TDSS.a!mem

Type: Trojan
SubType:
Discovery Date: 01/06/2010
Length:
Minimum DAT: 5853 (01/06/2010)
Updated DAT: 5853 (01/06/2010)
Minimum Engine: 5.2.00
Description Added: 01/07/2010
Description Modified: 01/12/2010 5:58 PM (PT)

Risk Assessment
Corporate User: Low
Home User: Low

Characteristics

This infection spreads through a dropper which, when run, drops its files into the last sectors of the hard disk, outside the file system.

This rootkit infects Windows system drivers to ensure it is loaded at startup. It examines the stack of devices that handles the hard drive's I/O to determine which driver to infect: atapi.sys if the machine uses IDE, or iastor.sys if it uses the SATA interface. It then overwrites 824 bytes of the resource section of the chosen file and creates a fake driver object to hijack every I/O operation.

The dropper, infected file and the malicious hooks are also detected as shown below:


Symptoms

Method of Infection

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed when cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

N/A

Overview

Rootkits are programs (device drivers) that can potentially be used with any malware to hide, or stealth, files, processes, registry keys, and network connections. Generic RootKit.d is one of the generic detections for this class of malicious programs.
