Threat Information for "TDSS Rootkit"

StopSign will automatically remove this infection with a paid membership.

• Name: TDSS Rootkit
• Aliases:
• Date Discovered: 2009-04-02
• Protection Added: 2009-04-02

-- Ease of Removal

1: Runs as a service
2: Injects DLLs into running processes
3: Uses redundant/watcher processes
4: Hides running processes
5: Hides files
6: Hides registry entries
7: Uses rootkit functionality
8: Consistently named
9: Consistent file contents
10: Creates new registry entries with consistent data

-- Privacy Risks/Security Changes

1: Disables security software
2: Disables administrator tools
3: Logs browsing habits and visited websites
4: Mimics legitimate file names

-- Damage/Intrusion/Annoyance

1: Changes browser search settings
2: Displays targeted popup advertisements
3: Silently modifies other programs' information or website content as displayed
4: Significantly slows down the computer
5: Autoruns at startup without an option to be disabled
6: Creates new files

-- Propagation/Saturation

1: Infects from a link in an email
2: Infects from an email attachment
3: Infects with other exploitation method
4: Installed by other infections

• Added Directory/File:
  FilePath: %SYSTEMDIR%\tdss*.*
• Added Directory/File:
  FilePath: %TEMPDIR%\tdss*.*
• Added Registry Key:
  Key: HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv
• Added Registry Key:
  Key: HKLM\SYSTEM\CurrentControlSet\Services\abp470n5
• Added Registry Key:
  Key: HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\TDSSserv.sys
• Added Registry Key:
  Key: HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TDSSSERV
• Added Registry Key:
  Key: HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_abp470n5
• Added Registry Key:
  Key: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata
• Added Registry Key:
  Key: HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TDSSserv.sys