Additional Details
This worm is delivered as a malicious file by the malware Trojan:W32/TDSS.BR, which is itself offered as a fake download from a fake video site.
Installation
Upon execution of the worm's file, it creates a copy of the legitimate file "%System%\msi.dll" as:
- %Temp%\tmp[Randomnumber2].tmp
It then patches 21 bytes at the entry point of this copy, so that whenever the copy is loaded it in turn loads the file %Temp%\tmp[Randomnumber1].tmp.
To get the patched copy loaded, a series of additional changes is then performed:
- First, the malware deletes the "\KnownDlls\msi.dll" section object of the Windows operating system, so that the legitimate msi.dll is no longer the known DLL of that name.
- The section object is then recreated, backed by the %Temp%\tmp[Randomnumber2].tmp file, so that a process loading msi.dll by name is given the patched copy instead of the original.
- It then stops and restarts the "msiserver" Windows service (Windows Installer), which loads msi.dll and therefore the %Temp%\tmp[Randomnumber2].tmp file.
The cumulative effect of these changes is that the file %Temp%\tmp[Randomnumber1].tmp is loaded inside the Windows Installer service process, and so runs with that service's privileges.
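As an added example (not from the original description), the following Python script implements the file-side check this procedure suggests: it looks in the temp directories for tmp*.tmp files that are byte-for-byte copies of %System%\msi.dll apart from a small patch at the PE entry point. The PE header parsing, the 64-byte patch window and the helper names are the example's own assumptions, and the sample PE image it builds is constructed for the demonstration; it is not msi.dll.

```python
"""Find copies of a DLL that differ from the original only by a small patch at the entry point.

Added example; the DLL paths, the 64-byte patch window and the sample PE are assumptions.
"""
import os
import struct
from pathlib import Path
from typing import List, Optional


def entry_point_file_offset(pe: bytes) -> Optional[int]:
    """Map AddressOfEntryPoint (an RVA) to a file offset using the section table.

    Returns None if the buffer is not a PE image or the entry point lies in no section.
    """
    try:
        if len(pe) < 0x40 or pe[:2] != b"MZ":
            return None
        e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
        if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
            return None
        num_sections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
        size_of_opt = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
        opt = e_lfanew + 24                                   # optional header follows the 20-byte COFF header
        entry_rva = struct.unpack_from("<I", pe, opt + 16)[0]  # same offset in PE32 and PE32+
        sections = opt + size_of_opt
        for i in range(num_sections):
            hdr = sections + 40 * i
            virt_addr, raw_size, raw_ptr = struct.unpack_from("<III", pe, hdr + 12)
            if virt_addr <= entry_rva < virt_addr + raw_size:
                return raw_ptr + (entry_rva - virt_addr)
    except struct.error:
        pass
    return None


def patched_offsets(original: bytes, candidate: bytes) -> List[int]:
    """Offsets at which a same-sized candidate differs from the original (empty if sizes differ)."""
    if len(original) != len(candidate):
        return []
    return [i for i, (a, b) in enumerate(zip(original, candidate)) if a != b]


def is_entry_point_patch(original: bytes, candidate: bytes, window: int = 64) -> bool:
    """True if candidate is the original with every difference within `window` bytes of the entry point.

    The page describes a 21-byte patch; the window is deliberately wider (an assumption).
    """
    diffs = patched_offsets(original, candidate)
    if not diffs:
        return False
    ep = entry_point_file_offset(original)
    if ep is None:
        return False
    return all(ep <= off < ep + window for off in diffs)


def scan_for_patched_copies(original_dll: Path, temp_dirs: List[Path]) -> List[Path]:
    """Return tmp*.tmp files in temp_dirs that are entry-point-patched copies of original_dll."""
    original = original_dll.read_bytes()
    hits = []
    for d in temp_dirs:
        if not d.is_dir():
            continue
        for p in d.glob("tmp*.tmp"):
            try:
                if p.stat().st_size != len(original):
                    continue                                  # cheap filter before reading the file
                if is_entry_point_patch(original, p.read_bytes()):
                    hits.append(p)
            except OSError:
                continue
    return hits


def build_sample_pe(code: bytes) -> bytes:
    """Constructed minimal PE32 image with one .text section whose start is the entry point.

    Demo input only: it is not msi.dll and is not meant to run.
    """
    e_lfanew, opt_size, raw_ptr = 0x40, 0xE0, 0x200
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x2102)  # i386, 1 section, DLL
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)       # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000)     # AddressOfEntryPoint = start of .text
    text = b".text\0\0\0" + struct.pack("<IIIIIIHHI", len(code), 0x1000, len(code), raw_ptr, 0, 0, 0, 0, 0x60000020)
    headers = dos + b"PE\0\0" + coff + bytes(opt) + text
    return headers.ljust(raw_ptr, b"\0") + code


if __name__ == "__main__":
    # Demonstrate on the constructed image: patch 21 bytes at the entry point, as the page describes.
    original = build_sample_pe(bytes(range(256)) * 4)
    ep = entry_point_file_offset(original)
    patched = bytearray(original)
    patched[ep:ep + 21] = bytes(b ^ 0xFF for b in original[ep:ep + 21])
    print("entry point file offset:", hex(ep))
    print("entry-point patch:", is_entry_point_patch(original, bytes(patched)))
    # On a Windows host, check the real DLL against the per-user and system temp directories.
    if os.name == "nt":
        system_root = Path(os.environ["SystemRoot"])
        temps = [Path(os.environ["TEMP"]), system_root / "Temp"]
        for hit in scan_for_patched_copies(system_root / "System32" / "msi.dll", temps):
            print("patched copy:", hit)
```

Because the patched copy reaches the service through the recreated \KnownDlls section rather than through its own path, a check of loaded module paths alone may not reveal it; the file comparison above does not depend on how the copy was mapped. To inspect the section object itself, Sysinternals WinObj shows the contents of the \KnownDlls directory, and the Windows Installer service can be checked with Get-Service msiserver.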
The worm also creates the following files on Removable and Fixed Drives:
- [DriveLetter]:\RECYCLER\S-%u-%u-%u-%u-%u-%u-%u.com - copy of itself
- [DriveLetter]:\autorun.inf
Activity
While active, the worm attempts to connect to a remote site (see above). Once connected, it receives encrypted data from the remote server, decrypts it, and writes the result to disk as an executable file, which it then loads:
- %windir%\TEMP\tempo-%u.tmp
Autorun
The autorun.inf file created during installation contains the following entries, interleaved with comment lines (";") of random characters:
  [autorun]
  ;[random characters]
  shellexecute="RECYCLER\S-%u-%u-%u-%u-%u-%u-%u.com [DriveLetter]:\"
  ;[random characters]
  shell\Open\command="RECYCLER\S-%u-%u-%u-%u-%u-%u-%u.com [DriveLetter]:\"
  ;[random characters]
  shell=Open
The shellexecute entry runs the worm copy through AutoPlay when the drive is connected, shell\Open\command defines an "Open" verb that runs the same file, and shell=Open makes that verb the default, so opening the drive in Explorer also launches the worm. The S-%u-...-%u name has the shape of a user SID, so the file looks like a per-user folder of the RECYCLER (recycle bin) directory.
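As an added example (not from the original description), the following Python code recognises this autorun.inf layout and the RECYCLER\S-...com naming: a tolerant parser for the [autorun] section (comment lines and quoted values as in the listing), an indicator check covering shellexecute, the Open verb and the default-verb setting, and a name filter for a RECYCLER directory. The seven-field pattern is taken from the page; the sample autorun.inf is constructed and the helper names are the example's own.

```python
"""Detect the autorun.inf / RECYCLER\\S-...com combination described above.

Added example; the sample file below is constructed, not captured from the worm.
"""
import re
from pathlib import Path
from typing import Dict, Iterable, List, Tuple

# Seven numeric fields after "S", matching the page's S-%u-%u-%u-%u-%u-%u-%u.com pattern.
# A domain/machine user SID (S-1-5-21-<three 32-bit values>-<RID>) also has seven fields,
# which is why the file blends in as a per-user recycle bin entry.
SID_COM_NAME = re.compile(r"^S(?:-\d+){7}\.com$", re.IGNORECASE)
RECYCLER_TARGET = re.compile(r"^RECYCLER\\S(?:-\d+){7}\.com(?:\s|$)", re.IGNORECASE)


def parse_autorun(text: str) -> Dict[str, str]:
    """Return key=value pairs of the [autorun] section.

    Keys are lower-cased, surrounding quotes are stripped, and ';' comment lines
    (the worm inserts random ones between entries) are ignored.
    """
    entries: Dict[str, str] = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[autorun]"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip().strip('"')
    return entries


def autorun_indicators(text: str) -> List[Tuple[str, str]]:
    """Entries that launch a RECYCLER\\S-...com file.

    shellexecute fires on AutoPlay, shell\\<verb>\\command defines a verb, and
    shell=<verb> makes that verb the default double-click action in Explorer.
    """
    entries = parse_autorun(text)
    hits = []
    for key in ("shellexecute", "open", "shell\\open\\command"):
        value = entries.get(key, "")
        if RECYCLER_TARGET.match(value):
            hits.append((key, value))
    default_verb = entries.get("shell", "").lower()
    if default_verb and RECYCLER_TARGET.match(entries.get("shell\\" + default_verb + "\\command", "")):
        hits.append(("shell", default_verb))
    return hits


def worm_copy_names(names: Iterable[str]) -> List[str]:
    """File names from a RECYCLER directory that follow the worm's naming scheme."""
    return [n for n in names if SID_COM_NAME.match(n)]


def scan_drive(root: Path) -> List[str]:
    """Report RECYCLER\\S-...com copies and a matching autorun.inf under a drive root."""
    findings = []
    recycler = root / "RECYCLER"
    if recycler.is_dir():
        findings += [str(recycler / n) for n in worm_copy_names(p.name for p in recycler.iterdir())]
    autorun = root / "autorun.inf"
    if autorun.is_file():
        text = autorun.read_text(errors="replace")
        findings += [f"{autorun}: {k}={v}" for k, v in autorun_indicators(text)]
    return findings


# Constructed sample in the layout the page lists (random comment lines, seven-field name).
SAMPLE_AUTORUN = r"""[autorun]
;xk29dq
shellexecute="RECYCLER\S-1-5-21-1085031214-1757981266-682003330-1003.com E:\"
;m3p0zz
shell\Open\command="RECYCLER\S-1-5-21-1085031214-1757981266-682003330-1003.com E:\"
;q8w1e
shell=Open
"""

if __name__ == "__main__":
    for key, value in autorun_indicators(SAMPLE_AUTORUN):
        print(f"indicator: {key}={value}")
    print(worm_copy_names(["S-1-5-21-1085031214-1757981266-682003330-1003.com", "desktop.ini"]))
    # On a live host: scan_drive(Path("E:\\")) for each removable or fixed drive.
```

Finding the files is only half of the response: the autorun.inf mechanism itself can be disabled by setting the DWORD NoDriveTypeAutoRun to 0xFF under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer, which stops AutoRun for all drive types; the dropped copy still has to be removed from every drive it reached.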