Analysis by: Anthony Joe Melgarejo

ALIASES:

Trojan-Dropper.Win32.TDSS.azpl (Kaspersky), W32/TDSS.AZPL!tr (Fortinet)

 PLATFORM:

Windows 2000, Windows XP, Windows Server 2003


  • Threat Type: Backdoor

  • Destructiveness: No

  • Encrypted: Yes

  • In the wild: Yes

  OVERVIEW

Infection Channel: Downloaded from the Internet, Dropped by other malware

This backdoor creates mutexes to ensure that only one copy of it runs at any one time.

It monitors the user's browsing and sends information to specific URLs when certain strings are found in the Web address.

It also modifies the search results returned by search engines to trick users into clicking malicious links and/or to display advertisements.

It modifies the Master Boot Record (MBR) of the affected system so that it loads before the operating system boots.

It also connects to certain URLs to download other malicious files and display advertisements.

This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It modifies Internet Explorer security settings. This puts the affected computer at greater risk, as it allows malicious URLs to be accessed by the computer.

  TECHNICAL DETAILS

File Size: 179,712 bytes
File Type: DLL
Memory Resident: Yes
Initial Samples Received Date: 09 Jan 2011
Payload: Downloads files, Drops files, Creates mutexes, Modifies Master Boot Record (MBR)

Arrival Details

This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This backdoor injects threads into the following normal process(es):

  • svchost.exe -k netsvcs

It injects code into the following process(es):

  • explorer.exe
  • iexplore.exe

Autostart Technique

This backdoor registers itself as a system service to ensure its automatic execution at every system startup by adding the following registry entries:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Enum\Root\LEGACY_{random hex value}\
0000
Legacy = dword:00000001

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Enum\Root\LEGACY_{random hex value}\
0000
ConfigFlags = dword:00000000

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Enum\Root\LEGACY_{random hex value}\
0000
Class = "LegacyDriver"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Enum\Root\LEGACY_{random hex value}\
0000
ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Enum\Root\LEGACY_{random hex value}\
0000
DeviceDesc = "{random hex value}"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Enum\Root\LEGACY_{random hex value}\
0000
Service = "{random hex value}"

It registers as a system service to ensure its automatic execution at every system startup by adding the following registry keys:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Enum\Root\LEGACY_{random hex value}

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Enum\Root\LEGACY_{random hex value}\
0000

Other System Modifications

This backdoor adds the following registry entries:

HKEY_USERS\.DEFAULT\Software\
Microsoft\Internet Explorer\Extensions\
CmdMapping
{CF819DA3-9882-4944-ADF5-6EF17ECF3C6E} = "2002"

HKEY_USERS\.DEFAULT\Software\
Microsoft\Internet Explorer\Extensions\
CmdMapping
{e2e2dd38-d088-4134-82b7-f2ba38496583} = "2003"

HKEY_USERS\.DEFAULT\Software\
Microsoft\Internet Explorer\Extensions\
CmdMapping
{FB5F1910-F110-11d2-BB9E-00C04F795683} = "2004"

HKEY_USERS\.DEFAULT\Software\
Microsoft\Internet Explorer\Extensions\
CmdMapping
NextId = "2005"

HKEY_USERS\.DEFAULT\Software\
Microsoft\Internet Explorer\International
AcceptLanguage = "en-US"

HKEY_USERS\.DEFAULT\Software\
Microsoft\Internet Explorer\Security\
P3Global
Enabled = "1"

HKEY_USERS\.DEFAULT\Software\
Microsoft\Internet Explorer\Main
Display Inline Images = "yes"

HKEY_USERS\.DEFAULT\Software\
Microsoft\Internet Explorer\Main
Enable Browser Extensions = "no"

HKEY_USERS\.DEFAULT\Software\
Microsoft\Internet Explorer\Main
Play_Background_Sounds = "no"

HKEY_USERS\.DEFAULT\Software\
Microsoft\Internet Explorer\Main
Play_Animations = "no"

HKEY_USERS\.DEFAULT\Software\
Microsoft\Internet Explorer\Main
Enable AutoImageResize = "no"

HKEY_USERS\.DEFAULT\Software\
Microsoft\Internet Explorer\Main
EnableAlternativeCodec = "no"

HKEY_USERS\.DEFAULT\Software\
Microsoft\Internet Explorer\Main
UseSWRender = "1"

HKEY_USERS\.DEFAULT\Software\
Microsoft\Internet Explorer\Main
PlaySounds = "0"

HKEY_USERS\.DEFAULT\Software\
Microsoft\Internet Explorer\Main
Error Dlg Displayed On Every Error = "no"

HKEY_USERS\.DEFAULT\Software\
Microsoft\Internet Explorer\Main
DisableScriptDebuggerIE = "no"

HKEY_USERS\.DEFAULT\Software\
Microsoft\Internet Explorer\Main
Friendly http errors = "no"

HKEY_USERS\.DEFAULT\Software\
Microsoft\Internet Explorer\Main\
FeatureControl\FEATURE_BLOCK_INPUT_PROMPTS
iexplore.exe = "1"

HKEY_USERS\.DEFAULT\Software\
Microsoft\Internet Explorer\Main\
FeatureControl\FEATURE_BROWSER_EMULATION
iexplore.exe = "1770"

HKEY_USERS\.DEFAULT\Software\
Microsoft\Internet Explorer\Main\
FeatureControl\FEATURE_GPU_RENDERING
iexplore.exe = "1"

HKEY_USERS\.DEFAULT\Software\
Microsoft\Internet Explorer\Main\
FeatureControl\FEATURE_MAXCONNECTIONSPER1_0SERVER
iexplore.exe = "10"

HKEY_USERS\.DEFAULT\Software\
Microsoft\Internet Explorer\Main\
FeatureControl\FEATURE_MAXCONNECTIONSPERSERVER
iexplore.exe = "10"

HKEY_USERS\.DEFAULT\Software\
Microsoft\Internet Explorer\Main\
FeatureControl\FEATURE_WARN_ON_SEC_CERT_REV_FAILED
iexplore.exe = "0"

HKEY_USERS\.DEFAULT\Software\
Microsoft\Windows\CurrentVersion\
Internet Settings
GlobalUserOffline = "0"

HKEY_USERS\.DEFAULT\Software\
Microsoft\Windows\CurrentVersion\
Internet Settings
CertificateRevocation = "0"

HKEY_USERS\.DEFAULT\Software\
Microsoft\Windows\CurrentVersion\
Internet Settings
WarnOnBadCertRecving = "0"

HKEY_USERS\.DEFAULT\Software\
Microsoft\Windows\CurrentVersion\
Internet Settings
WarnOnPost = "0"

HKEY_USERS\.DEFAULT\Software\
Microsoft\Windows\CurrentVersion\
Internet Settings
WarnOnPostRedirect = "0"

HKEY_USERS\.DEFAULT\Software\
Microsoft\Windows\CurrentVersion\
Internet Settings
WarnOnZoneCrossing = "0"

HKEY_USERS\.DEFAULT\Software\
Microsoft\Windows\CurrentVersion\
Internet Settings
ServerInfoTimeout = "927c0"

HKEY_USERS\.DEFAULT\Software\
Microsoft\Windows\CurrentVersion\
Internet Settings
KeepAliveTimeout = "124f80"

HKEY_USERS\.DEFAULT\Software\
Microsoft\Windows\CurrentVersion\
Internet Settings
ReceiveTimeout = "124f80"

HKEY_USERS\.DEFAULT\Software\
Microsoft\Windows\CurrentVersion\
Internet Settings
EnableHttp1_1 = "1"

HKEY_USERS\.DEFAULT\Software\
Microsoft\Windows\CurrentVersion\
Internet Settings
MaxHttpRedirects = "32"

HKEY_USERS\.DEFAULT\Software\
Microsoft\Windows\CurrentVersion\
Internet Settings
ConnectRetries = "14"

HKEY_USERS\.DEFAULT\Software\
Microsoft\Windows\CurrentVersion\
Internet Settings
MaxConnectionsPerServer = "10"

HKEY_USERS\.DEFAULT\Software\
Microsoft\Windows\CurrentVersion\
Internet Settings
MaxConnectionsPer1_0Server = "10"

HKEY_USERS\.DEFAULT\Software\
Microsoft\Internet Explorer\Extensions\
CmdMapping
{898EA8C8-E7FF-479B-8935-AEC46303B9E5} = "2000"

HKEY_USERS\.DEFAULT\Software\
Microsoft\Internet Explorer\Extensions\
CmdMapping
{92780B25-18CC-41C8-B9BE-3C9C571A8263} = "2001"

It modifies the following registry entries:

HKEY_USERS\.DEFAULT\Software\
Microsoft\Internet Explorer\Main
Disable Script Debugger = "no"

(Note: The default value data of the said registry entry is yes.)
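Most of the entries above are just what a remediation tool deletes or restores. The ones that matter for security are the certificate and zone warnings turned off under Internet Settings and FeatureControl (CertificateRevocation, WarnOnBadCertRecving, WarnOnZoneCrossing, FEATURE_WARN_ON_SEC_CERT_REV_FAILED), the Disable Script Debugger change, and the hex-named LEGACY_ key under Enum\Root that backs the service autostart described earlier. The following is an added example, not part of the original description or of any Trend Micro tool, that parses a .reg-style export and flags both. The export text, the LEGACY_1A2B3C4D / 1a2b3c4d names standing in for the random hex values, and the "restore" values for the warning settings are assumptions for the demo; the page itself gives the default only for Disable Script Debugger.

```python
import re

# Constructed .reg-style export for the demo (not an export from a real host). It mixes
# entries from the description with a benign LEGACY_BEEP key so the checks have
# something to ignore. LEGACY_1A2B3C4D / 1a2b3c4d stand in for the random hex values.
SAMPLE_REG_EXPORT = r"""
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"CertificateRevocation"="0"
"WarnOnBadCertRecving"="0"
"WarnOnZoneCrossing"="0"
"EnableHttp1_1"="1"

[HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WARN_ON_SEC_CERT_REV_FAILED]
"iexplore.exe"="0"

[HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main]
"Disable Script Debugger"="no"
"Friendly http errors"="no"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_BEEP\0000]
"Class"="LegacyDriver"
"Service"="Beep"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_1A2B3C4D\0000]
"Legacy"=dword:00000001
"Class"="LegacyDriver"
"Service"="1a2b3c4d"
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.+)$')

def parse_reg_export(text):
    """Parse a .reg export into {key_path: {value_name: data_as_str}}.
    Handles quoted REG_SZ data and dword:XXXXXXXX (converted to decimal text)."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            data = m.group("data")
            if data.startswith("dword:"):
                data = str(int(data[len("dword:"):], 16))
            else:
                data = data.strip('"')
            keys[current][m.group("name")] = data
    return keys

# (key path suffix, value name, value the malware writes, value to restore).
# The page gives the default only for Disable Script Debugger; for the warning
# settings "1" is simply the value that re-enables the warning (assumption).
WEAKENED_SETTINGS = [
    (r"\Internet Settings", "CertificateRevocation", "0", "1"),
    (r"\Internet Settings", "WarnOnBadCertRecving", "0", "1"),
    (r"\Internet Settings", "WarnOnZoneCrossing", "0", "1"),
    (r"\FEATURE_WARN_ON_SEC_CERT_REV_FAILED", "iexplore.exe", "0", "1"),
    (r"\Internet Explorer\Main", "Disable Script Debugger", "no", "yes"),
]

def find_weakened_settings(keys):
    """Return (key, name, current, restore) for each weakened setting present."""
    findings = []
    for key_path, values in keys.items():
        for suffix, name, weak, restore in WEAKENED_SETTINGS:
            if key_path.endswith(suffix) and values.get(name) == weak:
                findings.append((key_path, name, weak, restore))
    return findings

ENUM_ROOT_RE = re.compile(r"\\Enum\\Root\\(LEGACY_[^\\]+)\\0000$", re.IGNORECASE)
HEX_NAME_RE = re.compile(r"^[0-9A-F]{8,}$", re.IGNORECASE)

def find_suspicious_legacy_keys(keys):
    """Heuristic: Enum\\Root\\LEGACY_* entries whose device name and Service value
    are bare hex strings, as in the autostart keys above. Real legacy drivers
    (Beep, Null, ...) have readable names, so hex-only names deserve a look."""
    hits = []
    for key_path, values in keys.items():
        m = ENUM_ROOT_RE.search(key_path)
        if not m:
            continue
        name = m.group(1)
        service = values.get("Service", "")
        if HEX_NAME_RE.match(name[len("LEGACY_"):]) and HEX_NAME_RE.match(service):
            hits.append((name, service))
    return hits

if __name__ == "__main__":
    keys = parse_reg_export(SAMPLE_REG_EXPORT)
    for key_path, name, cur, restore in find_weakened_settings(keys):
        print(f"WEAKENED {key_path}\\{name} = {cur!r} (restore to {restore!r})")
    for name, service in find_suspicious_legacy_keys(keys):
        print(f"SUSPICIOUS Enum\\Root\\{name} -> Service {service!r}")
```

Run it against `reg export HKU\.DEFAULT` and `reg export HKLM\SYSTEM\CurrentControlSet\Enum\Root` output from the suspect host (convert the UTF-16 export to UTF-8 first). The LEGACY_ check is a heuristic only: confirm a hit by looking for the matching key under CurrentControlSet\Services and for the driver file it points to, since on a system where the rootkit driver is still loaded the file may be hidden.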

Backdoor Routine

This backdoor connects to the following URL(s) to send and receive commands from a remote malicious user:

  • http://{BLOCKED}sty.com/aa
  • http://{BLOCKED}sty.com/aa/nn
  • http://{BLOCKED}est.com/aa
  • http://{BLOCKED}est.com/aa/nn
  • http://{BLOCKED}.{BLOCKED}.44.9/aa/ns
  • http://{BLOCKED}.{BLOCKED}.44.9/aa/nn

Web Browser Home Page and Search Page Modification

This backdoor modifies Internet Explorer zone settings.

Download Routine

This backdoor accesses the following websites to download files:

  • http://{BLOCKED}nload.{BLOCKED}e.com/bin/install_flashplayer11x32_chrd_aih.exe - legitimate file (Adobe Flash Player installer)

It saves the files it downloads using the following names:

  • %AppDataLocal%\install_flashplayer.exe - legitimate file (Adobe Flash Player installer)

(Note: %AppDataLocal% is the Local Application Data folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local on Windows Vista and 7.)

Information Theft

This backdoor gathers the following data:

  • OS version
  • Build
  • Service Pack version
  • Processor Architecture

Stolen Information

This backdoor sends the gathered information via HTTP POST to the following URL:

  • {BLOCKED}.{BLOCKED}.57.42:555/{random values}/start/{OS Version}_{Build}_{Service Pack Version}_{Processor Architecture}/9099
  • {BLOCKED}.{BLOCKED}.57.42:555/{random values}/install/{OS Version}_{Build}_{Service Pack Version}_{Processor Architecture}/9099

NOTES:

This malware modifies the Master Boot Record (MBR) of the affected system to enable itself to load before the operating system boots up.

To hide its component files, it writes the following files at the end of the hard disk:

  • \\?\globalroot\{random}\config.ini - contains the configuration for the bot functionality of the malware.
  • \\?\globalroot\{random}\ldr16 - component loaded by the malware during OS boot-up. This is responsible for executing ldr32 or ldr64, depending on the operating system (OS).
  • \\?\globalroot\{random}\ldr32 - detected as TROJ_TDSS.BSS. This is used to let the OS continue to boot without crashing by replicating the system library kdcom.dll.
  • \\?\globalroot\{random}\ldr64 - detected as TROJ64_TDSS.BSS. This is used by the malware to let the OS continue booting without crashing by replicating the system library kdcom.dll.
  • \\?\globalroot\{random}\drv32 - detected as RTKT_TDSS.BTE. This is a component used by the malware to hide itself and ensure the master boot record or MBR is infected.
  • \\?\globalroot\{random}\drv64 - detected as RTKT64_TDSS.BTE. This is a component used by the malware to hide itself and ensure the MBR is infected.
  • \\?\globalroot\{random}\cmd.dll - detected as BKDR_TDSS.JES
  • \\?\globalroot\{random}\cmd64.dll - detected as BKDR64_TDSS.JES
  • \\?\globalroot\{random}\uacdll - detected as TROJ64_TDSS.JES. This is used to bypass the user account control (UAC)
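The description states that the MBR is overwritten so the malware loads before the operating system, and that its components live at the end of the disk rather than in the file system. Below is an added example, not from the original analysis, of the check an analyst would run against a raw disk image: hash the boot code region of sector 0 against a known-good baseline, confirm the partition table itself is untouched (the pattern of a bootkit that keeps the disk bootable), and report how many sectors lie beyond the last partition, which is where a store hidden at the end of the disk would sit. The MBR bytes, partition layout and disk size are constructed for the demo; the "clean" boot code is a few bytes of a standard MBR prologue padded with NOPs, not a real boot sector.

```python
import hashlib
import struct

SECTOR = 512
BOOT_CODE_END = 440      # bytes 440-445 hold the NT disk signature and two reserved bytes
PART_TABLE_OFF = 446     # four 16-byte entries
SIGNATURE_OFF = 510      # 0x55 0xAA
ENTRY_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count

# Constructed inputs for the demo. The "clean" code is the usual xor ax,ax / mov ss,ax /
# mov sp,7C00h prologue padded with NOPs; the "infected" code is arbitrary bytes standing
# in for an overwritten loader. Neither is a real boot sector.
CLEAN_BOOT_CODE = bytes([0x33, 0xC0, 0x8E, 0xD0, 0xBC, 0x00, 0x7C]) + b"\x90" * 64
INFECTED_BOOT_CODE = bytes([0xEB, 0x3E, 0x90]) + b"\xCC" * 64
SAMPLE_PARTITIONS = [(0x80, 0x07, 63, 20_000_000)]   # one bootable NTFS partition
TOTAL_SECTORS = 20_971_520                            # 10 GiB disk

def build_sample_mbr(boot_code, partitions, disk_sig=0x12345678):
    """Assemble a 512-byte MBR from the constructed parts above."""
    sector = bytearray(SECTOR)
    sector[:len(boot_code)] = boot_code
    struct.pack_into("<I", sector, BOOT_CODE_END, disk_sig)
    for i, (status, ptype, lba_start, count) in enumerate(partitions[:4]):
        struct.pack_into(ENTRY_FMT, sector, PART_TABLE_OFF + 16 * i,
                         status, b"\0\0\0", ptype, b"\0\0\0", lba_start, count)
    sector[SIGNATURE_OFF:] = b"\x55\xAA"
    return bytes(sector)

def parse_partitions(mbr):
    """Decode the four partition entries; CHS fields are ignored, LBA fields are used."""
    parts = []
    for i in range(4):
        status, _, ptype, _, start, count = struct.unpack_from(ENTRY_FMT, mbr, PART_TABLE_OFF + 16 * i)
        if ptype:
            parts.append({"bootable": status == 0x80, "type": ptype, "start": start, "count": count})
    return parts

def baseline(mbr):
    """What a later check compares against: hashes of boot code and partition table."""
    return {
        "boot_code": hashlib.sha256(mbr[:BOOT_CODE_END]).hexdigest(),
        "partition_table": hashlib.sha256(mbr[PART_TABLE_OFF:SIGNATURE_OFF]).hexdigest(),
    }

def check_mbr(mbr, base, total_sectors):
    cur = baseline(mbr)
    parts = parse_partitions(mbr)
    last_end = max((p["start"] + p["count"] for p in parts), default=0)
    result = {
        "signature_ok": len(mbr) == SECTOR and mbr[SIGNATURE_OFF:] == b"\x55\xAA",
        "boot_code_changed": cur["boot_code"] != base["boot_code"],
        "partition_table_changed": cur["partition_table"] != base["partition_table"],
        # Sectors past the last partition: where an end-of-disk hidden store would be.
        "trailing_sectors": max(total_sectors - last_end, 0),
    }
    # A bootkit keeps the disk bootable: loader replaced, partition table intact.
    result["bootkit_pattern"] = result["boot_code_changed"] and not result["partition_table_changed"]
    return result

if __name__ == "__main__":
    clean = build_sample_mbr(CLEAN_BOOT_CODE, SAMPLE_PARTITIONS)
    base = baseline(clean)                     # would come from a known-good image
    suspect = build_sample_mbr(INFECTED_BOOT_CODE, SAMPLE_PARTITIONS)
    for label, mbr in (("clean", clean), ("suspect", suspect)):
        print(label, check_mbr(mbr, base, TOTAL_SECTORS))
```

Take the 512 bytes from an offline image (or a boot medium), not from the running system: the drv32/drv64 component described above exists to hide the infection, so a live read of the physical drive may return the original sector. Some slack after the last partition is normal on any disk; the number is reported so you know which range to image and inspect, not as proof of infection on its own.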

It monitors the user's browsing and sends information to the URLs listed above when the following strings are found in the Web address. It can also modify the search results returned by search engines to trick users into clicking malicious links and/or to display advertisements:

  • share
  • tweet
  • download
  • checkout
  • feedback
  • contact
  • terms
  • copyright
  • policy
  • privacy
  • registr
  • register
  • signup
  • signin
  • login
  • linkedin
  • flickr
  • google
  • twitter
  • facebook
  • torrent
  • voxmov

It connects to the abovementioned URLs to send and receive information from a remote user, download other malicious files, and display advertisements.
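The C2 paths (/aa, /aa/nn, /aa/ns), the HTTP POST beacon on port 555 carrying the OS version in its path, and the trigger strings above together give a proxy-log hunt. The following is an added example, not part of the original description: it parses constructed proxy log lines, flags beacon-shaped URLs and the C2 paths, and counts per-client visits whose address contains one of the trigger strings, which is the traffic the malware would report. The hostnames and IPs in the sample are documentation addresses chosen for the demo, since the real ones are redacted above, and the log format is a made-up one rather than a specific proxy's.

```python
import re
from urllib.parse import urlparse

# Strings the description says trigger reporting when present in the Web address
TRIGGER_STRINGS = [
    "share", "tweet", "download", "checkout", "feedback", "contact", "terms",
    "copyright", "policy", "privacy", "registr", "register", "signup", "signin",
    "login", "linkedin", "flickr", "google", "twitter", "facebook", "torrent", "voxmov",
]

# Shape of the POST beacon from the description:
#   host:555/{random}/start|install/{OS}_{Build}_{SP}_{Arch}/9099
BEACON_PATH_RE = re.compile(r"^/[^/]+/(start|install)/[^/]+_[^/]+_[^/]+_[^/]+/9099$")
BEACON_PORT = 555

# Command paths on the C2 hosts (the hostnames themselves are redacted in the description)
C2_PATH_RE = re.compile(r"^/aa(/n[ns])?$")

# Constructed proxy log: "<epoch> <client> <method> <url> <status>". Addresses are
# documentation names/ranges chosen for the demo, not the real infrastructure.
SAMPLE_PROXY_LOG = """\
1294560001.123 10.0.0.7 GET http://c2.example.test/aa/nn 200
1294560002.456 10.0.0.7 POST http://192.0.2.10:555/8f3a1c/start/5.1_2600_3_x86/9099 200
1294560003.789 10.0.0.7 GET http://www.example.com/login 200
1294560004.000 10.0.0.9 GET http://www.example.com/news/today 200
1294560005.000 10.0.0.9 GET http://download.example.com/bin/install_flashplayer11x32_chrd_aih.exe 200
"""

def parse_proxy_log(text):
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed lines rather than abort the hunt
        ts, client, method, url, status = fields
        records.append({"ts": float(ts), "client": client, "method": method,
                        "url": url, "status": int(status)})
    return records

def is_beacon(url):
    """Port 555 plus the start/install path with four underscore-joined fields and /9099."""
    u = urlparse(url)
    try:
        port = u.port
    except ValueError:
        return False
    return port == BEACON_PORT and BEACON_PATH_RE.match(u.path) is not None

def is_c2_path(url):
    return C2_PATH_RE.match(urlparse(url).path) is not None

def trigger_strings_in(url):
    """Trigger strings present anywhere in the address (host and path), as the description states."""
    lowered = url.lower()
    return [s for s in TRIGGER_STRINGS if s in lowered]

def hunt(records):
    """Per-client counts of beacons, C2 command paths and trigger-string visits."""
    report = {}
    for r in records:
        entry = report.setdefault(r["client"], {"beacons": 0, "c2": 0, "triggered": 0, "urls": []})
        if is_beacon(r["url"]):
            entry["beacons"] += 1
            entry["urls"].append(r["url"])
        elif is_c2_path(r["url"]):
            entry["c2"] += 1
            entry["urls"].append(r["url"])
        if trigger_strings_in(r["url"]):
            entry["triggered"] += 1
    return report

if __name__ == "__main__":
    for client, e in hunt(parse_proxy_log(SAMPLE_PROXY_LOG)).items():
        flag = "SUSPECT" if e["beacons"] else "ok"
        print(f"{client}: beacons={e['beacons']} c2paths={e['c2']} "
              f"trigger_visits={e['triggered']} [{flag}]")
```

The beacon shape is the strong indicator; /aa and /aa/nn are short enough to collide with legitimate sites, so treat a C2-path hit as supporting evidence for a client that also beacons. The trigger-string count is not an indicator of infection (every user visits login pages); it shows which browsing on an already-suspect host the malware would have reported, which is what an exposure assessment needs.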

  SOLUTION

Minimum Scan Engine: 9.700

Step 1

Before doing any scans, Windows XP, Windows Vista, and Windows 7 users must disable System Restore to allow full scanning of their computers.

Step 2

Remove the malware/grayware files dropped/downloaded by BKDR_TDSS.JES

    • TROJ_TDSS.BSS
    • TROJ64_TDSS.BSS
    • RTKT_TDSS.BTE
    • RTKT64_TDSS.BTE
    • BKDR64_TDSS.JES
    • TROJ64_TDSS.JES

Step 3

Restore your system's Master Boot Record (MBR)

To restore your system's Master Boot Record (MBR):

• On Windows 2000, XP, and Server 2003:

  1. Insert your Windows Installation CD into your CD drive then restart your computer.
  2. When prompted, press any key to boot from the CD.
  3. On the Main Menu, type r to enter the Recovery Console.
    (Note for Windows 2000: After pressing r, type c to choose the Recovery Console on the repair options screen.)
  4. Type the number that corresponds to the drive and folder that contains Windows (usually C:\WINDOWS) and press Enter.
  5. Type your Administrator password and press Enter.
  6. In the input box, type the following then press Enter:
    fixmbr {affected drive}
  7. Type exit and press Enter to restart the system normally.

• On Windows Vista and 7:

  1. Insert your Windows Installation DVD into the DVD drive, then press the restart button on your computer.
  2. When prompted, press any key to boot from the DVD.
  3. Depending on your Windows Installation DVD, you might be required to choose the installation language. On the Install Windows window, choose your language, locale, and keyboard layout or input method. Click Repair your computer.
  4. Select Use recovery tools that can help fix problems starting Windows. Select your installation of Windows. Click Next.
  5. If the Startup Repair window appears, click Cancel, Yes, then Finish.
  6. In the System Recovery Options menu, click Command Prompt.
  7. In the Command Prompt window, type the following then press Enter:
    BootRec.exe /fixmbr
  8. Type exit and press Enter to close the Command Prompt window.
  9. Click Restart to restart your computer normally.

Step 4

Delete this registry key

Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how, or ask your system administrator for assistance. Otherwise, check this Microsoft article first before modifying your computer's registry. Before you can do this, you must restart in Safe Mode. For instructions on how to do this, refer to this page. If the preceding step required you to restart in Safe Mode, you may proceed to edit the system registry.

  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root
    • LEGACY_{random hex value}

Step 5

Delete this registry value

Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how, or ask your system administrator for assistance. Otherwise, check this Microsoft article first before modifying your computer's registry.

  • In HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Extensions\CmdMapping
    • {898EA8C8-E7FF-479B-8935-AEC46303B9E5} = "2000"
  • In HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Extensions\CmdMapping
    • {92780B25-18CC-41C8-B9BE-3C9C571A8263} = "2001"
  • In HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Extensions\CmdMapping
    • {CF819DA3-9882-4944-ADF5-6EF17ECF3C6E} = "2002"
  • In HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Extensions\CmdMapping
    • {e2e2dd38-d088-4134-82b7-f2ba38496583} = "2003"
  • In HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Extensions\CmdMapping
    • {FB5F1910-F110-11d2-BB9E-00C04F795683} = "2004"
  • In HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Extensions\CmdMapping
    • NextId = "2005"
  • In HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\International
    • AcceptLanguage = "en-US"
  • In HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Security\P3Global
    • Enabled = "1"
  • In HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main
    • Display Inline Images = "yes"
  • In HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main
    • Enable Browser Extensions = "no"
  • In HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main
    • Play_Background_Sounds = "no"
  • In HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main
    • Play_Animations = "no"
  • In HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main
    • Enable AutoImageResize = "no"
  • In HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main
    • EnableAlternativeCodec = "no"
  • In HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main
    • UseSWRender = "1"
  • In HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main
    • PlaySounds = "0"
  • In HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main
    • Error Dlg Displayed On Every Error = "no"
  • In HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main
    • DisableScriptDebuggerIE = "no"
  • In HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main
    • Friendly http errors = "no"
  • In HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_INPUT_PROMPTS
    • iexplore.exe = "1"
  • In HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION
    • iexplore.exe = "1770"
  • In HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_GPU_RENDERING
    • iexplore.exe = "1"
  • In HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MAXCONNECTIONSPER1_0SERVER
    • iexplore.exe = "10"
  • In HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MAXCONNECTIONSPERSERVER
    • iexplore.exe = "10"
  • In HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WARN_ON_SEC_CERT_REV_FAILED
    • iexplore.exe = "0"
  • In HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    • GlobalUserOffline = "0"
  • In HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    • CertificateRevocation = "0"
  • In HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    • WarnOnBadCertRecving = "0"
  • In HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    • WarnOnPost = "0"
  • In HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    • WarnOnPostRedirect = "0"
  • In HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    • WarnOnZoneCrossing = "0"
  • In HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    • ServerInfoTimeout = "927c0"
  • In HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    • KeepAliveTimeout = "124f80"
  • In HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    • ReceiveTimeout = "124f80"
  • In HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    • EnableHttp1_1 = "1"
  • In HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    • MaxHttpRedirects = "32"
  • In HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    • ConnectRetries = "14"
  • In HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    • MaxConnectionsPerServer = "10"
  • In HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    • MaxConnectionsPer1_0Server = "10"

Step 6

Restore this modified registry value

Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how, or ask your system administrator for assistance. Otherwise, check this Microsoft article first before modifying your computer's registry.

  • In HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main
    • From: Disable Script Debugger = "no"
      To: Disable Script Debugger = "yes"

Step 7

Reset Internet security settings

Step 8

Scan your computer with your Trend Micro product to delete files detected as BKDR_TDSS.JES. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.
