Threat Descriptions

Worm:W32/TDSS.BU

Classification

Category :

Malware

Type :

Worm

Platform :

W32

Aliases :

Worm:W32/TDSS.BU

Summary

This worm is delivered as a malicious file by the malware Trojan:W32/TDSS.BR. The fake download is itself downloaded from a fake video site.

Removal

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

Installation

Upon execution of the worm's file, it creates a copy of the file "%System%\msi.dll" as:

  • %Temp%\tmp[randnumber2].tmp

It then modifies this file with 21 bytes at the entry point, in order to load the file, %Temp%\tmp[Randomnumber1].tmp.

To complete loading the file, a series of additional changes must performed:

  • First, the malware deletes the "\knowndlls\msi.dll" section object of the Windows operating system, in order to remove the legitimate msi.dll.
  • The section object is then recreated and linked to the %Temp%\tmp[Randomnumber2].tmp file.
  • It then stops and restarts the "MSISERVER" Windows Service, which subsequently loads the %Temp%\tmp[Randomnumber2].tmp file.

The cumulative effect of these changes cause the file, Temp%\tmp[Randomnumber1].tmp to be loaded as a Windows service.

The worm also creates the following files on Removable and Fixed Drives:

  • [DriveLetter]:\RECYCLER\S-%u-%u-%u-%u-%u-%u-%u.com - copy of itself
  • [DriveLetter]:\autorun.inf

Activity

While active, the worm will attempt to connect to a remote site (see above). Once connected, it receives encrypted data from the remote server, which it then decrypts in order to create and load an executable file as:

  • %windir%\TEMP\tempo-%u.tmp

Registry

The autorun.inf file created during installation contains the following strings:

  • [autorun] ;[random characters] shellexecute="RECYCLER\S-%u-%u-%u-%u-%u-%u-%u.com [DriveLetter]:\" ;[random characters] shell\Open\command="RECYCLER\S-%u-%u-%u-%u-%u-%u-%u.com [DriveLetter]:\" ;[random characters] shell=Open

Network Connections

Attempts to connect with HTTP to:

  • https://94.247.2.107/cgi-bin/generator

Registry Modifications

Creates these keys:

  • HKEY_CLASSES_ROOT\videoshow\CLSID (Default) = "{6BF52A52-394A-11D3-B153-00C04F79FAA6}"