BKDR_TDSS.ASH
Aliases: Trojan-Dropper.Win32.TDSS.anzf (Kaspersky); Trojan horse Cryptic.CWA (AVG)
Platform: Windows 2000, Windows XP, Windows Server 2003
It monitors the browsing habits of the user and sends the information to certain URLs when certain strings are found in the Web address. It can also modify the search results returned by search engines to trick users into clicking malicious links and/or to display advertisements.
It modifies the Master Boot Record (MBR) of the affected system so that its code loads before the operating system boots.
It writes its component files to the last sectors of the hard disk, where they are not visible as ordinary files.
This backdoor may be downloaded by other malware/grayware from remote sites.
It deletes the DHCP-assigned TCP/IP registry values (DNS server, default gateway, subnet mask and domain), which can cause network-dependent applications and programs to stop functioning properly.
It connects to certain websites to send and receive information.
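Because the MBR change and the end-of-disk storage are the parts of this infection that a file scan does not see, the following added example (written for this page, not code from Trend Micro or from the malware) shows how to triage sector 0 of a disk: it parses the partition table, hashes the 446-byte boot code for comparison against a baseline, and locates the unpartitioned tail after the last partition. The baseline hash is assumed to come from a clean install of the same Windows version; the MBR samples, disk size and boot-code bytes are constructed for the example. Some slack after the last partition is normal on cylinder-aligned disks, so the tail is reported as the region to image and inspect rather than flagged as an infection by itself.

```python
"""Parse a Master Boot Record, hash its boot code and locate the unallocated
tail of the disk. Added example for triaging a disk suspected of a TDSS-style
MBR modification; it is not code from the Trend Micro page."""
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 446           # bytes 0..445: boot loader code (the part a bootkit replaces)
PART_TABLE_OFF = 446          # four 16-byte partition entries follow the code
MBR_SIGNATURE = b"\x55\xAA"   # bytes 510..511
ENTRY_FMT = "<B3xB3xII"       # status, CHS start (skipped), type, CHS end (skipped), LBA start, count


def parse_mbr(mbr: bytes) -> dict:
    """Split one 512-byte sector into boot-code hash, partition list and signature check."""
    if len(mbr) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        status, ptype, start, count = struct.unpack_from(ENTRY_FMT, mbr, PART_TABLE_OFF + 16 * i)
        if ptype == 0 and count == 0:
            continue                      # unused slot
        partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                           "lba_start": start, "lba_end": start + count - 1})
    return {"boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest(),
            "partitions": partitions,
            "signature_ok": mbr[510:512] == MBR_SIGNATURE}


def unallocated_tail(parsed: dict, disk_sectors: int) -> tuple:
    """(first LBA, sector count) of the space after the last partition. A bootkit can
    keep a hidden file system here, so this is the region to image and inspect."""
    if not parsed["partitions"]:
        return 0, disk_sectors
    last_end = max(p["lba_end"] for p in parsed["partitions"])
    return last_end + 1, max(0, disk_sectors - 1 - last_end)


def assess_mbr(mbr: bytes, disk_sectors: int, known_good_boot_hash: str) -> dict:
    """Compare the boot code with a baseline hash (assumed to be taken from a clean
    install of the same Windows version) and report where the disk tail is."""
    parsed = parse_mbr(mbr)
    findings = []
    if not parsed["signature_ok"]:
        findings.append("missing 0x55AA signature")
    if parsed["boot_code_sha256"] != known_good_boot_hash:
        findings.append("boot code differs from the known-good baseline")
    tail_start, tail_len = unallocated_tail(parsed, disk_sectors)
    return {"findings": findings, "tail_start_lba": tail_start, "tail_sectors": tail_len}


def read_mbr(path: str) -> bytes:
    """Read sector 0 from a raw device or image, e.g. r'\\.\PhysicalDrive0' on Windows
    (administrator rights needed) or /dev/sda on Linux (root needed)."""
    with open(path, "rb") as f:
        return f.read(SECTOR)


def build_mbr(boot_code: bytes, partitions: list, signature: bytes = MBR_SIGNATURE) -> bytes:
    """Constructed-sample builder: partitions are (status, type, lba_start, sector_count)."""
    sector = bytearray(SECTOR)
    code = boot_code[:BOOT_CODE_LEN]
    sector[:len(code)] = code
    for i, (status, ptype, start, count) in enumerate(partitions):
        struct.pack_into(ENTRY_FMT, sector, PART_TABLE_OFF + 16 * i, status, ptype, start, count)
    sector[510:512] = signature
    return bytes(sector)


# Constructed samples (not real disk data): a 10 GiB disk with one NTFS partition
# starting at LBA 63 and 1008 sectors of slack at the end.
DISK_SECTORS = 20_971_520
CLEAN_BOOT = b"\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"\x00" * (BOOT_CODE_LEN - 7)   # stand-in boot code
TABLE = [(0x80, 0x07, 63, DISK_SECTORS - 63 - 1008)]
CLEAN_MBR = build_mbr(CLEAN_BOOT, TABLE)
CLEAN_BOOT_HASH = parse_mbr(CLEAN_MBR)["boot_code_sha256"]
# Same partition table, first instruction replaced by a jump into injected code.
INFECTED_MBR = build_mbr(b"\xEB\x3C\x90" + CLEAN_BOOT[3:], TABLE)

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN_MBR), ("modified", INFECTED_MBR)):
        print(label, assess_mbr(sample, DISK_SECTORS, CLEAN_BOOT_HASH))
```

To check a live disk, replace the samples with `read_mbr(r"\\.\PhysicalDrive0")` run as administrator and the sector count reported by the disk; comparing a hash of the boot code rather than the bytes themselves is what makes the check cheap to run across many hosts that share the same OS build.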
File Size: 147,968 bytes
File Type: EXE
Initial Samples Received Date: 26 May 2011
Payload: Modifies files, Connects to URLs/IPs
Arrival Details
This backdoor may be downloaded by the following malware/grayware from remote sites:
It may be downloaded from the following remote site(s):
Installation
This backdoor adds the following mutexes to ensure that only one of its copies runs at any one time:
Other System Modifications
This backdoor deletes the following files:
(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)
It adds the following registry entries:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile\GloballyOpenPorts\
List
67:UDP = "67:UDP:EnabledHCP Server"
(Note: UDP port 67 is the port a DHCP server listens on; this entry opens it inbound in the Windows Firewall. Entries in this list normally take the form port:protocol:scope:Enabled:description, for example 67:UDP:*:Enabled:DHCP Server.)
HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer\main\FeatureControl\
FEATURE_BROWSER_EMULATION
{executable name} = "{hex value}"
(Note: This per-executable setting selects the document mode the Internet Explorer rendering engine uses when it is hosted inside the named program.)
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings
maxhttpredirects = "{hex value}"
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings
enablehttp1_1 = "1"
It modifies the following registry entries:
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings\
zones\3
1601 = "0"
(Note: The default value data of the said registry entry is 1. In zone 3, the Internet zone, value 1601 controls "Submit non-encrypted form data"; 0 lets form data be sent over unencrypted connections without a prompt.)
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings\
zones\3
1400 = "0"
(Note: The default value data of the said registry entry is 0. Value 1400 controls "Active scripting"; 0 enables it.)
HKEY_USERS\.DEFAULT\Software\
Microsoft\Internet Explorer\International
acceptlanguage = "{locale}"
(Note: The default value data of the said registry entry is {user defined}.)
It deletes the following registry entries:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Tcpip\Parameters
DhcpNameServer = "{Preferred DNS}"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Tcpip\Parameters
DhcpDomain = "localdomain"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Tcpip\Parameters\
Interfaces\{Adapter ID}
DhcpNameServer = "{Preferred DNS}"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Tcpip\Parameters\
Interfaces\{Adapter ID}
DhcpDefaultGateway = "{Default Gateway}"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Tcpip\Parameters\
Interfaces\{Adapter ID}
DhcpDomain = "localdomain"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Tcpip\Parameters\
Interfaces\{Adapter ID}
DhcpSubnetMaskOpt = "{Subnet Mask}"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\{Adapter ID}\Parameters\
Tcpip
DhcpDefaultGateway = "{Default Gateway}"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\{Adapter ID}\Parameters\
Tcpip
DhcpSubnetMaskOpt = "{Subnet Mask}"
(Note: Values whose names begin with Dhcp are written by the DHCP Client service when an adapter obtains a lease; {Adapter ID} is the GUID of the affected network interface. Deleting them removes the DNS server, default gateway, subnet mask and domain the adapter had been assigned.)
Backdoor Routine
This backdoor connects to the following websites to send and receive information:
Other Details
This backdoor connects to the following website to send and receive information:
NOTES:
It monitors the browsing habits of the user and sends the information to the URLs mentioned above when the following strings are found in the Web address. It can also modify the search results returned by search engines to trick users into clicking malicious links and/or to display advertisements:
It modifies the Master Boot Record (MBR) of the affected system so that its code loads before the operating system boots.
It writes the following files at the end of the hard disk to hide its component files:
Minimum Scan Engine: 8.900
First VSAPI Pattern File: 8.182.06
First VSAPI Pattern Release Date: 26 May 2011
Step 1
For Windows XP and Windows Server 2003 users, before doing any scans, please make sure you disable System Restore to allow full scanning of your computer.
Step 2
Remove malware files dropped/downloaded by BKDR_TDSS.ASH
Step 3
Restore your system's Master Boot Record (MBR)
To restore your system's Master Boot Record (MBR):
Step 4
Delete this registry value
Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.
Step 5
Restore this modified registry value
Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.
Step 6
Scan your computer with your Trend Micro product to delete files detected as BKDR_TDSS.ASH. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.
Step 7
Restore from backup any files this malware deleted; only Microsoft-related files will be restored, so if this malware/grayware also deleted files belonging to programs that are not from Microsoft, reinstall those programs on your computer. Then restore the following deleted registry values. They are written by the DHCP Client service when an adapter obtains a lease, so releasing and renewing the lease (ipconfig /release followed by ipconfig /renew) recreates them on DHCP-configured adapters; adapters with static addresses do not have these values and need nothing restored.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Tcpip\Parameters
DhcpNameServer = {Preferred DNS}
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Tcpip\Parameters
DhcpDomain = localdomain
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Tcpip\Parameters\
Interfaces\{Adapter ID}
DhcpNameServer = {Preferred DNS}
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Tcpip\Parameters\
Interfaces\{Adapter ID}
DhcpDefaultGateway = {Default Gateway}
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Tcpip\Parameters\
Interfaces\{Adapter ID}
DhcpDomain = localdomain
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Tcpip\Parameters\
Interfaces\{Adapter ID}
DhcpSubnetMaskOpt = {Subnet Mask}
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\{Adapter ID}\Parameters\
Tcpip
DhcpDefaultGateway = {Default Gateway}
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\{Adapter ID}\Parameters\
Tcpip
DhcpSubnetMaskOpt = {Subnet Mask}
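Steps 4, 5 and 7 each act on one class of registry change listed on this page (an added value, a modified value, deleted DHCP values). The following added example (written for this page, not a Trend Micro tool) audits a host for all three so the steps can be confirmed before and after cleanup. It assumes the value to delete in Step 4 is the GloballyOpenPorts 67:UDP entry and the value to restore in Step 5 is the zone 3 setting 1601, since the page's own lists for those steps are not reproduced here; the interface GUID and the snapshot contents are constructed. The check is a pure function over a snapshot dictionary, so it runs offline against test data; the collector that fills the snapshot from the live registry uses the standard-library winreg module and therefore runs only on Windows.

```python
"""Audit a host for the registry indicators this page lists for BKDR_TDSS.ASH.
Added example, not Trend Micro's tool. check_indicators() works on a snapshot
dict {key path: {value name: data}}; collect_snapshot() builds one from the live
registry and runs only on Windows."""

HKLM = "HKEY_LOCAL_MACHINE"
HKCU = "HKEY_CURRENT_USER"
TCPIP = HKLM + r"\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"
IFACES = TCPIP + r"\Interfaces"
FW_PORTS = (HKLM + r"\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters"
            r"\FirewallPolicy\StandardProfile\GloballyOpenPorts\List")
ZONE3 = HKCU + r"\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"

ADDED = [(FW_PORTS, "67:UDP")]        # firewall exception for the DHCP server port; absent on a clean host
MODIFIED = [(ZONE3, "1601", 1)]       # submit non-encrypted form data: page gives default 1, malware sets 0
GLOBAL_DHCP = ["DhcpNameServer", "DhcpDomain"]
IFACE_DHCP = ["DhcpNameServer", "DhcpDefaultGateway", "DhcpDomain", "DhcpSubnetMaskOpt"]


def check_indicators(snapshot: dict) -> list:
    """Return one line per indicator found; an empty list means nothing matched."""
    findings = []
    for key, name in ADDED:
        if name in snapshot.get(key, {}):
            findings.append(f"added value present: {key}\\{name}")
    for key, name, default in MODIFIED:
        actual = snapshot.get(key, {}).get(name)
        if actual is not None and actual != default:
            findings.append(f"modified value: {key}\\{name} = {actual!r} (default {default!r})")
    # Dhcp* values exist only on adapters that use DHCP and have recorded a lease
    # (DhcpIPAddress present); static or disconnected adapters legitimately lack them.
    # DhcpDomain and DhcpDefaultGateway can also be absent when the DHCP server sends
    # no domain or router option, so confirm a hit with ipconfig /all before acting.
    dhcp_ifaces = {k: v for k, v in snapshot.items()
                   if k.startswith(IFACES + "\\") and v.get("EnableDHCP") == 1
                   and "DhcpIPAddress" in v}
    for key, values in dhcp_ifaces.items():
        missing = [n for n in IFACE_DHCP if n not in values]
        if missing:
            guid = key.rsplit("\\", 1)[-1]
            findings.append(f"deleted DHCP values on interface {guid}: {', '.join(missing)}")
    if dhcp_ifaces:
        missing = [n for n in GLOBAL_DHCP if n not in snapshot.get(TCPIP, {})]
        if missing:
            findings.append(f"deleted DHCP values under Tcpip\\Parameters: {', '.join(missing)}")
    return findings


def collect_snapshot() -> dict:
    """Read the keys above from the live registry (Windows only)."""
    import winreg
    roots = {HKLM: winreg.HKEY_LOCAL_MACHINE, HKCU: winreg.HKEY_CURRENT_USER}

    def values_of(path):
        root, _, sub = path.partition("\\")
        try:
            with winreg.OpenKey(roots[root], sub) as k:
                vals = {}
                for i in range(winreg.QueryInfoKey(k)[1]):
                    name, data, _ = winreg.EnumValue(k, i)
                    vals[name] = data
                return vals
        except OSError:
            return None   # key does not exist or is not readable

    snapshot = {}
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, IFACES[len(HKLM) + 1:]) as k:
            guids = [winreg.EnumKey(k, i) for i in range(winreg.QueryInfoKey(k)[0])]
    except OSError:
        guids = []
    for path in [FW_PORTS, ZONE3, TCPIP] + [IFACES + "\\" + g for g in guids]:
        vals = values_of(path)
        if vals is not None:
            snapshot[path] = vals
    return snapshot


# Constructed snapshots (not real hosts); the interface GUID is a placeholder.
IFACE = IFACES + r"\{00000000-0000-0000-0000-000000000001}"
INFECTED_SNAPSHOT = {
    FW_PORTS: {"67:UDP": "67:UDP:EnabledHCP Server"},
    ZONE3: {"1601": 0, "1400": 0},
    TCPIP: {"Hostname": "host1"},                               # DhcpNameServer/DhcpDomain gone
    IFACE: {"EnableDHCP": 1, "DhcpIPAddress": "192.168.1.20"},  # Dhcp* option values gone
}
CLEAN_SNAPSHOT = {
    FW_PORTS: {},
    ZONE3: {"1601": 1, "1400": 0},
    TCPIP: {"Hostname": "host1", "DhcpNameServer": "192.168.1.1", "DhcpDomain": "localdomain"},
    IFACE: {"EnableDHCP": 1, "DhcpIPAddress": "192.168.1.20", "DhcpNameServer": "192.168.1.1",
            "DhcpDefaultGateway": ["192.168.1.1"], "DhcpDomain": "localdomain",
            "DhcpSubnetMaskOpt": ["255.255.255.0"]},
}

if __name__ == "__main__":
    import sys
    snap = collect_snapshot() if sys.platform == "win32" else INFECTED_SNAPSHOT
    for line in check_indicators(snap) or ["no indicators found"]:
        print(line)
```

Run it once before cleanup to record what is present, apply Steps 4, 5 and 7 (the Dhcp* values come back after ipconfig /release and ipconfig /renew on each DHCP-configured adapter), then run it again and expect an empty result. The snapshot form also lets the same check be applied to values exported from an offline hive.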