(Packed.Win32.TDSS.Z, Trojan:Win32/Alureon.CT, BackDoor.Tdss.based.3, Backdoor.Tidserv)
Browser redirection and increased network activity.
Please let BitDefender disinfect your files.
George Cabau, virus researcher
This is a complex piece of malware that performs the following actions upon execution:
- creates a copy of itself in the “%windir%\System32\spool\PRTPROCS\W32X86\” directory under the name “[random-number].tmp” and modifies the headers of the copy, setting the attributes of a DLL;
- creates a driver file in the “%windir%\Temp\” directory under the name “[random-number].tmp”;
- creates a copy of itself in the “%Temp%” directory under the name “[random-number].tmp”;
- injects code into the “spoolsv.exe” process in order to run with higher privileges; the injected code loads the dropped driver;
- the injected code also communicates with servers such as https://h4356***.cn, https://h9237***.cn and https://212.117.174.***, making the computer part of a botnet; from then on it can download and execute files and perform many other malicious actions.
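A defender-side check for the drop locations described above, added here as an example (this is not BitDefender's code): it looks for “.tmp” files in the listed directories whose contents are a PE image with the IMAGE_FILE_DLL flag set, which is the header change the description mentions. The directory paths are resolved from %windir% and %Temp% (defaults are assumptions), and the build_stub_pe helper constructs a minimal header purely for offline testing.

```python
import glob
import os
import struct

IMAGE_FILE_DLL = 0x2000  # Characteristics bit marking a PE image as a DLL
WINDIR = os.environ.get("WINDIR", r"C:\Windows")  # assumed default if unset
# Drop locations named in the description (%Temp% falls back to %windir%\Temp)
DROP_DIRS = [
    os.path.join(WINDIR, "System32", "spool", "PRTPROCS", "W32X86"),
    os.path.join(WINDIR, "Temp"),
    os.environ.get("TEMP", os.path.join(WINDIR, "Temp")),
]

def pe_is_dll(data: bytes):
    """True/False for a PE image by its IMAGE_FILE_DLL bit; None if not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None  # signature + 20-byte IMAGE_FILE_HEADER must fit
    # Characteristics is the last WORD of IMAGE_FILE_HEADER: sig(4) + offset 18
    return bool(struct.unpack_from("<H", data, e_lfanew + 22)[0] & IMAGE_FILE_DLL)

def flag_tmp_files(paths):
    """Return the .tmp files among paths whose header is a DLL-flagged PE image."""
    flagged = []
    for path in paths:
        if not path.lower().endswith(".tmp"):
            continue
        try:
            with open(path, "rb") as fh:
                head = fh.read(4096)  # the headers sit at the start of the file
        except OSError:
            continue  # unreadable or vanished file: skip rather than abort the scan
        if pe_is_dll(head):
            flagged.append(path)
    return flagged

def build_stub_pe(is_dll: bool) -> bytes:
    """Constructed minimal MZ/PE header for offline testing (not a real binary)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE header follows the DOS header
    chars = 0x0102 | (IMAGE_FILE_DLL if is_dll else 0)  # EXECUTABLE_IMAGE | 32BIT_MACHINE
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, chars)  # Machine = i386
    return bytes(dos) + b"PE\0\0" + coff

def scan_drop_dirs(dirs=DROP_DIRS):
    """Apply flag_tmp_files to every *.tmp in the described drop directories."""
    return flag_tmp_files(p for d in dirs for p in glob.glob(os.path.join(d, "*.tmp")))
```

Any path returned by scan_drop_dirs() is a “.tmp” file carrying a DLL header, which legitimate temp files and print processors do not normally have and so merits a closer look.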