
Rootkit.TDSS

Posted: April 3, 2009

Threat Metric

Threat Level: 8/10
Infected PCs: 934
First Seen: November 30, 2010
OS(es) Affected: Windows

Rootkit.TDSS is a generic label for any one of many types of TDSS rootkit components (the TDSS family is also known as Alureon or Tidserv and is associated with DNS Changer) that create serious security violations on an infected PC. As a rootkit, Rootkit.TDSS uses especially advanced features to conceal itself and protect itself from deletion, and some variants of Rootkit.TDSS may even be able to run in Safe Mode. Regardless of which variants of Rootkit.TDSS are attacking your PC, SpywareRemove.com malware researchers have found that all types of Rootkit.TDSS infections are dangerous security attacks that can be involved in theft of private information, browser hijacks, the installation of additional types of PC threats, Distributed Denial-of-Service attacks and other forms of criminal control over your computer. You should use powerful and up-to-date anti-malware programs to find and remove Rootkit.TDSS, since manual detection or deletion of Rootkit.TDSS is, at best, an unreliable last resort.

Why You Will Not See Rootkit.TDSS... Unless You Have a Little Outside Help

Even though all rootkits are known for using stealth-related features, Rootkit.TDSS family rootkits are especially infamous for their advanced structures that allow them to avoid being noticed unless caught by appropriate security software. Variants of Rootkit.TDSS infections have been known to use memory-injection techniques to hide their activities inside normal system processes, to disguise themselves as malicious drivers or as .dll files, and even to scatter their components in a semi-random fashion throughout a hard drive. In most cases, a single Rootkit.TDSS file will be accompanied by other Rootkit.TDSS files that serve different functions (such as loading additional TDSS components or causing specific attacks like browser redirects).

Because Rootkit.TDSS is a generic label that can apply to many types of TDSS files, you may also see Rootkit.TDSS identified by a huge range of aliases that are dependent on the type of anti-malware scanner that you use to detect Rootkit.TDSS. A few examples of some of the many TDSS components that SpywareRemove.com malware experts have seen include BackDoor.Tdss.5070, BOO/Tdss.M, TDSS.e!rootkit, Rootkit TDSS.d and TDSS.d!men. Unless you've taken extra steps to stop Rootkit.TDSS from being loaded, you should assume that Rootkit.TDSS is active on your PC, even if Rootkit.TDSS doesn't show a distinct memory process or file.

Some of the Endless Heads of the Rootkit.TDSS Hydra

Attacks based on a Rootkit.TDSS infection can take a nearly infinite range of forms, given Rootkit.TDSS's ability to update its behavior based on instructions from a command-and-control server. Nonetheless, SpywareRemove.com malware researchers have found that some of Rootkit.TDSS's most common uses and behaviors include:

  • Web browser redirects to malicious sites. These sites can include phishing sites that try to steal private information or sites that install harmful software via drive-by-download scripts.
  • Software-blocking behavior that prevents you from using other programs. The programs most likely to be targeted by these Rootkit.TDSS attacks are those that could help you remove Rootkit.TDSS (such as anti-malware applications). In such instances, you may need to rename the program file or disable Rootkit.TDSS before you can access software that will delete Rootkit.TDSS in a safe manner.
  • The installation of other types of harmful software that may or may not be obviously visible. This can extend to keyloggers, Trojan droppers, worms or rogue security programs.

Aliases

  • Generic Trojan [Panda]
  • Generic16.BRWH [AVG]
  • Hacktool.Rootkit [Symantec]
  • Mal/Generic-A [Sophos]
  • BKDR_TIDIES.SMA [TrendMicro]
  • TR/Agent.42496.27 [AntiVir]
  • Trojan.Generic.3238155 [BitDefender]
  • Win32:Jifas-DT [Avast]
  • a variant of Win32/Olmarik.SR [NOD32]
  • Trojan.Agent.ATV [CAT-QuickHeal]
  • DNSChanger!dd [McAfee+Artemis]
  • Win32/ASuspect.HGOJO [eTrust-Vet]
  • TR/Crypt.XPACK.Gen3 [AntiVir]
  • Win32/Olmarik.XH [NOD32]
  • Win32:Rootkit-gen [Avast]

Use SpyHunter to Detect and Remove PC Threats

If you are concerned that malware or PC threats similar to Rootkit.TDSS may have infected your computer, we recommend you start an in-depth system scan with SpyHunter. SpyHunter is an advanced malware protection and remediation application that offers subscribers a comprehensive method for protecting PCs from malware, in addition to providing one-on-one technical support service.

Download SpyHunter's Malware Scanner

Note: SpyHunter's free version is only for malware detection. If SpyHunter detects malware on your PC, you will need to purchase SpyHunter's malware tool to remove the malware threats. Learn more on SpyHunter. If you would like to uninstall SpyHunter for any reason, please follow these uninstall instructions. To learn more about our policies and practices, visit our EULA, Privacy Policy and Threat Assessment Criteria.

Why can't I open any program including SpyHunter? You may have a malware file running in memory that kills any programs that you try to launch on your PC. Tip: Download SpyHunter from a clean computer, copy it to a USB thumb drive, DVD or CD, then install it on the infected PC and run SpyHunter's malware scanner.

Technical Details

File System Modifications

Tutorials: If you wish to learn how to remove malware components manually, you can read the tutorials on how to find malware, kill unwanted processes, remove malicious DLLs and delete other harmful files. Always be sure to back up your PC before making any changes.

The following files were created in the system:

%WINDIR%\PRAGMAxtcorpftkp\PRAGMAd.sys
  File name: PRAGMAd.sys
  Size: 52.73 KB (52736 bytes)
  MD5: 4fc1255817092de5c285440cf477035e
  Detection count: 230
  File type: System file
  Mime Type: unknown/sys
  Path: %WINDIR%\PRAGMAxtcorpftkp\
  Group: Malware file
  Last Updated: November 30, 2010

%WINDIR%\System32\drivers\_VOIDhrotxiltat.sys
  File name: _VOIDhrotxiltat.sys
  Size: 42.49 KB (42496 bytes)
  MD5: 89b56f6143f7c1ad44cd10f46700b9da
  Detection count: 31
  File type: System file
  Mime Type: unknown/sys
  Path: %WINDIR%\System32\drivers\
  Group: Malware file
  Last Updated: October 14, 2011

%WINDIR%\system32\tcppid.sys
  File name: tcppid.sys
  Size: 2.3 KB (2304 bytes)
  MD5: c72311b8d604a3e3e9b36df733f30843
  Detection count: 16
  File type: System file
  Mime Type: unknown/sys
  Path: %WINDIR%\system32\
  Group: Malware file
  Last Updated: December 8, 2010

%WINDIR%\system32\isaxbox.sys
  File name: isaxbox.sys
  Size: 2.3 KB (2304 bytes)
  MD5: 5a7eef7dcdae6912afe7f50983d5520f
  Detection count: 12
  File type: System file
  Mime Type: unknown/sys
  Path: %WINDIR%\system32\
  Group: Malware file
  Last Updated: December 8, 2010

C:\WINDOWS\system32\UAC[RANDOM].dat
  File type: Data file
  Mime Type: unknown/dat
  Group: Malware file

C:\WINDOWS\system32\UAC[RANDOM].dll
  File type: Dynamic link library
  Mime Type: unknown/dll
  Group: Malware file

C:\WINDOWS\system32\UAC[RANDOM].db
  Mime Type: unknown/db
  Group: Malware file

C:\WINDOWS\_VOID[RANDOM]\
  Group: Malware file

C:\WINDOWS\_VOID[RANDOM]\_VOIDd.sys
  File type: System file
  Mime Type: unknown/sys
  Group: Malware file

C:\WINDOWS\system32\_VOID[RANDOM].dll
  File type: Dynamic link library
  Mime Type: unknown/dll
  Group: Malware file

C:\WINDOWS\system32\_VOID[RANDOM].dat
  File type: Data file
  Mime Type: unknown/dat
  Group: Malware file

C:\WINDOWS\system32\uacinit.dll
  File type: Dynamic link library
  Mime Type: unknown/dll
  Group: Malware file

C:\WINDOWS\system32\uactmp.db
  Mime Type: unknown/db
  Group: Malware file

C:\WINDOWS\SYSTEM32\4DW4R3sv.dat
  File type: Data file
  Mime Type: unknown/dat
  Group: Malware file

C:\WINDOWS\SYSTEM32\4DW4R3c.dll
  File type: Dynamic link library
  Mime Type: unknown/dll
  Group: Malware file

C:\WINDOWS\SYSTEM32\4DW4R3[RANDOM].dll
  File type: Dynamic link library
  Mime Type: unknown/dll
  Group: Malware file

C:\WINDOWS\SYSTEM32\DRIVERS\4DW4R3.sys
  File type: System file
  Mime Type: unknown/sys
  Group: Malware file

C:\WINDOWS\SYSTEM32\DRIVERS\4DW4R3[RANDOM].sys
  File type: System file
  Mime Type: unknown/sys
  Group: Malware file

C:\WINDOWS\system32\drivers\_VOID[RANDOM].sys
  File type: System file
  Mime Type: unknown/sys
  Group: Malware file

C:\WINDOWS\system32\drivers\UAC[RANDOM].sys
  File type: System file
  Mime Type: unknown/sys
  Group: Malware file

C:\WINDOWS\Temp\_VOID[RANDOM]tmp
  Group: Malware file

C:\WINDOWS\Temp\UAC[RANDOM].tmp
  File type: Temporary File
  Mime Type: unknown/tmp
  Group: Malware file

%Temp%\_VOID[RANDOM].tmp
  File type: Temporary File
  Mime Type: unknown/tmp
  Group: Malware file

%Temp%\UAC[RANDOM].tmp
  File type: Temporary File
  Mime Type: unknown/tmp
  Group: Malware file

C:\Documents and Settings\All Users\Application Data\_VOIDmainqt.dll
  File type: Dynamic link library
  Mime Type: unknown/dll
  Group: Malware file
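As an added example (not code from this page or from SpywareRemove.com), the following Python matcher applies a subset of the file indicators listed above to a file inventory: it expands the [RANDOM] placeholder into a wildcard, matches paths case-insensitively as NTFS does, and checks the four MD5s the page gives so that a sample scattered to an unlisted location is still caught. The %WINDIR% and %Temp% values are assumed defaults, and the inventory in the test is constructed.

```python
import re
# Constructed defaults for the environment variables used in the page's paths
# (assumptions for this example, not values taken from the page).
WINDIR = r"C:\WINDOWS"
TEMP = r"C:\Documents and Settings\user\Local Settings\Temp"
# A representative subset of the path indicators listed above; [RANDOM]
# marks a name component that differs from one infection to the next.
PATH_INDICATORS = [
    r"%WINDIR%\PRAGMAxtcorpftkp\PRAGMAd.sys",
    r"%WINDIR%\System32\drivers\_VOIDhrotxiltat.sys",
    r"%WINDIR%\system32\tcppid.sys",
    r"C:\WINDOWS\system32\UAC[RANDOM].dll",
    r"C:\WINDOWS\system32\UAC[RANDOM].dat",
    r"C:\WINDOWS\_VOID[RANDOM]\_VOIDd.sys",
    r"C:\WINDOWS\SYSTEM32\DRIVERS\4DW4R3[RANDOM].sys",
    r"C:\WINDOWS\system32\drivers\_VOID[RANDOM].sys",
    r"%Temp%\UAC[RANDOM].tmp",
    r"C:\Documents and Settings\All Users\Application Data\_VOIDmainqt.dll",
]
# The MD5s the page gives for its four hashed driver samples.
KNOWN_MD5 = {
    "4fc1255817092de5c285440cf477035e": "PRAGMAd.sys",
    "89b56f6143f7c1ad44cd10f46700b9da": "_VOIDhrotxiltat.sys",
    "c72311b8d604a3e3e9b36df733f30843": "tcppid.sys",
    "5a7eef7dcdae6912afe7f50983d5520f": "isaxbox.sys",
}

def indicator_to_regex(indicator):
    """Expand the env vars, escape the literal path, then turn [RANDOM] into
    'one or more non-separator characters'. Case-insensitive, as NTFS paths are."""
    path = indicator.replace("%WINDIR%", WINDIR).replace("%Temp%", TEMP)
    pattern = re.escape(path).replace(re.escape("[RANDOM]"), r"[^\\]+")
    return re.compile("^" + pattern + "$", re.IGNORECASE)

COMPILED = [(ind, indicator_to_regex(ind)) for ind in PATH_INDICATORS]

def scan(inventory):
    """inventory: iterable of (full_path, md5_hex_or_None), e.g. gathered by
    walking the disk from clean boot media. Returns a list of (path, reason).
    A hash hit is reported even at an unlisted path (a scattered copy)."""
    hits = []
    for path, md5 in inventory:
        for ind, rx in COMPILED:
            if rx.match(path):
                hits.append((path, "path matches " + ind))
                break
        if md5 and md5.lower() in KNOWN_MD5:
            hits.append((path, "MD5 matches " + KNOWN_MD5[md5.lower()]))
    return hits
```

Because the inventory is passed in rather than read live, the same function can be run over a listing exported from the infected disk while it is mounted offline, which sidesteps the rootkit's own file hiding.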

One Comment

  • Santhosh says:

    Agreed Chester. If the FBI are continuing to run these DNS servers, presumably they are recording the IP addresses of computers issuing incoming DNS requests. I also assume that any computers using US Government IP addresses have already been de-loused. How about either informing the ISPs issuing those IP addresses or posting those IP addresses on the net? I like the suggestion made by Michael S but suspect that most people will not understand that the page is genuine. It would look like a new form of false Anti-Virus.