BackDoor.Tdss.565

4 November 2009 2 Comments

BackDoor.Tdss.565 is a Trojan that possesses a rootkit functionality to conceal itself from antivirus programs. BackDoor.Tdss.565 uses unfamiliar method of injection into a system process that that has never been put into action for several known virus. This Trojan will create a backdoor on infected computer that allows a remote attacker to gain unauthorized access.

Alias: TR/Patched.Gen, Packed.Win32.TDSS.z, TR/Crypt.ZPACK.Gen, Parser error, TR/PCK.Tdss.Z.2256, Trojan:Win32/Alureon.CT, Virus:Win32/Alureon.A, Packed.Win32.TDSS.z, Rootkit.Win32.TDSS.u, Generic.dx!fpw, TR/PCK.Tdss.Z.2341, Trojan:Win32/Alureon.CT, System error, TR/PCK.Tdss.Z.2318, TR/TDss.FL, TrojanDropper:Win32/Alureon.Q, TR/PCK.Tdss.Z.2333

Damage Level: High

Systems Affected: Windows 9x, 2000, XP, Windows Vista, Windows 7

Characteristics
The Trojan will embed its code into the system process once executed and uses the same process to temporary create the following service:

[HKLM\system\currentcontrolset\services\tdlserv] Imagepath=” \??\C:\DOCUME~1\\LOCALS~1\Temp\3.tmp”
Type=1

BackDoor.Tdss.565 also infects important files and system driver of the physical drive where Windows is installed. With its sophisticated rootkit technology, the Trojan effectively hides all changes it has made to the operating system.

The Trojan will gather information from infected computer like system version, language and Internet browser. This collected information will be sent to a control server  and used as basis for upgrading other modules of the Trojan.

Distribution
BackDoor.Tdss.565 may spread through spam operation. It is either in the form of email or Internet campaign. Authors of this Trojan also embed the code into downloadable executable files that are mostly hosted on unsecured file-sharing networks. Instant messaging applications and social networking sites also contributed to the propagation of this backdoor Trojan.

How to Remove BackDoor.Tdss.565

1. Temporarily Disable System Restore (Windows Me/XP). [how to]
2. To be able to identify even the most recent variant of BackDoor.Tdss.565, open your antivirus application and update the virus definition file.

3. Start Windows in Safe Mode with Networking.
- From a power-off state, turn on the computer and press F8 on your keyboard repeatedly.
- Your computer will display Windows Advanced Boot Options menu. Please select Safe Mode with Networking.
- The system will now boot Windows and loads only necessary drivers and files.

4. Open your antivirus program and run a full system scan. After the scan, delete all infected items. If unable to delete, better place them in quarantine. Once the scan is complete, please proceed with the next step.

Scan with Norton Power Eraser:

Additional virus removal tool like Norton Power Eraser provides deep scanning technology to eliminate other threats not detected by a normal virus scan. Use this tool with extra caution.

5. Go to Norton Power Eraser web page and download the tool.
6. Once the download completes, double click on the file NPE.exe to run the program.
7. It will prompt for End User License Agreement, click on Accept to continue.
8. On NPE main window, click on Scan. Then select Exclude Rootkit Scan. Click on Continue to proceed.
9. Virus scanning may take some time. After running the scan, NPE will display the scan result.

Important! If there are any detected threats under Suspicious, remove the check mark. Only threats in Detected category are necessary to remove at this point. Make sure that you mark the Create System Restore Point before proceeding with the fix.

10. Now click on Fix to start removing the threats including BackDoor.Tdss.565 remnants if there are any.
11. When done, Norton Power Eraser will restart the computer. Then after a reboot, it will initialize and display the eliminated threats.
12. You may now close Norton Power Eraser.