Video Screencast Help
Symantec Appoints Michael A. Brown CEO. Learn more.
Security Response

Now You See Me, Now You Don’t

Created: 29 Jan 2010 21:13:08 GMT • Updated: 23 Jan 2014 18:29:53 GMT
Éamonn Young's picture
0 0 Votes
Login to vote

Backdoor.Tidserv.K

Often when a Trojan arrives on a computer, it saves itself to a specific location. It can save itself on the C: drive, the D: drive, or even somewhere more unusual; for example, in a location with a folder name that it has created itself using random characters. It may then go on to create or modify certain registry entries. It can do this so that it can execute every time your computer starts. Threats may also modify existing registry entries in order to perform devious tasks, such as lowering security settings on the computer by disabling firewalls and antivirus software.

At any rate it is typical for a threat to leave some trace of itself on the computer, which makes it possible to identify that the threat exists. Having said that, some threats may use a rootkit to hide their presence on a computer, thus making them more difficult to locate.

Recently, however, we detected a threat (Backdoor.Tidserv.K) that performs something of a vanishing act! After arriving on the computer, it proceeds to delete its presence (including some files and a registry subkey) on the computer, thus appearing to have stopped executing. All that remains of the Trojan is a dormant .dll (dynamic link library) file that resides in memory rather than the file system, which takes care of the dirty work.

The file only resumes operation when certain conditions arise, which are:

1.    Whenever the svchost.exe (a networking process) or the spoolsv.exe (a printer process) is executed.

2.    Whenever an Internet browser executes on the computer.

The Trojan is then able to steal certain information from the computer and send it to one of many predetermined locations, which the remote attacker has access to.

Have no fear, however, for even in cases like this, your Symantec antivirus software can come to the rescue! ☺ The threat will still need to access the hard drive at the beginning of its operation. It is at this point that Symantec antivirus can step in and detect the threat and subsequently remove it before it can perform any malicious tasks. So, what is the moral of this story? Keep your virus definitions up to date to prevent even the stealthiest of attackers from stealing your information!