Threat Information for "TDSS Rootkit"

Summary
  • Name: TDSS Rootkit
  • Aliases:
  • Date Discovered: 2009-04-02
  • Protection Added: 2009-04-02
Description
-- Ease of Removal

1: Runs as a service
2: Injects DLLs into running processes
3: Uses redundant/watcher processes
4: Hides running processes
5: Hides files
6: Hides registry entries
7: Uses rootkit functionality
8: Consistently named
9: Consistent file contents
10: Creates new registry entries with consistent data

-- Privacy Risks/Security Changes

1: Disables security software
2: Disables administrator tools
3: Logs browsing habits and visited websites
4: Mimics legitimate file names

-- Damage/Intrusion/Annoyance

1: Changes browser search settings
2: Displays targeted popup advertisements
3: Silently modifies other programs' information or website content as displayed
4: Significantly slows down the computer
5: Runs automatically at startup with no option to disable it
6: Creates new files

-- Propagation/Saturation

1: Infects from a link in an email
2: Infects from an email attachment
3: Infects via other exploitation methods
4: Installed by other infections
Technical Details
  • Added Directory/File:
    FilePath: %SYSTEMDIR%\tdss*.*
  • Added Directory/File:
    FilePath: %TEMPDIR%\tdss*.*
  • Added Registry Key:
    Key: HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\TDSSserv.sys
  • Added Registry Key:
    Key: HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TDSSSERV
  • Added Registry Key:
    Key: HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_abp470n5
  • Added Registry Key:
    Key: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata
  • Added Registry Key:
    Key: HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TDSSserv.sys
  • Added Registry Key:
    Key: HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv
  • Added Registry Key:
    Key: HKLM\SYSTEM\CurrentControlSet\Services\abp470n5