Expert Virus Removal Services and Technical Advice.

We provide computer users with expert virus removal services and technical advice.


January 18, 2011

Removal of Worm.TDSS.TX

The payload of this trojan drops files, lowers Internet Explorer (IE) security settings and modifies the Internet Explorer zone settings. Infection typically occurs when a user visits a malicious website. Removal consists of the following steps:

  1. Disable System Restore.
  2. Delete the files dropped by the worm, i.e. EXPL_CPLNK.SMA.
  3. Restart the computer in Safe Mode.
  4. Tick the "Search hidden files and folders" checkbox under "More advanced options" so that hidden files are included in the search results.
  5. Delete the following registry values:

  • In HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\international
    • acceptlanguage=en-us
  • In HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main\featurecontrol\FEATURE_BROWSER_EMULATION
    • svchost.exe=8888
  • In HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    • maxhttpredirects=8888
  • In HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    • enablehttp1_1=1
 Restore the modified values to their default values:
  • In HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
    • CurrentLevel: from 0 to 69632
  • In HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
    • 1601: from 0 to 1
     
 Finally, scan your computer with a good anti-virus program, which will remove the worm completely.
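The registry part of steps 5 and 6 can be checked and undone from a script rather than by hand in regedit. The following PowerShell script is an added example and is not code from the original post: it audits every registry value named above under HKEY_USERS\.DEFAULT, reports which are present, and, only when run with -Fix, deletes the added values and restores the two zone 3 values to the defaults the post quotes (69632 and 1). It assumes Windows PowerShell run as Administrator; the helper Get-RegValue and the -Fix switch are this example's own names.

```powershell
# Added example (not part of the original post): audit the Worm.TDSS.TX registry
# indicators listed above and, with -Fix, remove the added values and restore the
# defaults the post quotes. Assumes Windows PowerShell run as Administrator.
param([switch]$Fix)

# Expose HKEY_USERS as a PowerShell drive (HKU:) if it is not already mapped.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}
$base = 'HKU:\.DEFAULT\Software\Microsoft'

# Values the post says the worm adds; their presence is an indicator.
$addedValues = @(
    @{ Path = "$base\Internet Explorer\international";                                 Name = 'acceptlanguage' },
    @{ Path = "$base\Internet Explorer\Main\featurecontrol\FEATURE_BROWSER_EMULATION"; Name = 'svchost.exe' },
    @{ Path = "$base\Windows\CurrentVersion\Internet Settings";                        Name = 'maxhttpredirects' },
    @{ Path = "$base\Windows\CurrentVersion\Internet Settings";                        Name = 'enablehttp1_1' }
)

# Values the post says the worm modifies (Internet zone 3), with the defaults it quotes.
$zone3 = "$base\Windows\CurrentVersion\Internet Settings\Zones\3"
$modifiedValues = @(
    @{ Path = $zone3; Name = 'CurrentLevel'; Tampered = 0; Default = 69632 },
    @{ Path = $zone3; Name = '1601';         Tampered = 0; Default = 1 }
)

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the key or value does not exist instead of throwing.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

$findings = @()
foreach ($v in $addedValues) {
    $actual = Get-RegValue $v.Path $v.Name
    if ($null -ne $actual) {
        $findings += [pscustomobject]@{ Kind = 'AddedValue'; Path = $v.Path; Name = $v.Name; Actual = $actual }
    }
}
foreach ($v in $modifiedValues) {
    $actual = Get-RegValue $v.Path $v.Name
    # Only flag the value when it carries the tampered setting (0), not merely when it exists.
    if ($null -ne $actual -and [int]$actual -eq $v.Tampered) {
        $findings += [pscustomobject]@{ Kind = 'ModifiedValue'; Path = $v.Path; Name = $v.Name; Actual = $actual }
    }
}

if ($findings.Count -eq 0) {
    Write-Host 'No Worm.TDSS.TX registry indicators found.'
    return
}
$findings | Format-Table -AutoSize | Out-Host

if ($Fix) {
    foreach ($f in $findings) {
        if ($f.Kind -eq 'AddedValue') {
            Remove-ItemProperty -Path $f.Path -Name $f.Name
        } else {
            # Restore the default the post quotes for this zone 3 value.
            $default = ($modifiedValues | Where-Object { $_.Name -eq $f.Name }).Default
            Set-ItemProperty -Path $f.Path -Name $f.Name -Value $default -Type DWord
        }
        Write-Host "Remediated $($f.Path)\$($f.Name)"
    }
}
```

Run it once without -Fix to see the report, and again with -Fix from Safe Mode (step 3) once the dropped files are gone. Two caveats: the post lists the HKEY_USERS\.DEFAULT hive, but the same value names exist under HKCU for each logged-on user, so repeat the check with $base pointed at HKCU:\Software\Microsoft; and acceptlanguage is also a legitimate IE setting name, so on its own it is a weak indicator compared with the two zone 3 values being set to 0.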

WORM_TDSS.TX

This is a very dangerous threat. It exploits a known vulnerability to drop EXPL_CPLNK.SMA, which in turn drops the worm's routines onto the affected system. It lowers the system's security settings and allows malicious sites to be accessed automatically.

Effects:
  • It exploits a zero-day vulnerability.
  • It lowers Internet Explorer (IE) security settings, allowing sites with malicious code to be accessed and run automatically.
  • To propagate, it drops copies of itself onto network shares, making itself available to other users.
  • This worm may be unknowingly downloaded by a user visiting malicious websites.
  • It executes and then deletes itself afterwards.
  • It drops an AUTORUN.INF file so that the copies it drops execute automatically when a user accesses the drives of an affected system.
  • It modifies the Internet Explorer zone settings.
It modifies the following registry entries:
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
    CurrentLevel = 0 (default value: 69632)
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
    1601 = 0 (default value: 1)

It adds the following registry entries:
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\international
    acceptlanguage = "en-us"
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main\featurecontrol\FEATURE_BROWSER_EMULATION
    svchost.exe = 8888
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    maxhttpredirects = 8888
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    enablehttp1_1 = 1
Mode of Attack:
This worm drops an AUTORUN.INF file so that the copies it drops execute automatically when a user accesses the drives of an affected system.
It drops itself onto network drives under the names:
  • setup{random number}.dll
  • setup{random number}.dat
  • setup{random number}.lnk (EXPL_CPLNK.SMA)
This worm also does the following:
  • Creates a copy of itself named C:\Documents and Settings\{user name}\Local Settings\Temp\{random file name}.TMP
  • Changes that copy's file type to .DLL
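Because the worm spreads through drive roots and network shares using the fixed naming scheme above, the dropped copies can be found without knowing the random number. The following PowerShell script is an added example, not code from the original post: it performs a read-only sweep of the roots of local drives (or of any UNC share paths passed in -Roots) for files matching setup{number}.dll/.dat/.lnk and for an AUTORUN.INF, and for each autorun file records which file its open= or shellexecute= line launches so the analyst can confirm the link to a setup{number} file. It assumes Windows PowerShell 3 or later; the -Roots parameter and $dropPattern are this example's own names.

```powershell
# Added example (not part of the original post): read-only sweep of drive and share roots
# for the file names the post attributes to Worm.TDSS.TX (setup{number}.dll/.dat/.lnk)
# and for an AUTORUN.INF that would launch them. Assumes Windows PowerShell 3 or later.
param(
    # Roots to inspect: defaults to every local drive; pass UNC paths for network shares.
    [string[]]$Roots = @(Get-PSDrive -PSProvider FileSystem | ForEach-Object { $_.Root })
)

$dropPattern = '^setup\d+\.(dll|dat|lnk)$'   # naming scheme from the post; the number is random

foreach ($root in $Roots) {
    if (-not (Test-Path -LiteralPath $root)) { Write-Warning "Cannot reach $root"; continue }

    # -Force lists hidden and system files, since dropped copies may be hidden.
    $files = Get-ChildItem -LiteralPath $root -File -Force -ErrorAction SilentlyContinue
    foreach ($f in $files) {
        $isDrop    = $f.Name -match $dropPattern
        $isAutorun = $f.Name -ieq 'autorun.inf'
        if (-not ($isDrop -or $isAutorun)) { continue }

        $record = [pscustomobject]@{
            Root     = $root
            Name     = $f.Name
            Type     = $(if ($isAutorun) { 'autorun' } else { 'dropped copy' })
            Hidden   = [bool]($f.Attributes -band [IO.FileAttributes]::Hidden)
            Size     = $f.Length
            Modified = $f.LastWriteTime
            Launches = $null
        }
        if ($isAutorun) {
            # Record the open= / shellexecute= lines so the analyst can see what the autorun
            # points at without executing anything.
            $launch = Get-Content -LiteralPath $f.FullName -ErrorAction SilentlyContinue |
                      Where-Object { $_ -match '^\s*(open|shellexecute)\s*=' }
            $record.Launches = ($launch -join '; ')
        }
        $record   # emitted to the pipeline; pipe the script to Format-Table or Export-Csv
    }
}
```

The sweep only reads directory listings and the text of AUTORUN.INF; it never opens the .lnk, .dll or .dat files themselves, which matters here because the .lnk is the exploit carrier (EXPL_CPLNK.SMA) and merely rendering it in Explorer is the infection vector the post describes. Run it with the affected machine disconnected from the network first, then against the share paths it had mapped, and hand the matching files to your anti-virus product for quarantine (step 6 above).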
