WORM_TDSS.TX

tag:Worm

0 0

This worm may arrive via drive-by downloads.

When executed, it takes advantage of the following vulnerability as a zero-day exploit:

(MS10-092) Vulnerability in Task Scheduler Could Allow Elevation of Privilege (2305420)

It also lowers Internet Explorer(IE) security settings, allowing access to sites with malicious code and causing more harm to the system.

To propagate, it drops copies of itself into network shares, thus, making itself available to other users.

This worm may be unknowingly downloaded by a user while visiting malicious websites.

It executes then deletes itself afterward.

It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

It modifies the Internet Explorer Zone Settings.

This worm may be unknowingly downloaded by a user while visiting malicious websites.

Installation

This worm executes then deletes itself afterward.

Other System Modifications

This worm modifies the following registry entries:

HKEY_USERS\.DEFAULT\Software\
Microsoft\Windows\CurrentVersion\
Internet Settings\Zones\3
CurrentLevel = 0

(Note: The default value data of the said registry entry is 69632.)

HKEY_USERS\.DEFAULT\Software\
Microsoft\Windows\CurrentVersion\
Internet Settings\Zones\3
1601 = 0

(Note: The default value data of the said registry entry is 1.)

It adds the following registry entries:

HKEY_USERS\.DEFAULT\Software\
Microsoft\Internet Explorer\international
acceptlanguage = "en-us"

HKEY_USERS\.DEFAULT\Software\
Microsoft\Internet Explorer\Main\
featurecontrol\FEATURE_BROWSER_EMULATION
svchost.exe = 8888

HKEY_USERS\.DEFAULT\Software\
Microsoft\Windows\CurrentVersion\
Internet Settings
maxhttpredirects = 8888

HKEY_USERS\.DEFAULT\Software\
Microsoft\Windows\CurrentVersion\
Internet Settings
enablehttp1_1 = 1

Propagation

This worm drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

It uses the following file names for the copies it drops into shared networks:

setup{random number}.dll
setup{random number}.dat
The malware drops the following component in shared networks:
- setup{random number}.lnk – detected as EXPL_CPLNK.SMA

Web Browser Home Page and Search Page Modification

This worm modifies the Internet Explorer Zone Settings.

Other Details

This worm does the following:

Creates a copy of itself named %User Temp%\{random file name}.TMP
Changes its file characteristics to .DLL

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003.)

It is a zero-day exploit for the following vulnerability:

Windows Task Scheduler Privilege Escalation

Solution

Step 1

For Windows ME and XP users, before doing any scans, please make sure you disable System Restore to allow full scanning of your computer.

Step 2

Remove malware files dropped/downloaded by WORM_TDSS.TX

EXPL_CPLNK.SMA

Step 3

Scan your computer with your Trend Micro product and note files detected as WORM_TDSS.TX

Step 4

Restart in Safe Mode

previous12 3 Next

previous:Clippo.A
Next:none

Virus Source from:http://www.trendmicro.com/

New articles

WORM_TDSS.TXThis worm may arrive via drive-by downloads. When executed, it takes advantage of the following vulnerability as a zero-day exploit: (MS10-092) Vulnera...Clippo.AClippo.A puts a password to all the Office documents it finds in the computer and even in the removable drives, so that users cannot open them. Thi...Visal.AVisal.A carries out the following actions: It reduces the protection level of the affected computer, as it prevents many programs related to computer s...MoonLight.VMoonLight.V is a worm whose main objective is to spread and affect as many computers as possible. The means it uses to spread are the peer-to-peer (P2P) file sh...P2P-Worm.Win32.Harex.b Harex.b (aka Genky) is about 4KB when compressed by FSG. The virus file is 33KB when uncompressed. InstallingWhen installing, the worm creates a sub directory ...

Hot Articles

WORM_TDSS.TX

Computer Virus Clounds