
Trojan.TDss.AT

MEDIUM
MEDIUM
~31 bytes
(DNSChanger.f.gen.a)

Symptoms

- the presence of the file c:\resycled\boot.com together with an autorun.inf that points to boot.com
- the system running slowly

Removal instructions:

Please let BitDefender delete the infected files. After cleaning, verify that the DNS server addresses listed in the technical description below are no longer configured on the network adapters and that advapi32.dll has been restored from a clean copy.

Analyzed By

Dana Stanut, virus researcher

Technical Description:

When run, the malware first drops two files in the %TEMP% folder: tmp1.tmp and tmp2.tmp.

The first file is injected into spoolsv.exe under the name dll.dll and is the main component of the malware. It communicates over HTTP with http://94.247.2.104. It is also able to change the computer's DNS settings in order to steal the user's sensitive information; the DNS addresses are changed to 85.255.115.237 and 85.255.112.201. It also creates the following registry key and values:

HKCR\msqpdxvx\
    msqpdxaff @= 0xBFF
    msqpdxid @= rfy... (the first DNS address, encrypted)
    msqpdxinfo @= 3qxvy... (the second DNS address, encrypted)
    msqpdxpff @= 0x1F03
    msqpdxrun @= 0x47 (the key used to decrypt the DNS addresses)
    msqpdxsw @= 0x6802f719

The second file is a modified version of advapi32.dll that is copied over the original. It is used to load dll.dll at every system startup (the patched library is detected as Trojan.Patched.CK).

In order to spread to every removable drive, it makes a copy of itself at c:\resycled\boot.com and creates an autorun.inf file pointing to that copy of the worm.
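The following script is an added example, not part of the Bitdefender entry, that checks for the indicators named in the symptoms and technical description above (the dropped copy, an autorun.inf launching boot.com, the two rogue DNS servers, and the HKCR\msqpdxvx values). It works on inputs handed to it (the text of an autorun.inf, the configured DNS servers, a regedit-style export, and a list of file paths), so it runs offline against constructed samples; the sample data embedded below is constructed for illustration and is not taken from a real infection. The encryption of the DNS strings stored in msqpdxid and msqpdxinfo is not described on the page, so the script matches only the value names, not their contents.

```python
"""Offline IOC checker for the Trojan.TDss.AT indicators described above (added example)."""
import configparser
import ipaddress
import re

# Indicators as listed in the technical description.
ROGUE_DNS = {"85.255.115.237", "85.255.112.201"}
DROPPED_COPY = r"c:\resycled\boot.com"
REGISTRY_KEY = r"HKCR\msqpdxvx"
REGISTRY_VALUES = {"msqpdxaff", "msqpdxid", "msqpdxinfo",
                   "msqpdxpff", "msqpdxrun", "msqpdxsw"}
HIVE_ABBREV = {"HKEY_CLASSES_ROOT": "HKCR", "HKEY_LOCAL_MACHINE": "HKLM",
               "HKEY_CURRENT_USER": "HKCU", "HKEY_USERS": "HKU"}


def autorun_targets(autorun_text):
    """Return the (lower-cased) paths an autorun.inf would launch.

    autorun.inf is INI-formatted; open=, shellexecute= and shell\\<verb>\\command=
    under [autorun] all name something to execute. Unparseable input yields [].
    """
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str.lower
    try:
        parser.read_string(autorun_text)
    except configparser.Error:
        return []
    targets = []
    for section in parser.sections():
        if section.lower() != "autorun":
            continue
        for key, value in parser.items(section):
            if key in ("open", "shellexecute") or key.endswith("\\command"):
                targets.append(value.strip().strip('"').lower())
    return targets


def autorun_points_to_worm(autorun_text):
    """True if any launch target references the dropped boot.com copy."""
    return any("boot.com" in t or "resycled" in t for t in autorun_targets(autorun_text))


def rogue_dns_servers(dns_servers):
    """Return the configured DNS servers that match the rogue addresses."""
    found = []
    for server in dns_servers:
        try:
            addr = str(ipaddress.ip_address(server.strip()))
        except ValueError:
            continue  # ignore hostnames or junk; only literal IPs are compared
        if addr in ROGUE_DNS:
            found.append(addr)
    return found


def registry_hits(reg_export):
    """Parse a regedit (.reg) export and return (key, value name) pairs under HKCR\\msqpdxvx."""
    hits = []
    current = None
    for line in reg_export.splitlines():
        line = line.strip()
        key_match = re.match(r"^\[(.+)\]$", line)
        if key_match:
            hive, _, rest = key_match.group(1).partition("\\")
            current = HIVE_ABBREV.get(hive.upper(), hive) + ("\\" + rest if rest else "")
            continue
        value_match = re.match(r'^"([^"]+)"=', line)
        if value_match and current and current.lower() == REGISTRY_KEY.lower():
            name = value_match.group(1).lower()
            if name in REGISTRY_VALUES:
                hits.append((current, name))
    return hits


def assess(autorun_text, dns_servers, reg_export, files_present):
    """Combine all checks into a list of human-readable findings (empty list = clean)."""
    findings = []
    if DROPPED_COPY.lower() in {f.lower() for f in files_present}:
        findings.append("dropped copy present: " + DROPPED_COPY)
    if autorun_points_to_worm(autorun_text):
        findings.append("autorun.inf launches boot.com")
    for addr in rogue_dns_servers(dns_servers):
        findings.append("rogue DNS server configured: " + addr)
    for key, name in registry_hits(reg_export):
        findings.append("registry value present: " + key + "\\" + name)
    return findings


# Constructed sample input (not real captured data) mimicking an infected host.
SAMPLE_AUTORUN = r"""[autorun]
open=resycled\boot.com
shell\open\command=resycled\boot.com
icon=%SystemRoot%\system32\SHELL32.dll,4
"""
SAMPLE_DNS = ["85.255.115.237", "85.255.112.201"]
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\msqpdxvx]
"msqpdxaff"=dword:00000bff
"msqpdxrun"=dword:00000047
"""
SAMPLE_FILES = [r"C:\resycled\boot.com", r"C:\autorun.inf"]

if __name__ == "__main__":
    for finding in assess(SAMPLE_AUTORUN, SAMPLE_DNS, SAMPLE_REG, SAMPLE_FILES):
        print(finding)
```

On a live Windows host the same functions can be fed real data: the contents of each drive's autorun.inf, the DNS servers from `ipconfig /all` or the adapter's registry settings, and a `reg export HKCR\msqpdxvx` dump. A match on the DNS addresses alone is worth treating as a compromise indicator even if the files have already been removed, because the rogue resolvers keep redirecting traffic until the adapter settings are restored.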