The TDSS trojan, also known as Backdoor.Tidserv [PCTools], Backdoor.Tidserv.I!inf [Symantec], Rootkit.Win32.TDSS.y [Kaspersky Lab], Patched-SYSFile.a [McAfee], Mal/TDSSRt-A [Sophos] and Virus:Win32/Alureon.F [Microsoft], is very dangerous. It installs onto your computer through a vulnerability in an already installed program (mostly Internet Explorer) or with the help of rogue antispyware programs. The TDSS trojan uses rootkit-specific techniques designed to hide its presence in the system. It is practically undetectable by standard Windows tools: you will not find its files on the disk, nor any entries for it in the Windows registry.
When installed, it will be configured to start automatically when Windows starts. While it is running, the TDSS (Backdoor.Tidserv, Alureon) trojan may:
- display a lot of popups and fake security alerts
- hijack Internet Explorer
- redirect search results in Google, Yahoo, MSN to non related sites
- block access to security websites
- disable Windows Task Manager, Windows Security Center and Registry editor
McAfee has released a free rootkit remover, a program designed and developed by McAfee Avert Labs to proactively detect and clean rootkits that are running on the system.
Sophos Anti-Rootkit is a free tool that finds and removes rootkits hidden on your computer. Removing rootkits without compromising system integrity is particularly challenging and needs to be done with care.
F-Secure has reported on the Mailbot family, which uses hidden data streams to conceal itself.
Let’s take Mailbot.AZ (aka Rustock.A) as an example.
Mailbot.AZ is a kernel-mode rootkit that modifies the kernel to hide its presence on the compromised system. It contains an encrypted payload that will be executed in the context of a process named “services.exe”. The payload is a Spamtool with backdoor capabilities.
There’s only a single component lying on the disk, and that is a kernel-mode driver. It’s stored as a hidden data stream attached to the system32 folder (yes, folders can have data streams as well)! Saving data into an Alternate Data Stream is usually enough to hide it from many tools. In this case, however, the stream is further hidden using rootkit techniques, which makes detection and removal quite challenging. Because Mailbot.AZ is hiding something that’s not readily visible to begin with, it’s very likely that many security products will have a tough time dealing with this one.
F-Secure has just released a new version of its BlackLight rootkit scanner (Build 2.2.1041) that can detect current variants of Mailbot.
To remove the infection, perform the following steps:
- Reboot your system into the Windows Recovery Console (using your Windows installation CD).
- Copy a non-executable file from the Windows directory over the Alternate Data Stream. For example, run the following command:
  copy c:\windows\win.ini c:\windows\system32:18467
Please note that the copy command will report failure, but the malicious stream has actually been truncated to zero length.
June 23, 2006, 9:21 am
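As an added example, not code from the original post or from F-Secure, the following PowerShell enumerates named Alternate Data Streams attached to directories (not files) under a root path, which is exactly where Mailbot.AZ parks its driver. It assumes PowerShell 3 or later (the -Stream parameter of Get-Item and Remove-Item); the default scan root and the Zone.Identifier allow-list are my assumptions.

```powershell
# Added example: find named data streams attached to DIRECTORIES.
# Directories have no unnamed ::$DATA stream, so any stream reported
# here was deliberately attached to the folder by something.
param(
    [string]$Root = $env:SystemRoot   # assumption: scan the Windows directory
)

function Get-DirectoryStreams {
    param([string]$Path)

    # The root itself plus every subdirectory, hidden ones included
    $dirs = @(Get-Item -LiteralPath $Path -Force) +
            @(Get-ChildItem -LiteralPath $Path -Directory -Recurse -Force -ErrorAction SilentlyContinue)

    foreach ($dir in $dirs) {
        Get-Item -LiteralPath $dir.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' } |
            ForEach-Object {
                [pscustomobject]@{
                    Directory  = $dir.FullName
                    Stream     = $_.Stream
                    Length     = $_.Length
                    # Zone.Identifier (Mark-of-the-Web) is the one stream
                    # commonly seen on folders; anything else deserves a look
                    Suspicious = ($_.Stream -ne 'Zone.Identifier')
                }
            }
    }
}

$findings = Get-DirectoryStreams -Path $Root
$findings | Sort-Object Directory | Format-Table -AutoSize

# Once a stream is confirmed malicious, it can be removed from a clean
# environment with the -Stream parameter, e.g.:
#   Remove-Item -LiteralPath 'C:\Windows\System32' -Stream '18467'
# (stream name taken from the F-Secure removal command above)
```

Because the rootkit hooks hide the stream while the driver is running, a scan of the live infected system may come back empty; run it from a clean boot environment, or after removal, to confirm the stream is actually gone.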
My Anti Spyware - Free antispyware programs and Spyware Removal Instructions.