Home / malware Trojan.TDss.AT
First posted on 21 November 2011.
Source: BitDefenderAliases :
Trojan.TDss.AT is also known as DNSChanger.f.gen.a.
Explanation :
When run, this malware will first drop the following files in %TEMP% folder: tmp1.tmp and tmp2.tmp.
The first file will be injected in spoolsv.exe under the name dll.dll and this is the main component of the malware. It communicates with the following site via http: http://94.247.2.104. It is also able to change the DNS settings of the computer in order to steal user's sensitive information. The changed DNS addresses will be: 85.255.115.237 and 85.255.112.201. It will also create the following registry keys:
HKCRmsqpdxvx
msqpdxaff @= 0xBFF
msqpdxid @= rfy... (the first DNS address crypted)
msqpdxinfo @= 3qxvy ... (the second DNS address crypted)
msqpdxpff @= 0x1F03
msqpdxrun @= 0x47 (the key used to decrypt the DNS addresses)
msqpdxsw @= 0x6802f719
The second file is a modified version of advapi32.dll which will be copied over the original version. It will be used to load the dll.dll file at every system startup (it is detected as Trojan.Patched.CK).
In order to spread itself on every removable drive, it makes a copy of itself in c:
esycledoot.com and creates an autorun.inf file pointing to this copy of the worm.Last update 21 November 2011