Analysis by: Karl Dominguez

 PLATFORM:

Windows 2000, XP, Server 2003

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:

  • Threat Type: Trojan

  • Destructiveness: No

  • Encrypted: Yes

  • In the wild: Yes

  OVERVIEW

It is a component file of other BKDR_TDSS malware to hide its processes and files from the user. It is also responsible for ensuring that the Master Boot Record of the system is infected.

This Trojan may arrive bundled with malware packages as a malware component. It may be dropped by other malware. It may be dropped by other malware.

It is a component of other malware.

Its rootkit functionalities are used by other malware/grayware.

  TECHNICAL DETAILS

Tipo de compactação: 20,992 bytes
Tipo de arquivo: SYS
Residente na memória: Yes
Data de recebimento das amostras iniciais: 06 Apr 2011

Arrival Details

This Trojan may arrive bundled with malware packages as a malware component.

It may be dropped by other malware.

It may be dropped by the following malware:

  • BKDR_TDSS.KARU

Installation

This Trojan is a component of other malware.

Rootkit Capabilities

This Trojan s rootkit functionalities are used by other malware/grayware.

Other Details

This Trojan does the following:

  • Hides processes and files from the user. This malware is a component file of other BKDR_TDSS. This file has usually two versions, one for 32-bit and one for 64-bit systems. This file is also responsible for ensuring that the Master Boot Record of the system is infected.

  SOLUTION

Mecanismo de varredura mínima: 8.900
Primeiro arquivo padrão VSAPI: 7.956.14
Data do lançamento do primeiro padrão VSAPI: 08 Apr 2011
VSAPI OPR Pattern Version: 7.957.00
VSAPI OPR Pattern veröffentlicht am: 08 Apr 2011

Step 1

For Windows XP and Windows Server 2003 users, before doing any scans, please make sure you disable System Restore to allow full scanning of your computer.

Step 2

Remove malware files dropped/downloaded by RTKT_TDSS.KARUD

Step 3

Scan your computer with your Trend Micro product to delete files detected as RTKT_TDSS.KARUD. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.


Did this description help? Tell us how we did.