W32/Tdibd-C

W32/Tdibd-C is a multi-component rootkit worm for the Windows platform.

When run W32/Tdibd-C creates the following files:

<System>\_tdiserv_\autorun.inf - detected as W32/Tdibd-C
<System>\_tdiserv_\setup.exe - detected as W32/Tdibd-C
<System>\_tdiserv_\reckey.dll - detected as W32/Tdibd-C
<System>\_tdiserv_\tdiupdate.sys - detected as W32/Tdibd-C
<System>\_tdiserv_\_tdicli_.exe - detected as W32/Tdibd-C
<System>\_tdiserv_\config.dat - non-malicious and can be safely deleted
<System>\_tdiserv_\guid.txt - non-malicious and can be safely deleted

W32/Tdibd-C also creates the following folders:
<System>\_tdiserv_\CacheFile
<System>\_tdiserv_\SendFile

W32/Tdibd-C sets the following registry entry to run <System>\_tdiserv_\_tdicli_.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
_tdiserv_
<System>\_tdiserv_\_tdicli_.exe

When run W32/Tdibd-C installs the rootkit <System>\_tdiserv_\tdiupdate.sys as a Windows service with the name "_tdiserv_HOOK" and a description of "TdiHook Update Driverr" and a startup of automatic. Registry entries are created under:

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY__TDISERV_HOOK\
HKLM\SYSTEM\CurrentControlSet\Services\_tdiserv_HOOK\

W32/Tdibd-C also spreads via removable drives by copying itself to <Root>\ms.config\setup.exe and creating the file <Root>\autorun.inf. The file <Root>\autorun.inf (also detected as W32/NTRootK-CD) is designed to run the worm when the removable drive is connected to an uninfected computer.

W32/Tdibd-C uses the file <System>\_tdiserv_\reckey.dll to record keystrokes and mouse movements, storing the information to files under:

<System>\_tdiserv_\CacheFile
<System>\_tdiserv_\SendFile