Backdoor.Tidserv first came to light in back in 2008 as a Trojan that uses an advanced rootkit to hide itself. Since then, Symantec has seen many changes to Tidserv and we have documented a number of the changes in our blog postings. Yesterday [Wednesday, August 25, 2010], Symantec came across a new sample of Tidserv that we have broken out detection for as Backdoor.Tidserv.L and Boot.Tidserv.
To get around the restriction of the direct disk access, The dropper uses the \Device\Harddisk*\Dr* device and rewrites the Master Boot Record with the IOCTL_SCSI_PASS_THROUGH_DIRECT DeviceIoControl request, after this it sets the reboot flag at ExitWindowsEx .
Though with the bugs in this, sometimes Windows doesn't want to load or takes a long time and there is a major bug with it if the debugger is turned on.
[main]
version=0.02
aid=[removed by Quads]
sid=0
rnd=[removed by Quads]
[inject]
*=cmd.dll
* (x64)=cmd64.dll
[cmd]
srv=[removed by Quads]
wsrv=[removed by Quads]
psrv=[removed by Quads]
version=0.11
[Rest removed by Quads]
I can imagine that the bugs will be ironed out by the creators
If you did not have proactive detection in place, you can (currently) manually check to see if the bootkit is installed. As a side effect of the bootkit, the Disk Management pane of the Computer Management console will fail to show the system drive altogether:
It will also fail to show up in the command line using diskpart:
Hello quads - Just trying to gain understanding here, so a few questions please:
I guess the files shown in that location might get there in reality because someone was tricked tricked into downloading the bootkit? But are they only to do with installing the bootkit and wouldn't actually do (or have done) the harm without some more user interaction?
If that is the case, would the detection and blocking occur at the level when it actually tried to install and infect the MBR?
If the bootkit was actually installed, rather than waiting to be installed, wouldn't there be something else in the removal list shown that might refer to the MBR ...unless it wasn't (or couldn't be) detected/removed maybe?
If the situation has got as far as the MBR being infected (perhaps it can't install without the user doing something anyway), say between regular AV system scans, would it be beyond the capabilities of any security program to rectify matters?
Simple to answer all that, the locations is because I created backups of the malicious file including the dropper / installer in another location and dormant, That way I can see if the files are detected by auto-protect or idle time scans.
a lot of the time once the dropper runs and infects the PC it self deletes, so I have backups.
I infected my PC on purpose I infect it with anything from the easy (for me) ones, though to TDL, Virut.CF or Ramnit. it doesn't bother me.
Symantec has already stated the detection name Norton states if it detects the infected MBR. Boot.Tidserv
Hitman Pro 3.5.6 build 112 BETA, Added removal of TDL3 64-bit rootkit,
Restores the MBR with the original apparently.
Unsure yet if that means if the PC in question uses a OEM version of MBR it restores that so it's still the OEM version the PC came with, so that the likes of Dell, HP, Acer...... PC's have Dell PC Restore, HP Restore, etc, will not function properly without their specific entries in the MBR Code
Also Latest TDSSKiller v2.4.1.3:
\HardDisk0\MBR - will be cured after reboot
Rootkit.Win32.TDSS.tdl4(\HardDisk0\MBR) - User select action: Cure
Quads is busy in the middle of an Earthquake zone with over 140 after shocks over 4 days,
Being a Southern Californian I have been through a few of these as well (the 7.3 Landers quake was the scariest). It's amazing that now, within a minute or two of any quake, you can go online and see the epicenter and the magnitude. What used to take hours to collate is now available to the public in real time, thanks to major instrumentation in seismic areas and the internet.
version 0.01, without x64 code (one dropper it seems), version 0.02 fully workable, (just few droppers) buggy, can cause non booting XP version 0.03 with changed infector (driver too), also few samples, buggy, can cause non booting XP