edd8c58b2964fe2 | 5 | December 7, 2010 |

The following paths (Group: Malware file) are name patterns rather than specific samples; [RANDOM] stands for a variable string and no hash is recorded for them:

| Path | File type | Mime Type |
|---|---|---|
| C:\WINDOWS\system32\UAC[RANDOM].dat | Data file | unknown/dat |
| C:\WINDOWS\system32\UAC[RANDOM].dll | Dynamic link library | unknown/dll |
| C:\WINDOWS\system32\UAC[RANDOM].db | | unknown/db |
| C:\WINDOWS\_VOID[RANDOM]\ | | |
| C:\WINDOWS\_VOID[RANDOM]\_VOIDd.sys | System file | unknown/sys |
| C:\WINDOWS\system32\_VOID[RANDOM].dll | Dynamic link library | unknown/dll |
| C:\WINDOWS\system32\_VOID[RANDOM].dat | Data file | unknown/dat |
| C:\WINDOWS\system32\uacinit.dll | Dynamic link library | unknown/dll |
| C:\WINDOWS\system32\uactmp.db | | unknown/db |
| C:\WINDOWS\SYSTEM32\4DW4R3sv.dat | Data file | unknown/dat |
| C:\WINDOWS\SYSTEM32\4DW4R3c.dll | Dynamic link library | unknown/dll |
| C:\WINDOWS\SYSTEM32\4DW4R3[RANDOM].dll | Dynamic link library | unknown/dll |
| C:\WINDOWS\SYSTEM32\DRIVERS\4DW4R3.sys | System file | unknown/sys |
| C:\WINDOWS\SYSTEM32\DRIVERS\4DW4R3[RANDOM].sys | System file | unknown/sys |
| C:\WINDOWS\system32\drivers\_VOID[RANDOM].sys | System file | unknown/sys |
| C:\WINDOWS\system32\drivers\UAC[RANDOM].sys | System file | unknown/sys |
| C:\WINDOWS\Temp\_VOID[RANDOM]tmp | | |
| C:\WINDOWS\Temp\UAC[RANDOM].tmp | Temporary File | unknown/tmp |
| %Temp%\_VOID[RANDOM].tmp | Temporary File | unknown/tmp |
| %Temp%\UAC[RANDOM].tmp | Temporary File | unknown/tmp |
| C:\Documents and Settings\<username>\Application Data\_VOIDmainqt.dll | Dynamic link library | unknown/dll |
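The file list above can be turned into an offline indicator check. The following script is an added example, not code from the original page or from SpyHunter: it walks a directory tree, flags any file whose MD5 matches one of the hashes listed on this page, and flags directory and file names that fit the PRAGMA*, _VOID*, UAC* and 4DW4R3* naming patterns in the list. The regular expressions are my own generalisation of the listed names (the ten-letter lowercase suffix after PRAGMA is taken from the samples above; the other suffix patterns are assumptions), and the sample tree it scans is constructed inside the script, so nothing here touches a real %WINDIR%.

```python
"""Offline check of a file tree against the Rootkit.TDSS indicators on this page.

Added example; hashes are those listed on the page, name patterns are
heuristics derived from the listed paths, and the scanned tree is constructed.
"""
import hashlib
import os
import re
import shutil
import tempfile

# MD5 hashes from the page's "File System Modifications" table.
TDSS_MD5S = {
    "4fc1255817092de5c285440cf477035e", "4a2dccdd2a14acce0dc2bcfc01b01b15",
    "f4c09fd7833565264f8feb1349a558a1", "89b56f6143f7c1ad44cd10f46700b9da",
    "4a672d94142ea8056ff589377fb8339b", "0d72febb1914c0d7a379b9cc2f6bb8ff",
    "a3f92e9bf557198dc39d4045d2ec2144", "0aeb71ef75d921539e6e02dfa2c12e08",
    "c72311b8d604a3e3e9b36df733f30843", "184110fe4f5c6a4416b9decee90a2d9f",
    "5a7eef7dcdae6912afe7f50983d5520f", "c907276d48943001a4745b6d4e254c13",
    "9d39fe1b36199d5717cae14ed3680e67", "e671ab67d233cb4e87b1b679a92a0ed0",
    "b52194d21487e3cf2178950228552ac5", "aca6e953ff8d2f536fd1d297e0486734",
    "2b5b356793a655697edd8c58b2964fe2",
}

# Name heuristics generalised from the listed paths (assumption: the [RANDOM]
# part is alphanumeric). A name hit is weaker evidence than a hash hit.
TDSS_NAME_PATTERNS = [
    re.compile(r"^PRAGMA[a-z]{10}$", re.I),          # %WINDIR%\PRAGMAxxxxxxxxxx\ directory
    re.compile(r"^PRAGMAd\.sys$", re.I),             # driver inside that directory
    re.compile(r"^_VOID[a-z0-9]*\.?(sys|dll|dat|tmp)$", re.I),
    re.compile(r"^UAC[a-z0-9]+\.(sys|dll|dat|db|tmp)$", re.I),
    re.compile(r"^4DW4R3[a-z0-9]*\.(sys|dll|dat)$", re.I),
    re.compile(r"^(tcppid|isaxbox)\.sys$", re.I),
]

# Constructed stand-in for a driver body; the real sample bytes are not on the page.
SAMPLE_DRIVER_BYTES = b"not the real driver, constructed for the example"


def md5_of_bytes(data):
    return hashlib.md5(data).hexdigest()


def md5_of_file(path):
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root, known_md5s=TDSS_MD5S, patterns=TDSS_NAME_PATTERNS):
    """Return a list of (path, reason) for every directory or file that matches.

    Hash matches take precedence over name matches so the reason string tells the
    analyst which kind of evidence was found.
    """
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for d in dirnames:
            if any(p.match(d) for p in patterns):
                findings.append((os.path.join(dirpath, d), "directory name matches TDSS pattern"))
        for fn in filenames:
            full = os.path.join(dirpath, fn)
            digest = md5_of_file(full)
            if digest in known_md5s:
                findings.append((full, "md5 %s is a listed Rootkit.TDSS sample" % digest))
            elif any(p.match(fn) for p in patterns):
                findings.append((full, "file name matches TDSS pattern"))
    return findings


def summarize(findings):
    """Map basename -> reason, convenient for reporting and for the checks below."""
    return {os.path.basename(path): reason for path, reason in findings}


def build_sample_tree():
    """Constructed fixture: a fake %WINDIR% mixing benign names with TDSS-style ones."""
    root = tempfile.mkdtemp(prefix="tdss_demo_")
    layout = {
        "PRAGMAxtcorpftkp/PRAGMAd.sys": SAMPLE_DRIVER_BYTES,   # path from the page
        "system32/drivers/_VOIDhrotxiltat.sys": b"fake",       # path from the page
        "system32/uacinit.dll": b"fake",                       # path from the page
        "system32/kernel32.dll": b"benign",                    # must not be flagged
        "Temp/report.tmp": b"benign",                          # must not be flagged
    }
    for rel, data in layout.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    try:
        for path, reason in scan_tree(demo_root):
            print("%-60s %s" % (os.path.relpath(path, demo_root), reason))
    finally:
        shutil.rmtree(demo_root)
```

On the constructed tree the scan reports four items: the PRAGMAxtcorpftkp directory, its PRAGMAd.sys, the _VOID driver and uacinit.dll, while kernel32.dll and report.tmp are left alone. Because the real driver bytes are not on the page, the hash path is exercised by passing the MD5 of the constructed stand-in as the known set; against a live system the default TDSS_MD5S set would be used, and a name-only hit should be treated as a lead to verify rather than a confirmed infection.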
Agreed Chester. If the FBI are continuing to run these DNS servers, presumably they are recording the IP addresses of computers issuing incoming DNS requests. I also assume that any computers using US Government IP addresses have already been de-loused. How about either informing the ISPs issuing those IP addresses or posting those IP addresses on the net? I like the suggestion made by Michael S but suspect that most people will not understand that the page is genuine. It would look like a new form of false Anti-Virus.