Trojan.TDss.ZR


First posted on 21 November 2011.
Source: BitDefender

Aliases:

Trojan.TDss.ZR is also known as Packed.Win32.TDSS.Z, Trojan:Win32/Alureon.CT, BackDoor.Tdss.based.3, Backdoor.Tidserv.

Explanation:

This is a complex malware that performs the following actions upon execution:

- creates a copy of itself in the "%windir%\System32\spool\PRTPROCS\W32X86" directory under the name "[random-number].tmp" and modifies the headers of the copy, setting the attributes of a DLL;
- creates a driver file in the "%windir%\Temp" directory under the name "[random-number].tmp";
- creates a copy of itself in the "%Temp%" directory under the name "[random-number].tmp";
- injects code into the "spoolsv.exe" process in order to run with higher privileges; this code loads the dropped driver;
- the injected code also communicates with servers such as https://h4356***.cn, https://h9237***.cn and https://212.117.174.***, making the computer part of a botnet; from then on it can download files, execute them and perform many other malware-related actions.
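
The dropped files described above share a recognisable shape: a numerically named ".tmp" file that is really a PE image, and in the print-processor directory one whose COFF header carries the DLL flag. The following script is an added example (written for this page, not code from BitDefender or malwarePDF) that checks the three drop directories for exactly that pattern. It assumes only the paths given above and the documented PE layout (e_lfanew at offset 0x3C, Characteristics at COFF offset 18, IMAGE_FILE_DLL = 0x2000); the sample headers it builds for the offline demo are constructed, not taken from a real binary. Because the dropped driver runs in the kernel, a scan run on a live infected system may not see the files at all; scanning the volume from a clean boot environment is the reliable way to use a file-artifact check like this.

```python
import os
import re
import struct
import tempfile
from pathlib import Path
from typing import List, Optional, Tuple

IMAGE_FILE_DLL = 0x2000  # COFF Characteristics bit: image is a DLL
TMP_NAME = re.compile(r"^\d+\.tmp$", re.IGNORECASE)  # "[random-number].tmp"

# Drop locations named in the write-up; environment variables are resolved at scan time.
DROP_DIRS = [
    r"%windir%\System32\spool\PRTPROCS\W32X86",
    r"%windir%\Temp",
    r"%TEMP%",
]


def pe_characteristics(data: bytes) -> Optional[int]:
    """Return the COFF Characteristics word of a PE image, or None if data is not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # The 4-byte "PE\0\0" signature plus the 20-byte COFF header must fit.
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # COFF header: Machine(2) NumberOfSections(2) TimeDateStamp(4)
    #              PointerToSymbolTable(4) NumberOfSymbols(4)
    #              SizeOfOptionalHeader(2) Characteristics(2)  -> offset 18
    (characteristics,) = struct.unpack_from("<H", data, e_lfanew + 4 + 18)
    return characteristics


def is_dll(data: bytes) -> bool:
    """True when the PE header marks the image as a DLL."""
    c = pe_characteristics(data)
    return c is not None and bool(c & IMAGE_FILE_DLL)


def classify(name: str, head: bytes) -> Optional[str]:
    """Verdict for one file in a drop directory, or None when it does not match.

    A match is a numeric .tmp name whose content starts with a PE image; the
    verdict distinguishes the DLL-flagged copy from other PE images (e.g. the driver).
    """
    if not TMP_NAME.match(name):
        return None
    c = pe_characteristics(head)
    if c is None:
        return None
    return "tmp-named DLL" if c & IMAGE_FILE_DLL else "tmp-named PE"


def scan(dirs=DROP_DIRS) -> List[Tuple[str, str]]:
    """Walk the drop directories and return (path, verdict) for matching files."""
    hits = []
    for d in dirs:
        path = Path(os.path.expandvars(d))
        if not path.is_dir():
            continue
        for f in path.iterdir():
            if not f.is_file():
                continue
            try:
                with f.open("rb") as fh:
                    head = fh.read(4096)  # both headers sit at the start of the file
            except OSError:
                continue
            verdict = classify(f.name, head)
            if verdict:
                hits.append((str(f), verdict))
    return hits


def build_sample_pe(dll: bool) -> bytes:
    """Constructed minimal DOS + PE header (not a real binary) for offline testing."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    characteristics = 0x0102 | (IMAGE_FILE_DLL if dll else 0)  # EXECUTABLE_IMAGE | 32BIT_MACHINE
    coff = struct.pack("<HHIIIHH", 0x014C, 1, 0, 0, 0, 0xE0, characteristics)
    return dos + b"PE\0\0" + coff + b"\0" * 0xE0  # zero-filled optional header


def demo() -> List[str]:
    """Write constructed samples into a temp dir, scan it, and return the sorted verdicts."""
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "48213.tmp").write_bytes(build_sample_pe(dll=True))
        Path(tmp, "9917.tmp").write_bytes(build_sample_pe(dll=False))
        Path(tmp, "notes.tmp").write_bytes(b"just text")  # numeric-free name: ignored
        return sorted(v for _, v in scan([tmp]))


if __name__ == "__main__":
    print("demo verdicts:", demo())
    for path, verdict in scan():
        print(f"{verdict}: {path}")
```

Running the script without arguments first prints the verdicts from the constructed demo directory and then reports any matching files in the real drop locations of the machine it runs on. The name pattern is deliberately strict (digits only before ".tmp") so that ordinary temporary files are not reported; a legitimate print processor in the PRTPROCS directory has a normal DLL name and is likewise skipped.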

Last update 21 November 2011
