TDSS.d!men

Posted: August 12, 2011

TDSS.d!men is an advanced variation on earlier rootkits that can be configured to perform a broad range of attacks on your PC. Because TDSS.d!men and similar rootkits use sophisticated tactics to avoid detection, only a powerful and well-updated anti-malware program is capable of finding or removing TDSS.d!men. TDSS.d!men may be used to install other harmful programs onto your computer, including Trojans, spyware, browser hijackers, viruses and worms, to name a few possibilities. When removing TDSS.d!men with appropriate software, make sure it is completely eradicated: TDSS.d!men may have multiple components and hides itself deep in your system.

A Look Through TDSS.d!men's Sordid History

TDSS.d!men comes from a long line of particularly sophisticated rootkits that can be directed to carry out general-purpose attacks on your computer's security and privacy. The TDSS.d!men family started with the original TDSS Rootkit, which went through variations such as TDL2 Rootkit and TDL3 Rootkit before arriving at its most recent upgrade, TDSS.d!men. Because these rootkits are built from multiple components, different parts of a TDSS.d!men or similar rootkit infection can be identified by slightly different labels. Some prominent TDSS.d!men components that SpywareRemove.com malware analysts have found include Virus:Win32/Alureon.H, Virus:Win32/Alureon.DN and the Google Redirect Virus.

TDSS.d!men is an opportunist with no single, explicitly-defined means of infecting your PC; instead, TDSS.d!men and related Trojans may attack by multiple methods, including drive-by-download scripts, fake codecs and media updates, and bundles with programs distributed on P2P networks and criminal software websites.

The Corrupt System Boot That TDSS.d!men Wants You to Use

TDSS.d!men's most defining trait is its tendency to contaminate the Master Boot Record, or MBR. This allows TDSS.d!men to avoid detection by less-advanced anti-malware programs, and lets TDSS.d!men launch itself and take action without requiring you to do anything to trigger TDSS.d!men's attacks. The following is a list of what the SpywareRemove.com malware research team has found to be some of the most commonly used attacks for TDSS.d!men and other rootkits in its family:

  • Browser hijacks. Hijacker components of TDSS.d!men may change your homepage, redirect you to harmful websites or display fake errors that block benign websites.
  • Security attacks. You may discover that your network ports have been opened, that your firewall is making exceptions for unusual programs or that you're unable to run various types of security-related programs, including anti-virus scanners.
  • The installation of other malicious software, particularly rogue security programs like Kaspersky Internet Security 2011 Enhanced Protection Mode, WolfRam AntiVirus, Windows Salvage System, Best Antivirus and Antivirus Antimalware 2011.

In addition to having appropriate software for removing TDSS.d!men, it's also important to use the correct scanning procedures. SpywareRemove.com malware analysts take pains to stress that any system scan that bypasses or ignores the Master Boot Record (as is the case with most 'quick scan' options, for example) will not remove all of the TDSS.d!men rootkit. Because TDSS.d!men is also a very recently-defined PC threat as of August 2011, having the latest updates for your anti-malware software is also a vital step in getting rid of TDSS.d!men infestations.
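The reason a quick scan misses an MBR infection is that the boot code in sector 0 runs before the operating system and is not a file any file-based scanner walks. The following is an added example, not code from the original article or from SpywareRemove.com, showing the defender-side check that does cover that region: parse a 512-byte sector image, hash the 446-byte boot-code area and compare it against a hash recorded when the machine was known to be clean. The sector images and the baseline hash are constructed inside the script; the layout constants are the standard MBR layout, nothing specific to TDSS.d!men is assumed.

```python
"""Baseline check for a 512-byte Master Boot Record image.

Added example (not from the original article or from SpywareRemove.com): an
MBR rootkit takes control before the operating system by replacing the boot
code in sector 0, so the check is to compare that boot code with a hash taken
when the machine was known to be clean. All sectors below are constructed;
no real disk is read.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_END = 446            # bytes 0..445: boot code, the region a bootkit overwrites
PART_TABLE_END = 510           # bytes 446..509: four 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xAA"   # bytes 510..511: mandatory MBR signature


def parse_mbr(sector: bytes) -> dict:
    """Split a raw sector into boot-code hash, partition entries and signature flag."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE}-byte sector, got {len(sector)}")
    partitions = []
    for i in range(4):
        entry = sector[BOOT_CODE_END + 16 * i: BOOT_CODE_END + 16 * (i + 1)]
        status, ptype = entry[0], entry[4]
        lba_start, sector_count = struct.unpack_from("<II", entry, 8)
        partitions.append({
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "sectors": sector_count,
        })
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_END]).hexdigest(),
        "partitions": partitions,
        "signature_ok": sector[PART_TABLE_END:] == BOOT_SIGNATURE,
    }


def check_mbr(sector: bytes, baseline_sha256: str) -> list[str]:
    """Return a list of findings; an empty list means the sector matches the baseline."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if info["boot_code_sha256"] != baseline_sha256:
        findings.append("boot code differs from baseline")
    bootable = [p for p in info["partitions"] if p["bootable"]]
    if len(bootable) != 1:
        findings.append(f"{len(bootable)} partitions flagged bootable (expected 1)")
    return findings


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Construct a sector with one bootable type-0x07 partition starting at LBA 2048."""
    boot_code = boot_code.ljust(BOOT_CODE_END, b"\x00")
    # status, CHS start (ignored here), type, CHS end (ignored here), LBA start, sector count
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00", 2048, 1_000_000)
    table = entry + b"\x00" * 48          # remaining three entries empty
    return boot_code + table + BOOT_SIGNATURE


# Constructed "clean" boot code: a JMP stub followed by zero padding.
CLEAN_MBR = build_sample_mbr(b"\xEB\x3C\x90")
# In practice this hash is recorded at deployment time and stored off-host.
BASELINE_SHA256 = parse_mbr(CLEAN_MBR)["boot_code_sha256"]

# Constructed "tampered" boot code: same stub, but bytes inside the code region changed.
TAMPERED_MBR = build_sample_mbr(b"\xEB\x3C\x90" + b"\x00" * 0x100 + b"\xFF" * 8)

if __name__ == "__main__":
    for label, image in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        print(label, check_mbr(image, BASELINE_SHA256) or ["ok"])
```

On a live Windows host the sector would be the first 512 bytes of the physical disk (an assumption about deployment, not something the article covers). Because a rootkit that is already running can filter what the operating system returns for disk reads, read the sector from a rescue environment or from an offline disk image rather than from within the infected installation; that is the same reason the article stresses scans that do not skip the MBR.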

Technical Details

File System Modifications

The following files were created in the system:

  • File name: %UserProfile%\804127477.exe
    File type: Executable File
    Mime Type: unknown/exe
  • File name: %UserProfile%\r
  • File name: %AppData%\Ncxaxn.exe
    File type: Executable File
    Mime Type: unknown/exe

Registry Modifications

The following Registry values are created:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\PchSvc] DataCollection =
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] 804127477 = "%UserProfile%\804127477.exe"
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ServiceCurrent] (Default) =
  • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ServiceCurrent] (Default) =
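Of the values listed, the Run entry is the one that persists the dropper: it starts an executable with a purely numeric name from the user profile at every logon. The following is an added example, not code from the original article or from SpywareRemove.com, that turns that observation into a triage check: it parses a Windows registry export in .reg text format and flags Run/RunOnce values whose target lives under %UserProfile% or %AppData%, noting numeric filenames separately. The export text is constructed for the example; the "Ncxaxn" Run value is an assumption modelled on the dropped file above, since the article lists the file but not a Run entry for it, and "ExampleUpdater" is a made-up benign entry.

```python
"""Triage Run-key persistence in a Windows registry export (.reg text).

Added example (not from the original article or from SpywareRemove.com). The
export text below is constructed; the "Ncxaxn" autorun value is assumed from
the dropped file name and "ExampleUpdater" is a made-up benign entry.
"""
import re

KEY_RE = re.compile(r"^\[(.+)\]$")
# "name"="data"  or  @="data"; group 3 is the raw (still escaped) data part.
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')
RUN_KEY_SUFFIXES = (r"\software\microsoft\windows\currentversion\run",
                    r"\software\microsoft\windows\currentversion\runonce")
PROFILE_PREFIXES = ("%userprofile%", "%appdata%")


def _unescape(data: str) -> str:
    """Undo .reg escaping of backslashes and double quotes."""
    return re.sub(r"\\(.)", r"\1", data)


def parse_reg_export(text: str) -> dict[str, dict[str, str]]:
    """Return {key_path: {value_name: string_data}} for string values in the export."""
    result, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            result.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = "(Default)" if m.group(2) else _unescape(m.group(1))
            data = m.group(3)
            if data.startswith('"') and data.endswith('"'):   # REG_SZ only; dword:/hex: skipped
                result[current][name] = _unescape(data[1:-1])
    return result


def _target_path(command: str) -> str:
    """Extract the executable path from an autorun command line (quoted or bare)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def find_profile_autoruns(values: dict[str, dict[str, str]]) -> list[dict]:
    """Flag Run/RunOnce values that start a binary from a user-writable profile path."""
    findings = []
    for key, entries in values.items():
        if not key.lower().endswith(RUN_KEY_SUFFIXES):
            continue
        for name, command in entries.items():
            path = _target_path(command)
            if not path.lower().startswith(PROFILE_PREFIXES):
                continue
            reasons = ["launched from user profile"]
            stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
            if stem.isdigit():
                reasons.append("numeric filename")
            findings.append({"key": key, "name": name, "path": path, "reasons": reasons})
    return findings


# Constructed .reg export modelled on the values listed above (not a real capture).
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"804127477"="%UserProfile%\\804127477.exe"
"Ncxaxn"="%AppData%\\Ncxaxn.exe"
"ExampleUpdater"="\"C:\\Program Files\\Example\\updater.exe\" /background"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\PchSvc]
"DataCollection"=""
'''

if __name__ == "__main__":
    for f in find_profile_autoruns(parse_reg_export(SAMPLE_EXPORT)):
        print(f["name"], f["path"], ", ".join(f["reasons"]))
```

A real export comes from `reg export` on the Run key; that tool writes UTF-16 text, so open the file with `encoding="utf-16"` before passing it to `parse_reg_export`. Legitimate software does sometimes autorun from %AppData%, so a hit is a triage signal rather than a verdict, and an export taken from inside the infected installation can be incomplete if the rootkit is hiding its own entries, which is why an offline hive from a rescue environment is the more reliable source.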