Neutralization of TDL3 and other virus events of November

December 2, 2009

The main event of the past month was the successful neutralization of a new modification of the rootkit BackDoor.Tdss, which used various hiding techniques to remain undetected and gave an intruder full control over a compromised system. In addition, virus makers tended to disguise malware as software that supposedly allowed users to track owners of cell phones, Trojans spread mainly over social networking web-sites, and the number of e-mails with viruses declined.

BackDoor.Tdss.565 and its modifications

On November 12, 2009, Doctor Web offered its customers a new version of the scanner, which became the first anti-virus that could be launched in an infected system and neutralize BackDoor.Tdss.565 (also known as TDL3).

Rootkits of this type incorporate the latest evasion technologies, which allow them to bypass virtually all existing anti-viruses and inject malicious code into system processes while remaining undetected.

One such innovation in BackDoor.Tdss.565 is its new installation method, which allows the malware to avoid detection by virtually all known behaviour analyzers. This shows that virus makers not only try to make new pieces of malicious code hard to detect for signature-based scanners and heuristic analyzers but also attempt, sometimes successfully, to evade behaviour analyzers.

Another novelty introduced by the virus makers is a hidden virtual drive that the rootkit creates on a hard disk in the compromised system. The hidden virtual disk stores the files the Trojan needs to operate. A special mounting algorithm hides this additional device from the system.

The rootkit also infects one of the drivers responsible for operation of hard drives. The malware detects which hard drive interface is used in the system and injects its code into a corresponding driver.

BackDoor.Tdss.565 also takes advantage of other non-standard techniques that make its detection and neutralization quite a challenge for anti-virus vendors. Dr.Web developers were the first to solve the problem, and the results of their work have been implemented in the latest version of the Dr.Web scanner included in all Doctor Web’s solutions for Windows.

Fake location finders

In its monthly reviews and numerous news reports Doctor Web has warned users against downloading fake anti-virus software, which can still be found in large numbers on the Internet.

However, software for mobile devices is also becoming a popular disguise for malware. This is hardly surprising, since mobile phones have become an indispensable part of our lives. In recent months cyber criminals who exploited users' wide interest in such software haven't used malware in their fraud schemes. But in November Russian users were "offered" password stealers presented as software for tracking mobile phone users.

It may rain in the Dance City

It is well known that many users spend significant amounts of money to access exclusive content or special features in online games thus bringing income to their authors and publishers. Surely cyber criminals want to have their share too and exploit users’ interest in gaming to distribute malware.

This review describes several fraud schemes targeting Russian users of the MORPG Parapa: the Dance City. The popularity of this game in Russia is growing, and players adopt various techniques (sometimes unfair) to gain a certain advantage in the game or receive a special bonus. A user can progress through the game by gaining points, but this way is long and tiresome. Another way to reach a higher level is to place a certain amount of money on a virtual account in the game.

Cyber-criminals offered users software that would supposedly add a certain amount to their virtual game accounts on a daily basis, give users administrative privileges or help acquire other qualities that could give one an advantage in the virtual dance city.

In fact, users falling for such schemes risk more than spending their money in vain. It is not uncommon for an intruder to acquire the user account information along with a character that has been in the game for several months. Such a character often goes on sale. To receive money from a victim criminals often resort to such services as,,

Apart from extracting money from victims, malefactors could also provide users with free software for "cracking" the game. As a rule, such cracks disguise malicious programs such as BackDoor.Dax.47.

Viruses via e-mail

New modifications of password stealers Trojan.PWS.Panda and new variations of Trojan.Proxy that were spread via e-mail in previous months were also found in messages in November. But since anti-virus vendors inform users about such mailings on a regular basis, virus makers had to find new ways to lure users into downloading and launching malicious executable files.

In previous months such messages were mainly disguised as notifications from the administration of Facebook. In November users of MySpace were added to the target group. Users of MySpace received notifications similar to those sent to members of Facebook. They were also informed that their password had been changed for better security and that they could find the new password in the attached file. Some messages also offered victims a utility to download that would make all changes automatically so that the user could access his account after the site’s security system had been changed. The download link directed the victim to a bogus web-site created by cyber-criminals.

