Jump to content

  • 0
Prajwal Desai

TDSS Loader - Removal


TDSS is a very complicated piece of malware and the cybercriminals have created an ingenious propagation tool for its loader.



Hi All,


I am sharing some info on TDSS worm and its removal. I have faced with this issue recently and will be sharing info on removal of it.




The TDSS loader was named Net-Worm.Win32.Rorpian and has two methods of propagation:

  1. Via removable media
  2. Via a LAN

When propagating via removable media, the worm creates the files setup.lnk, myporno.avi.lnk, pornmovs.lnk and autorun.inf. These files contain a link to the file rundll32.exe whose parameters reference the worm’s DLL. This is a standard technique used in many malicious programs. The worm uses the following methodology when working with a LAN. To infect a computer, the worm checks if a DHSP server is used in the network. If the victim computer is located on a network using the DHCP protocol, the worm starts scanning the network to see if there are any available IP addresses. After that, the worm launches its own DHCP server and starts listening to the network. When a DHCP request from a computer in the local network arrives, the worm attempts to respond to it before the “official” DHCP server does, and species the following:

  1. An IP address from the pool of available IP addresses
  2. The main gateway specified on the infected computer
  3. The address of the malicious DNS server belonging to the cybercriminals After these manipulations, whenever the user tries to visit any web page, they will be redirected to the malicious server and prompted to update their web browser.



The user gets notification for an update and when updated the user downloads Net-Worm.Win32.Rorpian. After infecting the user’s computer, it changes the DNS settings into a Google server address and lets the user browse.

The IP address is usually of 188.xx.xx.xx range and the DNS server IP is




Coming to the cleaning part of this worm, I feel this is the most painfull job. The affected devices must be first disconnected from the network. The devices would work fine if given a static IP, but the worm is more active when there is a DHCP server. Kaspersky provides a tool to identify and kill the TDSS worm. The tool can be found at the link : http://support.kaspersky.com/viruses/avptool2010?level=2. With this tool we need to scan all the systems and clean up the malware.

Share this post

Link to post
Share on other sites

0 answers to this question

Recommended Posts

There have been no answers to this question yet

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Answer this question...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.


  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.