BKDR_TDSS.SMEO

 Analysis by: Christopher Daniel So

 ALIASES:

Trojan:Win32/Alureon.CT (Microsoft); Backdoor.Tidserv!gen5 (Symantec); Packed.Win32.TDSS.z (Kaspersky)

 PLATFORM:

Windows 2000, XP, Server 2003

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:

  • Threat Type: Backdoor

  • Destructiveness: No

  • Encrypted: Yes

  • In the wild: Yes

  OVERVIEW


This backdoor executes then deletes itself afterward.

It modifies the Internet Explorer Zone Settings.

  TECHNICAL DETAILS

File Size:

Varies

File Type:

EXE

Memory Resident:

No

Initial Samples Received Date:

26 Nov 2010

Installation

This backdoor executes then deletes itself afterward.

Other System Modifications

This backdoor adds the following registry entries:

HKEY_USERS\.DEFAULT\Software\
Microsoft\Internet Explorer\international
acceptlanguage = "en-us"

HKEY_USERS\.DEFAULT\Software\
Microsoft\Internet Explorer\Main\
featurecontrol\FEATURE_BROWSER_EMULATION
svchost.exe = 8888

HKEY_USERS\.DEFAULT\Software\
Microsoft\Windows\CurrentVersion\
Internet Settings
maxhttpredirects = 8888

HKEY_USERS\.DEFAULT\Software\
Microsoft\Windows\CurrentVersion\
Internet Settings
enablehttp1_1 = 1

It modifies the following registry entries:

HKEY_USERS\.DEFAULT\Software\
Microsoft\Windows\CurrentVersion\
Internet Settings\Zones\3
CurrentLevel = 0

(Note: The default value data of the said registry entry is 69632.)

HKEY_USERS\.DEFAULT\Software\
Microsoft\Windows\CurrentVersion\
Internet Settings\Zones\3
1601 = 0

(Note: The default value data of the said registry entry is 1.)

Web Browser Home Page and Search Page Modification

This backdoor modifies the Internet Explorer Zone Settings.

Related URLs