To spread malware over e-mail, virus makers often fake messages from well-known, respected companies. In November they chose to pose as NACHA. An e-mail informed a user that his electronic transaction had been cancelled and offered to go to the company's web-site for details. From a bogus web-site the unsuspecting victim downloaded another modification of Trojan.PWS.Panda.

The overall amount of spam related to malware in the first two weeks of November remained at the level of the past month. Virus analysts registered different mailings with various malicious programs in attachments or with links to bogus web-sites. However, starting from the middle of the past month the number of such mailings decreased by 50 per cent compared with the figures at the beginning of November. This downturn is most probably temporary.


The last part of this review is devoted to phishing.

In the second two weeks of November cyber criminals sent users a message supposedly from Google. Composed of a few lines of text, it invited a user to follow a provided link to learn about a new way to earn money.

In some cases the link could direct a user to the web-page with a Twitter post containing another link. In other cases it directed a user to a web-page hosted using Google services.

In both cases the ultimate goal of the criminals was to get a user to the bogus web-site and retrieve his personal information. To make sure the victim wouldn't have enough time to get suspicious, they placed a countdown timer on the web-site. However, nothing happened after the victim had provided his personal information.

Viruses detected in e-mail traffic in November

01.11.2009 00:00 - 01.12.2009 00:00

No.  Threat                     Detections (share)
1    Trojan.DownLoad.37236      10313930 (13.36%)
2    Trojan.DownLoad.47256      9528637 (12.34%)
3    Trojan.Fakealert.5115      6663095 (8.63%)
4    Trojan.MulDrop.40896       6638234 (8.60%)
5    Trojan.Packed.683          5457677 (7.07%)
6    Trojan.Fakealert.5238      4991544 (6.47%)
7    Trojan.DownLoad.50246      3843797 (4.98%)
8    Trojan.Fakealert.5825      3266072 (4.23%)
9    Trojan.Fakealert.5437      2387930 (3.09%)
10   Win32.HLLM.Netsky.35328    2332183 (3.02%)
11   Trojan.Fakealert.5356      2164543 (2.80%)
12   Trojan.Fakealert.5784      1871829 (2.43%)
13   Trojan.PWS.Panda.122       1756350 (2.28%)
14   Trojan.Fakealert.5229      1740878 (2.26%)
15   Trojan.Packed.2915         1618177 (2.10%)
16   Trojan.Fakealert.5457      1525194 (1.98%)
17   Win32.HLLM.Beagle          1273271 (1.65%)
18   Win32.HLLM.MyDoom.33808    1015421 (1.32%)
19   Trojan.Siggen.18256        886946 (1.15%)
20   Trojan.Proxy.7778          839487 (1.09%)

Total scanned: 78,826,014,338
Infected: 77,187,250 (0.0979%)

Viruses detected on user machines in November

01.11.2009 00:00 - 01.12.2009 00:00

No.  Threat                      Detections (share)
1    Win32.HLLW.Gavir.ini        568913 (4.92%)
2    Win32.HLLW.Shadow.based     518583 (4.49%)
3    Trojan.WinSpy.282           449187 (3.89%)
4    Trojan.Redirect.11          441590 (3.82%)
5    Trojan.SqlShell.9           382913 (3.31%)
6    Win32.Sector.17             346204 (3.00%)
7    Trojan.WinSpy.247           312848 (2.71%)
8    Trojan.AppActXComp          303650 (2.63%)
9    Trojan.AuxSpy.74            272309 (2.36%)
10   Win32.Alman.1               256652 (2.22%)
11   Win32.HLLW.Shadow           233635 (2.02%)
12   Win32.HLLW.Autoruner.5555   220766 (1.91%)
13   Trojan.Starter.881          201548 (1.74%)
14   Win32.Rammstein.13346       196029 (1.70%)
15   VBS.Autoruner.8             186965 (1.62%)
16   VBS.Autoruner.4             183627 (1.59%)
17   Trojan.NtRootKit.4672       136259 (1.18%)
18   Trojan.PWS.Multi.110        131735 (1.14%)
19   Trojan.AuxSpy.75            123839 (1.07%)
20   Trojan.AuxSpy.72            123398 (1.07%)

Total scanned: 92,781,494,382
Infected: 11,558,593 (0.0125%)
