W32.Tdiserv.A


Aliases: N/A
Variants: N/A

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Moderate
Geographical info: Asia, North and South America, and some parts of Europe and Australia
Removal: Hard
Platform: W32
Discovered: 22 Jun 2005
Damage: Medium

Characteristics: W32.Tdiserv.A permits unauthorized remote access to the compromised computer. The worm has rootkit functionality that lets it evade detection by concealing its processes and files.

More details about W32.Tdiserv.A

When W32.Tdiserv.A is executed, it creates and runs specific files, then drops further files. The worm creates a service with the display name TdiHook Update Driver, an image path of %System%\_tdiserv_TdiUpdate.sys and the description ‘Executes every time Windows starts’, and adds values to a registry subkey in order to register that service (TdiHook Update Driver). The created files and registry entries are hidden by the rootkit when the compromised computer is running in Safe mode. The worm also adds a value to a registry subkey so that the rootkit runs each time Windows starts. The worm does not copy itself to drive C.

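As an added example (not part of the original writeup), the following PowerShell check looks for the service and driver file described above on a live host. It assumes the standard Services registry key and that %System% resolves to System32 under $env:SystemRoot.

```powershell
# Added example: check a Windows host for the TdiHook Update Driver service and
# the dropped driver file described in the W32.Tdiserv.A writeup. Run elevated.
$DisplayName = 'TdiHook Update Driver'        # display name from the writeup
$DriverFile  = '_tdiserv_TdiUpdate.sys'       # image path file name from the writeup
$ServicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'  # assumed standard key

$hits = @()
foreach ($key in Get-ChildItem -Path $ServicesKey -ErrorAction SilentlyContinue) {
    $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    $byName = ($props.DisplayName -eq $DisplayName)
    $byPath = ($props.ImagePath -and ($props.ImagePath -like "*$DriverFile"))
    if ($byName -or $byPath) {
        $hits += [pscustomobject]@{
            Service     = $key.PSChildName
            DisplayName = $props.DisplayName
            ImagePath   = $props.ImagePath
            Start       = $props.Start      # 0-2 means the driver loads automatically
        }
    }
}

# Cross-check the loaded driver list as well (drivers are not in Win32_Service).
$loaded = Get-CimInstance -ClassName Win32_SystemDriver -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -eq $DisplayName -or $_.PathName -like "*$DriverFile" }

# Check for the dropped driver on disk under %System% (assumed System32).
$driverPath = Join-Path $env:SystemRoot "System32\$DriverFile"
$fileExists = Test-Path -LiteralPath $driverPath

if ($hits.Count -gt 0 -or $loaded -or $fileExists) {
    Write-Output 'Indicators of W32.Tdiserv.A found:'
    $hits   | Format-Table -AutoSize
    $loaded | Select-Object Name, State, PathName | Format-Table -AutoSize
    if ($fileExists) { Write-Output "Driver present on disk: $driverPath" }
} else {
    # The rootkit component conceals its files and registry entries, so a clean
    # result from the running system is not conclusive; confirm against an offline
    # copy of the SYSTEM hive and the System32 directory (for example from boot media).
    Write-Output 'No indicators found on the live system; see the caveat in the comments.'
}
```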