TROJ_TDSS.WIN

When executed, it connects to servers to receive commands from the remote user. It also attempts to hide its component files by writing specific files at the end of the infected system's hard disk. Trend Micro detects some of these files as BKDR_TDSS.WIM and TROJ_TDSS.WIM. As a result, routines of this backdoor and Trojan are also exhibited on the infected system.

Installation

This Trojan drops the following copies of itself into the affected system:

• %User Temp%\{random}.tmp

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003.)

It drops the following files:

• %User Temp%\{temporary file name}.tmp - detected as BKDR_TDSS.WIM

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003.)

It injects codes into the following process(es):

• SPOOLSV.EXE

NOTES:

Payloads

This Trojan may connect to the following servers where it receives task from a remote malicious user:

• http://{BLOCKED}1kf-a.com/
• http://{BLOCKED}-acom.com/
• http://{BLOCKED}apcell.com/
• http://{BLOCKED}1come.com/
• http://{BLOCKED}otcom.com/
• https://{BLOCKED}agcla.com/
• https://{BLOCKED}mak01.com/
• https://{BLOCKED}akq8x.com/

To hide its component files, it writes the following files at the end of the hard disk:

• \\?\globalroot\{random}\bckfg.tmp
• \\?\globalroot\{random}\cfg.ini
• \\?\globalroot\{random}\cmd.dll - detected as TROJ_TDSS.WIM
• \\?\globalroot\{random}\drv32 - detected as BKDR_TDSS.WIM
• \\?\globalroot\{random}\drv64 - detected as BKDR_TDSS.WIM
• \\?\globalroot\{random}\ldr16M
• \\?\globalroot\{random}\ldr32
• \\?\globalroot\{random}\ldr64
• \\?\globalroot\{random}\mbr