Discovered: September 18, 2008
Updated: November 18, 2013 9:34:23 AM
Also Known As: Backdoor:W32/TDSS [F-Secure], BKDR_TDSS [Trend], Win32/Alureon [Microsoft], Trojan-Dropper.Win32.TDSS [Kaspersky], Packed.Win32.TDSS [Kaspersky]
Type: Trojan
Systems Affected: Windows

Backdoor.Tidserv is a Trojan horse that uses an advanced rootkit to hide itself. It also displays advertisements, redirects user search results, and opens a back door on the compromised computer.

In addition to the Backdoor.Tidserv family title, this Trojan is also known as Alureon, TDSS and TDL (multiple versions such as TDL-3 or TDL-4).

Infection
This Trojan is typically distributed using a number of means common to many other well-known threats. Namely it has been observed to be spread by fake blogs rigged with URLs to sensational videos that "must be seen" or bogus blog or forum comments with similar baits. The Trojan may also be found in fake Torrent files and P2P downloads, cracks and warez Web sites, and also hacked legitimate and fake Web sites rigged with exploits for various vulnerabilities allowing for what is known as a "drive-by download" to occur.


Functionality
The functionality that the Trojan exhibits implies that it has been designed with profit-making as its primary objective. Making money from the Web typically involves generating Web traffic, installing pay-per-install software and generating sales leads for other Web sites and services of a dubious nature. It tries to achieve its objective by employing an array of techniques to make the user participate in these income-generating activities.

The Trojan may, for example, manipulate Web search results so that users are redirected to sites that are affiliated with the Trojan's authors. It may also redirect users to sites hosting Misleading Applications that are likely associated with the pay-per-install income model. The Trojan may also periodically display pop-up advertisements for various products and services, as well as further Misleading Applications. From time to time, it may also contact remote servers for software or updates to itself or its configuration files, making it a versatile and extensible threat.

If all of the techniques mentioned above fail to generate the appropriate response from the user, the Trojan may also directly download other malicious software and Misleading Applications to ensure that at least some income is generated by each infection.

The Trojan also has highly developed stealth capabilities, employing techniques rarely seen in other, less professionally written malicious code. The Trojan infects a system driver file with its own code. The code in the infected driver file acts as a rootkit and loader that directs the computer to load its main routines. The main routines are encrypted and hidden somewhere in the last sectors of the hard disk. The rootkit functionality of the Trojan provides effective cover for the Trojan: any queries from the operating system about the affected driver file or the disk sectors will return a clean result. No other telltale symptoms or indicators are seen, unlike with other, more conventional malicious code threats.

More recent variants also manipulate the Master Boot Record (MBR) of the computer to ensure that it is loaded early during the boot up process so that it can interfere with the loading of the operating system.



"Blue Screen of Death" incidents
Recent reports of a spate of Blue Screen of Death (BSOD) incidents began to emerge following Microsoft's monthly patch release for February 9th, 2010. On further investigation it has been determined that many of these incidents were caused by the Microsoft patches accidentally disrupting the chain of execution assumed by the Trojan when patching and hooking the system files. The net result of this is that when the system file APIs are called, the addresses returned by the newly updated files are no longer where the Trojan assumed them to be and this results in an invalid address, thereby causing the error.

The latest news is that the Tidserv gang have patched their rootkit to avoid the infinite-reboot issue caused by the kernel API offset changes introduced by MS10-015. Research testing showed the infected drivers were indeed able to cope with changes in the kernel API offsets. To achieve this they now use hash functions on the required API names to retrieve their addresses on the fly, a technique known to have been used in viruses and other threats for years, and yet they had to disable most of their bot network in order to deploy it. Statistically it has been shown that the number of bugs in a program is proportional to its complexity, or its source code size. It is a well-known fact that in kernel mode, the smallest mistake leads, in most cases, to a BSOD. This may mark the beginning of the end of an otherwise advanced rootkit.



GEOGRAPHICAL DISTRIBUTION
Symantec has observed the following geographic distribution of this threat.


PREVALENCE
Symantec has observed the following infection levels of this threat worldwide.

SYMANTEC PROTECTION SUMMARY
The following content is provided by Symantec to protect against this threat family.


Antivirus signatures



Antivirus (heuristic/generic)


    Browser protection
    Symantec Browser Protection is known to be effective at preventing some infection attempts made through the Web browser.


    Intrusion Prevention System

    Antivirus Protection Dates

    • Initial Rapid Release version September 18, 2008 revision 007
    • Latest Rapid Release version July 15, 2018 revision 005
    • Initial Daily Certified version September 18, 2008 revision 008
    • Latest Daily Certified version July 15, 2018 revision 002
    • Initial Weekly Certified release date September 24, 2008


    Writeup By: Hon Lau


    1. Prevention and avoidance
    1.1 User behavior and precautions
    1.2 Patch operating system and software
    1.3 Address blocking
    2. Infection method
    2.1 Forums and blogs
    2.2 Hacked websites
    2.3 File sharing, cracks, and warez
    2.4 Affiliate schemes
    3. Functionality
    3.1 System modifications
    3.2 Network activity
    3.3 Rootkit functionality
    4. Additional information




    1. PREVENTION AND AVOIDANCE
    The following actions can be taken to avoid or minimize the risk from this threat.


    1.1 User behavior and precautions
    This threat may be spread by users actively clicking on links posted to certain forums or blogs found on the Web. A social engineering lure is often used by the malware creators; a common technique is to add some kind of salacious or sensational news or a statement that will pique the user's interest and entice them to click on the bogus links.

    Users can mitigate the risk of infection by being careful about clicking links found on Web sites, such as blogs and forums, where there is potentially little control or quality checking of the content. Basic checks such as hovering the mouse pointer over a link will normally show where the link leads. Users can also check online Web site rating services such as safeweb.norton.com to see if the site is deemed safe to visit.

    When performing searches in search engines, treat any results returned with caution and double-check them before following the links. If pop-up advertisements are displayed, do not click on them or follow any links within them.

    Users should be wary of any sites or services offering free downloads of copyrighted content, such as music, videos, or cracked software. These are often booby-trapped with malicious software and are a known distribution vector for this threat. Indiscriminate file sharing may also increase the risk of compromise.

    If the user is offered an unfamiliar security product by way of pop-ups or other similar methods while browsing the Web, they should exercise extreme caution and, if in doubt, not download and install the software. It is generally safer to buy from a well-known or trusted brand's site, or to buy a product that can be physically purchased from a local shop.


    1.2 Patch operating system and software
    Users are advised to ensure that their operating systems and any installed software are fully patched, and that antivirus and firewall software is up to date and operational. Users should turn on automatic updates if available, so that their computers can receive the latest patches and updates when they are made available.


    1.3 Address blocking
    Block access to the following addresses using a firewall or router, or add entries to the local hosts file that redirect them to 127.0.0.1:


    Note: The domains used by this threat change frequently.



    2. INFECTION METHOD
    This threat is known to infect computers through a number of methods. We will examine each of these methods in more detail.


    2.1 Forums and blogs
    Web 2.0-type services have enabled a whole new world of user participation and interaction not previously possible. Services such as blogs and social networking sites make it much easier for individuals and businesses to reach a far larger audience than they otherwise could by traditional means. The substantial increase in audience reach is a power that is not lost on malware authors either.

    A typical attack scenario involves the attackers identifying a high-traffic blog or forum with a commenting feature available that allows anonymous comments. A comment with some sensational content may then be added. Typically it may purport to send the user to a video of some event, such as the death of a celebrity or some world disaster -- just about any event that is likely to cause a stir around the world. One such event was the release of the Google Wave service in October 2009. The attackers made use of that event to deliver Backdoor.Tidserv to many unsuspecting users.

    One example attack was launched by seeding bogus postings to many different discussion forums. Note the social engineering tricks used to gain trust in the example below. The attacker starts off by explaining that they are a long-time user of the forum and then ends with reassurance that the link is good by referring to a clean result from VirusTotal.




    2.2 Hacked websites
    Legitimate and sometimes well-known Web sites may fall victim to hack attacks, leading to the planting of malicious code, such as hidden IFRAME tags within their content. This may occur due to incorrectly configured and/or secured servers that may be vulnerable to attacks, allowing an attacker to gain access to the contents of the server.

    A well-known technique employing Web and database server hacking involves the so-called SQL injection attacks. Any site using Web forms backed by a database server may be vulnerable and can succumb to these attacks if any part of the system is not properly secured. If an attack on the server is successful, the attackers may manipulate Web pages by adding extra code at the top or bottom of the page or, if the compromised server is a database server, the contents of the database may be manipulated to include links to URLs of the attacker's choice.


    2.3 File sharing, cracks, and warez
    There are masses of pirated content available on the Web, which implies that many people are not prepared to pay for content and instead go searching for the latest music or videos rather than buying them from a trusted source. This offers a very real and profitable distribution channel for any would-be malware supplier. Since suppliers of illegal content are not officially identified, verified, or tracked, it is very easy for a malware creator to make available a new malware file, give it a file name that is related to current and popular content search terms, and then sit back and wait for the downloads to begin.


    2.4 Affiliate schemes
    There are schemes available on the Internet that promise to pay cash for generating traffic or, in this case, a pay-per-install revenue model where a certain amount of cash is credited for each computer that is installed with some software. While many affiliate schemes are legitimate, there are some that either turn a blind eye to how their members are gaining market share or actively use underhanded tactics to achieve their aims.

    Distribution of this threat is most likely driven and aided to a great extent by affiliate schemes. We are aware of at least one affiliate scheme that has been distributing Backdoor.Tidserv on a pay-per-install basis for some time.



    The affiliate schemes typically pay a very small sum of money for each installation. For one of the schemes the sum is $0.15 USD. In order to make any significant profit, those involved in this business must scale up their ability to push and distribute the software. For owners of bot networks with hundreds of thousands of nodes, it can present a not-to-be-missed, profit-making opportunity. For example, take a typical botnet with 200,000 nodes. If all of the bots were successfully instructed to download and install the software, it could earn the controllers of the botnet in the region of $30,000.

    Since there is potentially such a large financial gain to be made from signing up for these affiliate services, it is understandable that there are many enterprising people around the world who are happy to sign up and use any means possible (including illegal ones) to get the software onto as many computers as possible.



    3. FUNCTIONALITY
    Backdoor.Tidserv is primarily a profit-making enterprise and as such it aims to stay undetected on a compromised computer for as long as possible. It does this by using advanced stealth techniques, including a rootkit, to hide traces of itself and its activities.

    Once it is successfully installed on a computer, its primary purpose is to perform activities that will help to generate revenue for those behind the attack. Therefore it comes as no surprise to find that its payload performs activities that are aimed at making the user visit Web sites that are associated with money-making schemes and also download and install software that they do not necessarily need or want.


    3.1 System modifications
    The following side effects may be observed on computers compromised by this Trojan. It should be noted that the threat uses a rootkit and other advanced stealth techniques to hide itself and its side effects. Upon successful installation and execution, any changes may not be visible on the compromised computer except where specialist tools are used to reveal them.


    File creation
    The following file(s) may be seen on the compromised computer.
    • %System%\spool\prtprocs\[TEMPORARY FILE NAME].tmp (Initial executable file)
    • %System%\drivers\TDSServ.sys
    • %System%\TDSS[RANDOM VALUE].log
    • %System%\TDSS[RANDOM VALUE].dat
    • %System%\TDSS[RANDOM VALUE].dll
    • %System%\drivers\H8SRTd.sys

    File deletion
    The following file(s) may be deleted from the compromised computer.
    • %System%\spool\prtprocs\[TEMPORARY FILE NAME].tmp (Initial executable file)


    File modification
    The following file(s) may be modified on the compromised computer.
    • atapi.sys (file infection)
    • advapi32.dll (file infection)
    • iastor.sys (file infection)
    • idechndr.sys (file infection)
    • ndis.sys (file infection)
    • nvata.sys (file infection)
    • vmscsi.sys (file infection)

    The infection of system drivers and low level system files may cause instability in the operating system. It has been observed that certain computers infected by Backdoor.Tidserv may experience a Blue Screen of Death (BSOD) error after applying the Microsoft patches from February 9th, 2010.





    Installation
    During installation, the threat will cause spoolsv.exe (print spooler) to load the code for the threat. The code loaded into memory may hold one or more of the following logical files:
    • tdlwsp.dll (for hooking search queries)
    • tdlcmd.dll (main back door functionality)
    • config.ini (configuration details)

    More information on the functionality of these files is as follows:


    tdlcmd.dll
    This file contains code to perform the following activities:
    • Download, decrypt, and execute files.
    • Update the configuration file.

    tdlwsp.dll
    The file contains code to perform the following activities (the latest variants have the functionality of tdlwsp.dll incorporated into tdlcmd.dll):
    • Hook Winsock routines to allow it to examine network traffic.
    • Log search engine strings and send them to a remote computer.
    • Inject or build HTTP responses so that it may modify or replace Web content returned by a Web server during a browsing session.

    config.ini
    This is a configuration file detailing bot identifiers, version information and other parameters.

    Here is a sample config.ini file:

    [main]
    quote=Tomorrow will be the most beautiful day of Raymond K. Hessel's life
    version=3.241
    botid=xxxxx
    affid=20273
    subid=0
    installdate=7.2.2010 16:8:33
    builddate=7.2.2010 15:1:5
    [injector]
    *=tdlcmd.dll
    [tdlcmd]
    servers=https://d45648675.cn/;https://d92378523.cn/;https://91.212.226.62/
    wspservers=http://b11335599.cn/;http://b00882244.cn/
    popupservers=http://m3131313.cn/
    clkservers=http://clkmfd001.ws/
    version=3.64
    delay=7200
    [tasks]
    tdlcmd.dll=https://91.212.226.64/pOxhFds1itxq

    Once the code for the threat is installed, it deletes the original executable file that was executed and by doing this removes any obvious traces of its presence on the file system. Next, it infects one of the lowest-level drivers (atapi.sys) and manipulates it to load the threat when the computer is started.

    It then creates an RC4-encrypted file system (the key used is "tdl") on the last sectors of the hard disk and stores the logical files (tdlwsp.dll, tdlcmd.dll, config.ini, and the original portion of the infected driver file) from memory in the newly created file system. Once these actions are completed, there will be no visible traces of the threat when examining the file system of the computer except, possibly, a change in the size of the infected driver file.

    After the computer is restarted, the infected driver file (atapi.sys) will load the threat from the end sectors of the hard disk. It will create the hooks for the rootkit to do its job as well as injecting the code from tdlcmd.dll into all processes or into specific processes as defined in the config.ini file.


    Manipulation of the Master Boot Record
    More recent variants of Tidserv such as Backdoor.Tidserv.L (since August 2010) and Backdoor.Tidserv.M (January 2011) have adopted a technique pioneered by another sophisticated threat, Trojan.Mebroot. The technique involves replacing the existing MBR with another copy that enables the threat to get loaded first during the boot-up process. The original MBR and the components used by the threat are then copied to sectors of the hard disk that are unknown to the operating system, usually located in slack space after the end of the main partitions.



    The MBR technique enables the threat to gain full control over the computer as it will be loaded even before the operating system. It takes advantage of the early loading to manipulate the boot up process to bypass security measures and ensure that it is executed each time the operating system is started.
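    The following added example (not part of the Symantec writeup or its tooling) shows how an analyst could triage a raw disk image for the storage described in the installation, config.ini and MBR passages above: it parses the MBR partition table, walks the unpartitioned slack after the last partition, tries the RC4 key "tdl" on each sector, and extracts the C&C host names from a recovered config.ini. It assumes, as a simplification, that each hidden sector decrypts independently with a fresh RC4 stream, and it runs against a constructed image carrying a shortened copy of the writeup's sample config.

```python
import struct
from configparser import ConfigParser
from urllib.parse import urlsplit

SECTOR = 512
RC4_KEY = b"tdl"  # the RC4 key named in the writeup for the hidden file system
# Strings that mark a decrypted sector as an executable image or the config.ini.
MARKERS = (b"MZ", b"[main]", b"[tdlcmd]", b"tdlcmd.dll")


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 keystream XOR; the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def parse_mbr(mbr: bytes):
    """Return (boot_signature_ok, [(type, start_lba, sector_count), ...])."""
    if len(mbr) != SECTOR:
        raise ValueError("MBR must be exactly one 512-byte sector")
    sig_ok = mbr[510:512] == b"\x55\xAA"
    parts = []
    for n in range(4):  # four 16-byte partition entries start at offset 446
        entry = mbr[446 + 16 * n:446 + 16 * (n + 1)]
        ptype = entry[4]
        start_lba, count = struct.unpack_from("<II", entry, 8)
        if ptype and count:
            parts.append((ptype, start_lba, count))
    return sig_ok, parts


def scan_image(image: bytes) -> dict:
    """Walk the sectors after the last partition (the slack the writeup names)
    and report any that decrypt with key 'tdl' to a recognisable payload."""
    sig_ok, parts = parse_mbr(image[:SECTOR])
    total = len(image) // SECTOR
    first = max((start + count for _, start, count in parts), default=1)
    hits = []
    for lba in range(first, total):
        raw = image[lba * SECTOR:(lba + 1) * SECTOR]
        if not any(raw):  # never-written sector, nothing to decrypt
            continue
        plain = rc4(RC4_KEY, raw)  # assumption: one RC4 stream per sector
        if any(m in plain for m in MARKERS):
            hits.append((lba, plain))
    return {"boot_sig_ok": sig_ok, "partitions": parts,
            "slack_sectors": total - first, "hits": hits}


def servers_from_config(text: str) -> list:
    """Pull the C&C host names out of a recovered config.ini [tdlcmd] section."""
    cp = ConfigParser(interpolation=None)
    cp.read_string(text)
    hosts = set()
    for key in ("servers", "wspservers", "popupservers", "clkservers"):
        for url in cp.get("tdlcmd", key, fallback="").split(";"):
            if url:
                hosts.add(urlsplit(url).hostname)
    return sorted(hosts)


# Constructed test data: a shortened copy of the config.ini shown in the writeup.
CONSTRUCTED_CONFIG = """[main]
version=3.241
[tdlcmd]
servers=https://d45648675.cn/;https://d92378523.cn/;https://91.212.226.62/
wspservers=http://b11335599.cn/;http://b00882244.cn/
popupservers=http://m3131313.cn/
clkservers=http://clkmfd001.ws/
"""


def build_sample_image() -> bytes:
    """Constructed 1 MiB image: one partition, then slack holding one hidden sector."""
    image = bytearray(2048 * SECTOR)
    entry = bytes([0x80, 0, 0, 0, 0x07, 0, 0, 0]) + struct.pack("<II", 63, 1900)
    image[446:462] = entry
    image[510:512] = b"\x55\xAA"
    payload = CONSTRUCTED_CONFIG.encode().ljust(SECTOR, b"\x00")
    image[2040 * SECTOR:2041 * SECTOR] = rc4(RC4_KEY, payload)
    return bytes(image)
```

    On a real image, an analyst would call scan_image on the raw bytes and feed each hit's decrypted text (with trailing null padding stripped) to servers_from_config to obtain the addresses to block.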



    Registry subkeys and entries created
    • HKEY_CURRENT_USER\Software\Mozilla\affid=
    • HKEY_CURRENT_USER\Software\Mozilla\subid=
    • HKEY_LOCAL_MACHINE\SOFTWARE\H8SRT\injectors
    • HKEY_LOCAL_MACHINE\SOFTWARE\H8SRT
    • HKEY_LOCAL_MACHINE\SOFTWARE\TDSS
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\H8SRTd.sys
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TDSServ
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TDSServ.sys
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\TDSServ.sys

    Registry subkeys/entries deleted
    No registry keys or entries are deleted.


    Registry subkeys/entries modified (final values given)
    No registry keys or entries are modified.


    3.2 Network activity
    The threat may be controlled remotely by a command-and-control (C&C) server. In particular it may be instructed to download and install various files which are related to other malicious threats.

    The threat may perform the following network activities.

    Downloading
    The following download activities may be performed by the threat:
    • Download, decrypt, and execute files.
    • Download a new configuration file.

    The following domains have been noted to be contacted by this threat:

    The threat may also download other malware threats onto the computer. The downloaded files may use the following prefixes in their file names:
    • UAC
    • EQSUL
    • Gaopdx
    • kbwik
    • rotscx
    • kungs
    • vsf
    • gasfky

    Uploading
    Strings used by the user in search engine queries are gathered and sent to remote computers. The following domains have been noted but are subject to change, since configuration files are updated regularly.

    Other network activity
    The threat will constantly monitor the user's browser activity. It may watch for URLs requested that contain strings for many popular search engines including:
    • google.com
    • yahoo.com
    • bing.com
    • live.com
    • ask.com
    • aol.com
    • google-analytics.com
    • yimg.com

    When it identifies such a URL, it will try to extract the parameters from the URL such as "q=" or "query=". In addition it will also either block or redirect the HTTP request.

    The threat may also query the C&C server by sending it URLs. The C&C server may instruct the threat to perform a range of activities, including injecting JavaScript into the response to redirect the browser to another page, initiating a go-back step in the Web browser, or issuing an HTTP 302 redirect to another page.

    It also parses incoming responses from sent requests to check for any forbidden URLs. Fake content is injected into the response to replace the forbidden content. The response is also checked to see if any pop-up advertisements or misleading application Web sites should be displayed. For example if a user was searching for antivirus or some IT security threat, the Trojan may redirect the browser to visit a site that is hosting a misleading application or a fake antivirus scanner.



    By hijacking the search results in this manner, the threat is exploiting the user's trust in the brand of the search engine that they are using. It also allows the threat to know specifically what the user is looking for and it can then supply convincing and targeted alternatives that can make money for the attackers. The context-sensitive nature of this technique increases the likelihood of its success.


    3.3 Rootkit functionality
    The threat uses an advanced rootkit and stealth techniques that provide highly effective cover from detection. It achieves this by:
    • Hiding its own files in the end sectors of the hard disk, bypassing the traditional file system.
    • Hiding the end sectors of the hard disk; the threat returns a 0-byte buffer when any other applications attempt to access or query the protected sectors.
    • Removing itself from the list of loaded drivers.
    • Infecting the lowest level of drivers and then returning the clean areas of the file when it is read by other processes.



    4. ADDITIONAL INFORMATION
    For more information relating to this threat family, please see the following resources:

    Blog entries on Backdoor.Tidserv

    Recommendations

    Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

    • Use a firewall to block all incoming connections from the Internet to services that should not be publicly available. By default, you should deny all incoming connections and only allow services you explicitly want to offer to the outside world.
    • Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
    • Ensure that programs and users of the computer use the lowest level of privileges necessary to complete a task. When prompted for a root or UAC password, ensure that the program asking for administration-level access is a legitimate application.
    • Disable AutoPlay to prevent the automatic launching of executable files on network and removable drives, and disconnect the drives when not required. If write access is not required, enable read-only mode if the option is available.
    • Turn off file sharing if not needed. If file sharing is required, use ACLs and password protection to limit access. Disable anonymous access to shared folders. Grant access only to user accounts with strong passwords to folders that must be shared.
    • Turn off and remove unnecessary services. By default, many operating systems install auxiliary services that are not critical. These services are avenues of attack. If they are removed, threats have fewer avenues of attack.
    • If a threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
    • Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.
    • Configure your email server to block or remove email that contains file attachments that are commonly used to spread threats, such as .vbs, .bat, .exe, .pif and .scr files.
    • Isolate compromised computers quickly to prevent threats from spreading further. Perform a forensic analysis and restore the computers using trusted media.
    • Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.
    • If Bluetooth is not required for mobile devices, it should be turned off. If you require its use, ensure that the device's visibility is set to "Hidden" so that it cannot be scanned by other Bluetooth devices. If device pairing must be used, ensure that all devices are set to "Unauthorized", requiring authorization for each connection request. Do not accept applications that are unsigned or sent from unknown sources.
    • For further information on the terms used in this document, please refer to the Security Response glossary.


    You may have arrived at this page either because you have been alerted by your Symantec product about this risk, or you are concerned that your computer has been affected by this risk.

    Before proceeding further we recommend that you run a full system scan. If that does not resolve the problem you can try one of the options available below.



    FOR BUSINESS CUSTOMERS
    If you are a Symantec business product user, we recommend you try the following resources to remove this risk.

    Identifying and submitting suspect files
    Submitting suspicious files to Symantec allows us to ensure that our protection capabilities keep up with the ever-changing threat landscape. Submitted files are analyzed by Symantec Security Response and, where necessary, updated definitions are immediately distributed through LiveUpdate™ to all Symantec end points. This ensures that other computers nearby are protected from attack. The following resources may help in identifying suspicious files for submission to Symantec.



    Removal Tool

    If you have an infected Windows system file, you may need to replace it using the Windows installation CD.


    How to reduce the risk of infection
    The following resource provides further information and best practices to help reduce the risk of infection.
    Protecting your business network



    FOR NORTON CUSTOMERS
    If you are a Norton product user, we recommend you try the following resources to remove this risk.

    Removal Tool

    If you have an infected Windows system file, you may need to replace it using the Windows installation CD.


    How to reduce the risk of infection
    The following resources provide further information and best practices to help reduce the risk of infection.



    =============
    MANUAL REMOVAL
    =============
    The following instructions pertain to all current Symantec antivirus products.

    1. Performing a full system scan
    How to run a full system scan using your Symantec product


    2. Restoring settings in the registry
    Many risks make modifications to the registry, which could impact the functionality or performance of the compromised computer. While many of these modifications can be restored through various Windows components, it may be necessary to edit the registry. See the Technical Details section of this writeup for information about which registry keys were created or modified. Delete registry subkeys and entries created by the risk and return all modified registry entries to their previous values.
