Threat Descriptions

Trojan:W32/TDSS.BR

Classification

Category :

Malware

Type :

Trojan

Platform :

W32

Aliases :

Trojan:W32/TDSS.BR, Trojan.Win32.TDSS.tqf, Trojan:W32/Alureon.gen!J (Microsoft)

Summary

Trojan:W32/TDSS.BR drops and executes a malicious file on the affected system.

Removal

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

This trojan arrives as an installer file downloaded from a fake video posted on a video site.

Installation

Upon execution of the installer, the trojan drops and executes a malicious file hidden in the archive installer. The malicious file is detected as Worm:W32/TDSS.BU.

The trojan also creates the following files:

  • %ProgramFiles%\PlayMe\Uninstall.exe - normal uninstaller file
  • %UserProfile%\Start Menu\Programs\PlayMe\Uninstall.lnk - link to uninstaller

Registry Modifications

Creates these keys:

  • HKEY_CURRENT_USER\Software\PlayMe (Default) = "%ProgramFiles%\PlayMe"
  • HKEY_CURRENT_USER\Software\PlayMeSoft Start Menu Folder = "PlayMe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PlayMe UninstallString = "%ProgramFiles%\PlayMe\Uninstall.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PlayMe DisplayName = "PlayMe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PlayMe DisplayIcon = "%ProgramFiles%\PlayMe\Uninstall.exe,0"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PlayMe InstallLocation = "%ProgramFiles%\PlayMe"