Home / malware Worm:W32/TDSS.BU
First posted on 11 April 2009.
Source: SecurityHomeAliases :
Worm:W32/TDSS.BU is also known as Trojan:W32/Alureon.gen!J (Microsoft).
Explanation :
A standalone malicious program which uses computer or network resources to make complete copies of itself. May include code or other malware to damage both the system and the network.
Additional DetailsThis worm is delivered as a malicious file by the malware Trojan:W32/TDSS.BR. The fake download is itself downloaded from a fake video site.
Installation
Upon execution of the worm's file, it creates a copy of the file "%System%msi.dll" as:
• %Temp% mp[randnumber2].tmp
It then modifies this file with 21 bytes at the entry point, in order to load the file, %Temp% mp[Randomnumber1].tmp.
To complete loading the file, a series of additional changes must performed:
• First, the malware deletes the "knowndllsmsi.dll" section object of the Windows operating system, in order to remove the legitimate msi.dll. • The section object is then recreated and linked to the %Temp% mp[Randomnumber2].tmp file. • It then stops and restarts the "MSISERVER" Windows Service, which subsequently loads the %Temp% mp[Randomnumber2].tmp file.
The cumulative effect of these changes cause the file, Temp% mp[Randomnumber1].tmp to be loaded as a Windows service.
The worm also creates the following files on Removable and Fixed Drives:
• [DriveLetter]:RECYCLERS-%u-%u-%u-%u-%u-%u-%u.com - copy of itself • [DriveLetter]:autorun.inf
Activity
While active, the worm will attempt to connect to a remote site (see above). Once connected, it receives encrypted data from the remote server, which it then decrypts in order to create and load an executable file as:
• %windir%TEMP empo-%u.tmp
Registry
The autorun.inf file created during installation contains the following strings:
• [autorun]
;[random characters]
shellexecute="RECYCLERS-%u-%u-%u-%u-%u-%u-%u.com [DriveLetter]:"
;[random characters]
shellOpencommand="RECYCLERS-%u-%u-%u-%u-%u-%u-%u.com [DriveLetter]:"
;[random characters]
shell=OpenLast update 11 April 2009
