TROJ_TDSS.SMEE

This Trojan may arrive bundled with malware packages as a malware component. It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It also has rootkit capabilities, which enables it to hide its processes and files from the user.

However, as of this writing, the said sites are inaccessible.

Arrival Details

This Trojan may arrive bundled with malware packages as a malware component.

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Trojan drops the following component file(s):

• %System%\drivers\TDSSserv.sys
• %System%\TDSS{random}.sys
• %User Temp%\TDSS{random}.tmp

(Note: %System% is the Windows system folder, which is usually C:\Windows\System32.. %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local\Temp on Windows Vista and 7.)

Other System Modifications

This Trojan adds the following registry keys as part of its installation routine:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\TDSSserv.sys

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\tdssdata

Rootkit Capabilities

This Trojan also has rootkit capabilities, which enables it to hide its processes and files from the user.

Other Details

This Trojan connects to the following possibly malicious URL:

• http://{BLOCKED}wsblog.net/tdss/crcmds/main
• http://{BLOCKED}9.com/cgi-bin/wtsin.cgi?s=z/tdss/crcmds/main
• http://{BLOCKED}m.ru/?ref=atom999

However, as of this writing, the said sites are inaccessible.