W32.Tidserv


Aliases: N/A
Variants: N/A

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Slow
Geographical info: Asia, North and South America, and some parts of Europe and Australia
Removal: Easy
Platform: W32
Discovered: 10 Dec 2008
Damage: Low

Characteristics: W32.Tidserv spreads via removable drives. Affected systems include Windows Vista, Windows XP, Windows Server 2003, Windows NT and Windows 2000.

More details about W32.Tidserv

Once executed, the worm replicates itself and creates a file with rootkit capabilities. It may create several files and then copy them elsewhere, adds a registry entry, and creates an event named TDKP. It also propagates by copying itself to every removable drive, such as a USB stick, and runs in an infinite loop to resist removal. W32.Tidserv connects to a remote location, downloads a file with rootkit capabilities and saves it. The rootkit capability is used to hide files and registry keys whose names begin with the string msqpdx. The worm can also register itself as a service by adding entries under the services subkeys of the registry.

W32.Tidserv can redirect web requests when the requested URL contains youtube.com, www.ask.com, altavista.com, search.aol.com, alltheweb.com, microsoft.com, tribalfusion.com, trafficmp.com, yimg.com, ask2.pricegrabber.com, .adrevolver.com, google, opselect.com, search.icq.com and others. The worm also changes the system's DNS server settings to the fixed IP addresses 85.255.112.154, 85.255.112.87, 85.255.115.156, and 85.255.115.50. It may redirect the user at random to sites that display advertisements or to locations that harvest confidential information, and it can download additional malware onto the compromised computer. W32.Tidserv may also lower security settings by disabling antispyware software.
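The two indicators above that a defender can check from a normal Windows session are the hard-coded DNS server addresses and the msqpdx name prefix used for hidden files and service keys. The following PowerShell check is an added example, not part of the original entry; the directories it searches for msqpdx* files and the use of the Services registry hive are assumptions, since the entry does not state where the files are dropped.

```powershell
# Added detection check (not from the original entry). Uses only standard
# Windows PowerShell cmdlets; Win32_NetworkAdapterConfiguration is available
# from Windows XP onward. Because the rootkit component hides msqpdx* files
# and keys from user-mode callers, an empty artefact list is NOT proof that
# the system is clean; the DNS check is the more reliable of the two.

$TidservDns = @('85.255.112.154', '85.255.112.87', '85.255.115.156', '85.255.115.50')

function Test-TidservDnsHijack {
    # Compare the DNS search order of every IP-enabled adapter with the known IPs.
    $hits = @()
    $configs = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
    foreach ($cfg in $configs) {
        foreach ($srv in @($cfg.DNSServerSearchOrder)) {
            if ($TidservDns -contains $srv) {
                $hits += [pscustomobject]@{ Adapter = $cfg.Description; DnsServer = $srv }
            }
        }
    }
    return $hits
}

function Find-MsqpdxArtifacts {
    # Assumed locations: service keys under CurrentControlSet\Services and files
    # in the Windows directory, System32 and System32\drivers.
    $found = @()
    $keys = Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -like 'msqpdx*' }
    foreach ($k in $keys) { $found += "Registry: $($k.Name)" }
    $dirs = @($env:SystemRoot, "$env:SystemRoot\System32", "$env:SystemRoot\System32\drivers")
    foreach ($dir in $dirs) {
        $files = Get-ChildItem -Path $dir -Filter 'msqpdx*' -Force -ErrorAction SilentlyContinue
        foreach ($f in $files) { $found += "File: $($f.FullName)" }
    }
    return $found
}

$dns = @(Test-TidservDnsHijack)
$art = @(Find-MsqpdxArtifacts)
if ($dns.Count -eq 0 -and $art.Count -eq 0) {
    Write-Output 'No Tidserv DNS hijack or msqpdx artefacts visible from user mode.'
} else {
    $dns | Format-Table -AutoSize
    $art
}
```

A positive DNS match means every name lookup on that adapter is under the attacker's control, so resetting the DNS servers is part of cleanup, but the rootkit component should be removed first or the setting will simply be rewritten.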