
Identifying and Removing AntiVirus 2009 and Rootkit

The Silent Infection Indicators (quite difficult to identify)

This infection is comprised of two very different components that work toward one cause: getting your money. Your money is the bottom line! First, you have the trojan element. It consists of a variety of files, some of which include rootkit elements. This component of the infection is not easily visible and is intent on staying hidden, running silently in the background, protecting itself and related files, and downloading the rogue product.

The rootkit consists of a system driver located in the driver folder at C:\windows\system32\drivers\TDSS****.sys (not viewable without special tools). The file name appears to be semi-random. The first half of the driver name is fairly consistently “TDSS”. The second half, represented here with asterisks (*), varies from install to install. For example, across three installs I had three different filenames: TDSSmxst.sys, TDSSliqp.sys, and TDSSosvn.sys – same file, different names. This rootkit has recently been accompanied by the file brastk.exe, which shows up in two locations: C:\WINDOWS\system32\ and C:\WINDOWS. This file is not randomly named and stays generally static (for now). In some instances, this infection prevents common anti-rootkit tools from running. The infection makes a lot of registry changes, for example: “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata”.
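Because the driver is hidden from the running system, a plain directory listing taken on the infected machine will not show it. The added example below (mine, not from this post) applies the usual cross-view check: it compares the file list the live system reports against a list gathered outside the OS (boot CD, mounted image), flags anything present offline but missing live, and then matches the offline view against the file-name indicators given above. Both listings are constructed sample data.

```python
import re
from typing import Dict, List

# Indicators from the post: a driver named TDSS + four varying characters + .sys
# in the drivers folder, and brastk.exe in both C:\WINDOWS and C:\WINDOWS\system32.
TDSS_DRIVER = re.compile(r"^c:\\windows\\system32\\drivers\\tdss[a-z0-9]{4}\.sys$", re.I)
BRASTK_PATHS = {
    r"c:\windows\brastk.exe",
    r"c:\windows\system32\brastk.exe",
}


def find_tdss_indicators(live_listing: List[str], offline_listing: List[str]) -> Dict[str, List[str]]:
    """Cross-view check.

    live_listing:    file paths as reported by the running (possibly infected) OS
    offline_listing: file paths read from the same volume outside that OS
    A path present offline but absent live is being hidden from the running
    system, which is exactly the behaviour the post describes for the driver.
    """
    live = {p.lower() for p in live_listing}
    offline = {p.lower() for p in offline_listing}
    hidden = sorted(offline - live)
    # Name-based matches are taken from the offline view only: the live view
    # cannot be trusted to show the rootkit's own files.
    drivers = sorted(p for p in offline if TDSS_DRIVER.match(p))
    brastk = sorted(p for p in offline if p in BRASTK_PATHS)
    return {"hidden": hidden, "tdss_drivers": drivers, "brastk": brastk}


# Constructed sample listings (not captured from a real machine): the live
# view lists brastk.exe but omits the TDSS driver, as the post describes.
LIVE = [
    r"C:\WINDOWS\system32\drivers\ntfs.sys",
    r"C:\WINDOWS\system32\brastk.exe",
    r"C:\WINDOWS\brastk.exe",
]
OFFLINE = LIVE + [r"C:\WINDOWS\system32\drivers\TDSSmxst.sys"]

if __name__ == "__main__":
    for name, paths in find_tdss_indicators(LIVE, OFFLINE).items():
        print(f"{name}: {paths}")
```

An empty "hidden" list only means the two views agree; the name-based checks still matter, since brastk.exe is not hidden and would be missed by the diff alone.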