Trojan.TDss.ZR (Packed.Win32.TDSS.Z, Trojan:Win32/Alureon.CT, BackDoor.Tdss.based.3, Backdoor.Tidserv)
SYMPTOMS: Browser redirection and increased network activity.

TECHNICAL DESCRIPTION: This is a complex piece of malware that performs the following actions upon execution:

- creates a copy of itself in the "%windir%\System32\spool\PRTPROCS\W32X86\" directory under the name "[random-number].tmp" and modifies the headers of the copy by setting the attributes of a DLL;
- creates a driver file in the "%windir%\Temp\" directory under the name "[random-number].tmp";
- creates a copy of itself in the "%Temp%" directory under the name "[random-number].tmp";
- injects code into the "spoolsv.exe" process in order to run with higher privileges; the injected code loads the dropped driver;
- the injected code also communicates with servers such as https://h4356***.cn, https://h9237***.cn and https://212.117.174.***, making the computer part of a botnet. From then on it can download files, execute them and perform many other malware-related actions.

REMOVAL INSTRUCTIONS: Please let BitDefender disinfect your files.

ANALYZED BY: George Cabau, virus researcher
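The drop locations and the "DLL attributes set in the header" detail above give an analyst a simple host-triage check: look in the three directories for files named like "[random-number].tmp" and test whether they are really PE images, and whether the IMAGE_FILE_DLL flag is set in IMAGE_FILE_HEADER.Characteristics. The script below is an added example, not BitDefender's tooling, and it assumes that "[random-number]" means an all-digit name and that "attributes related to a dll" refers to the IMAGE_FILE_DLL characteristic; the directory list and the sample files it creates are constructed for the demo.

```python
"""Triage helper for the Trojan.TDss.ZR drop locations described above.

Added example (not BitDefender's code). Assumptions: dropped files are named
'<digits>.tmp', and 'DLL attributes' means the IMAGE_FILE_DLL characteristic.
"""
import os
import re
import struct
import tempfile
from typing import List, Optional, Tuple

# Directories named in the description. On non-Windows hosts the environment
# variables are absent and the empty entries are simply skipped by scan_dirs().
DROP_DIRS = [
    os.path.join(os.environ.get("windir", ""), "System32", "spool", "PRTPROCS", "W32X86"),
    os.path.join(os.environ.get("windir", ""), "Temp"),
    os.environ.get("TEMP", ""),
]

TMP_NAME = re.compile(r"^\d+\.tmp$", re.IGNORECASE)   # assumed '[random-number].tmp' form
IMAGE_FILE_DLL = 0x2000                               # IMAGE_FILE_HEADER.Characteristics bit


def pe_characteristics(data: bytes) -> Optional[int]:
    """Return IMAGE_FILE_HEADER.Characteristics, or None if data is not a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # 'PE\0\0' (4 bytes) followed by the 20-byte file header; Characteristics is
    # the last WORD of that header, i.e. at e_lfanew + 4 + 18.
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    return struct.unpack_from("<H", data, e_lfanew + 22)[0]


def is_pe_dll(data: bytes) -> bool:
    """True when the bytes are a PE image with the DLL flag set."""
    chars = pe_characteristics(data)
    return chars is not None and bool(chars & IMAGE_FILE_DLL)


def scan_dirs(dirs: List[str]) -> List[Tuple[str, str]]:
    """Return (path, verdict) for every '<digits>.tmp' file that is a PE image."""
    hits = []
    for d in dirs:
        if not d or not os.path.isdir(d):
            continue
        for name in os.listdir(d):
            if not TMP_NAME.match(name):
                continue
            path = os.path.join(d, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(4096)   # headers live at the start of the file
            except OSError:
                continue                   # unreadable or vanished; keep scanning
            chars = pe_characteristics(head)
            if chars is None:
                continue                   # an ordinary temp file, not a PE
            verdict = "pe-dll" if chars & IMAGE_FILE_DLL else "pe-exe"
            hits.append((path, verdict))
    return hits


def build_fake_pe(dll: bool) -> bytes:
    """Constructed minimal PE header (not a loadable image) for the demo and test."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    characteristics = 0x0102 | (IMAGE_FILE_DLL if dll else 0)   # EXECUTABLE_IMAGE | 32BIT
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    file_header = struct.pack("<HHIIIHH", 0x014C, 3, 0, 0, 0, 0xE0, characteristics)
    return bytes(dos) + b"PE\0\0" + file_header + b"\0" * 0xE0


def demo() -> List[Tuple[str, str]]:
    """Scan a constructed temp directory instead of the live drop directories."""
    with tempfile.TemporaryDirectory() as tmp:
        samples = {
            "18294.tmp": build_fake_pe(dll=True),    # looks like the spool-dir copy
            "7713.tmp": build_fake_pe(dll=False),    # PE, but not flagged as DLL
            "notes.tmp": build_fake_pe(dll=True),    # name does not match the pattern
            "5.tmp": b"plain text, not a PE",
        }
        for name, data in samples.items():
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(data)
        return sorted((os.path.basename(p), v) for p, v in scan_dirs([tmp]))


if __name__ == "__main__":
    for path, verdict in demo() + scan_dirs(DROP_DIRS):
        print(f"{verdict}\t{path}")
```

Run as-is it scans a constructed temp directory and then the real drop directories (when they exist); a "pe-dll" hit in the spool directory matches the behaviour described above and is worth pulling for analysis, while "pe-exe" hits in the Temp directories deserve the same attention since the driver and the second copy are dropped there.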