Hi malware fighters,
"The Alurion or TDL3 rootkit is causing great problems for almost all av scanners",
according to the maker of Hitman Pro.
See:
http://rootbiez.blogspot.com/2009/11/rootkit-tdl3-why-so-serious-lets-put.htmlThe Hitman Pro 3 malware scanner is able to recognize mentioned malicious software,
and also capable to remove it.
Recently also PreVX warned against this rootkit, that is spreading like hayfire through the Internet.
Re:
http://www.prevx.com/blog/139/Tdss-rootkit-silently-owns-the-net.html“The malcreants that made TDL3 use very advanced methods to circumvent av detection”,
according to Dutch developer, Mark Loman.
“The rootkit will lift on the back of a standard driver which may seriously complicate detection.”
The first variant of this rootkit, also known as Alureon,
appeared in the summer of the previous year and is still missed by numerous av solutions.
Last summer a second variant of the malware appeared,
while during November a third variant emerged.
TDL3 will register itself as a print processor.
The printer subsystem (spoolsv.exe), that has system rights,
will load this Print Processor accordingly.
TDL3 will go unnoticed AV solution that also will monitor process behavior won't flag these activities,
because the printer subsystem forms a trusted part of Windows.
As print processor TDL3 will now own full systemrights to infect the lowest system driver,
responsible for communication with the hard disk.
Whenever av solutions will chec on this driver, they will be presented with the original file,
so infection will go unnoticed.
Furthermore TDL3 will place an encrypted file system on the last sectors of the hard disk
on top of the existing traditional file system.
This encryption will make that these files can not be directly read from disk,
making detection by av solutions almost impossible.
The encryption file system comes in handy to download all sorts of further malware unto it
that come in from the Internet.
Other malcreants will cooperate with the makers of TDL3 to hide their malcreations in this way.
According to Surfright, the presenter of Hitman Pro,
the number of av solution that can detect a TDL3 at the moment is very limited.
"And the av solutions that can really remove it are almost zero."
Hitman Pro 3 is able to scan machines from a pendrive, USB stick,CD/DVD, local hard drive or network disk
within a couple of minutes.
It can also be used as an addition to your existing av solution.
Scanning with it is free, so the effectivity of your current av solution can be verified also.
The 5MB anti-virus program can be downloaded from here:
http://www.surfright.nl/en/downloadsEnjoy,
polonus
