
TDSS Fake Partition and Internet Redirect

Posted on 1st December 2011

Anyone who does workstation-level tech support may be familiar with a family of Windows malware known as TDSS (also called TDL or Alureon). TDSS is a rootkit that most anti-virus scanners fail to detect, and it can be contracted through a malicious web link or an email attachment. A brief overview of TDSS can be found on the Trend Micro website. Trend Micro is known for both consumer retail products and business-level products that deal with malware, spam and firewalls. Kaspersky, another anti-virus vendor, offers a free tool called TDSSKiller that removes most versions of TDSS. This utility is quick to find and remove TDSS, but a new strain has surfaced that has to be removed manually.

The newest TDSS strain creates a small fake partition on the primary drive, marks that partition active, and writes its own boot sector there. Because the MBR boot code hands control to the active partition's boot sector before Windows ever starts, the partition can re-install the rootkit on every reboot after it has been removed by normal means. It also blocks the execution of TDSSKiller, even when the executable has been renamed.

Update 12/9/11: Another symptom of this strain is that the user's desktop icons and Start menu entries are missing. The rootkit sets the hidden attribute on almost everything under the Documents and Settings folder, and those attributes have to be reset. This can be done by hand. At this time I do not have a program to recommend that does the reset for you, but a quick Google search reveals several possibilities. I also found rogue programs stored in the All Users folder and removed those by hand.

In this removal walkthrough, the client computer was also suffering from an internet redirector that had to be removed by hand. The redirector has been called “Get-Answers-Fast.com”; it redirects links primarily to get-answers-fast.com or to 63.209.69.107. Like the TDSS partition malware, it was not removed by common anti-virus or anti-spyware software. I will cover the manual removal of both the redirector and the new TDSS strain in detail.

NOTE: These directions pertain to Windows XP and have not been tested on Vista or 7.

Preparing:

A few items are needed before removing or inspecting the TDSS and redirect malware:

  • A live CD with partition tools (Ubuntu or Kubuntu with GParted installed for a GUI view of the partition table). Acronis Disk Director is another option.
  • The XP Recovery Console, or another Windows installation, to repair the Master Boot Record.
  • TDSSKiller.exe downloaded from Kaspersky Lab.
  • (OPTIONAL) MbrFix, if you have no way to run the Windows fixmbr command from the Recovery Console. I had to use this utility to fix the boot sector through a Windows 7 install on another computer.

Repair TDSS:

The first step is to verify that the system actually has the partition-based TDSS strain. Press Windows+R to open a Run dialog and enter diskmgmt.msc to bring up the Disk Management console. What you are looking for is a partition that is smaller than 10 MB, has no drive letter assigned, and shows as Active. It is usually shown at the end of the primary drive and may be formatted as FAT. (Do not confuse it with the legitimate System Reserved partition that a Windows 7 installation creates: that one is about 100 MB, also active and also without a drive letter, and sits at the start of the disk.)

Once verified, boot into a partition manager of your choice. I booted an Ubuntu Live CD and started GParted, deleted the 2 MB partition, and set the primary partition active (the one that holds NTLDR and boot.ini, normally the same partition as C:\Windows). Acronis Disk Director is also a great tool for this.
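As an added example (not code from the original post), the following POSIX shell script does the same check from the live CD by decoding sector 0 of the disk directly, independent of Windows. It decodes the four MBR partition-table entries, prints each used one, and flags any partition that is both marked active (status byte 0x80) and smaller than 10 MiB, plus the case where more than one partition is marked active. The 10 MiB threshold, the function names and the embedded sample MBR (an 80 GiB NTFS partition followed by a 2 MiB active FAT16 partition, constructed for the demo) are this example's own assumptions. Run it before deleting the partition, and again after the MBR repair to confirm the entry is gone.

```shell
#!/bin/sh
# Added example, not code from the original post: decode the MBR partition
# table and flag a tiny partition that is marked active (the TDSS pattern).
# Usage on the live CD (read-only, reads one sector):  check_mbr_device /dev/sda
# Threshold, names and the sample MBR below are this example's assumptions.

# awk program shared by the functions below (POSIX awk has no strtonum, so hex
# is converted by hand). Input: one line, the 1024 hex characters of sector 0.
MBR_AWK='
function hex2dec(h,   i, n) {
    n = 0
    for (i = 1; i <= length(h); i++)
        n = n * 16 + index("0123456789abcdef", tolower(substr(h, i, 1))) - 1
    return n
}
# 32-bit little-endian value whose first byte starts at hex position p
function le32(s, p) {
    return hex2dec(substr(s, p+6, 2) substr(s, p+4, 2) substr(s, p+2, 2) substr(s, p, 2))
}
{
    mbr = $0
    if (length(mbr) != 1024) { print "error: need exactly 512 bytes"; exit 2 }
    if (substr(mbr, 1021, 4) != "55aa") { print "error: no 0x55AA boot signature"; exit 2 }
    active = 0; found = 0
    for (e = 0; e < 4; e++) {
        p = 446*2 + e*32 + 1              # entry e starts at byte 446 + 16*e
        status = substr(mbr, p, 2)        # 0x80 = active/bootable
        ptype  = substr(mbr, p+8, 2)      # partition type byte (07 = NTFS, 04/06 = FAT16)
        start  = le32(mbr, p+16)          # first LBA sector
        count  = le32(mbr, p+24)          # size in 512-byte sectors
        if (ptype == "00") continue       # empty slot
        if (status == "80") active++
        flag = ""
        if (status == "80" && count < limit_sectors) { flag = " <-- tiny ACTIVE partition"; found++ }
        printf "entry %d: status=0x%s type=0x%s start=%d sectors=%d (%.1f MiB)%s\n",
               e, status, ptype, start, count, count / 2048, flag
    }
    if (active > 1) { print "warning: more than one partition marked active"; found++ }
    if (found > 0) exit 1
    exit 0
}'

# scan_mbr_hex HEX: HEX is sector 0 as 1024 lowercase hex characters.
# Prints one line per used entry; returns 1 when something looks wrong.
scan_mbr_hex() {
    printf '%s\n' "$1" | awk -v limit_sectors=20480 "$MBR_AWK"   # 20480 sectors = 10 MiB
}

# check_mbr_device DEVICE: read sector 0 of a real disk (root needed on the live CD).
check_mbr_device() {
    hex=$(dd if="$1" bs=512 count=1 2>/dev/null | od -An -v -tx1 | tr -d ' \n')
    scan_mbr_hex "$hex"
}

# Constructed sample MBR: zeroed boot code, an 80 GiB NTFS partition at LBA 63,
# then a 2 MiB FAT16 partition marked active right after it, then the signature.
sample_mbr_hex() {
    boot=$(printf '%0892d' 0)                  # 446 bytes of 0x00
    e0=0001010007feffff3f0000000000000a         # inactive, type 07, LBA 63, 0x0A000000 sectors
    e1=80feffff04feffff3f00000a00100000         # ACTIVE, type 04, LBA 167772223, 4096 sectors
    e2=$(printf '%032d' 0)                      # unused slot
    printf '%s%s%s%s%s55aa' "$boot" "$e0" "$e1" "$e2" "$e2"
}

scan_mbr_hex "$(sample_mbr_hex)"
```

The check is read-only: dd reads a single sector, so it is safe to run on a disk you have not yet repaired. On the sample data the second entry is reported as a 2.0 MiB active partition and the script exits with status 1; after you delete that partition and mark the Windows partition active, the same scan should list only the large NTFS entry and exit 0.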

Once that is done, reboot and see whether Windows boots. In my case I was presented with a network boot prompt, which meant that the master boot record on the physical drive had been corrupted by the rootkit (deleting the partition removes its boot sector, but does not touch the boot code in sector 0). This can be fixed by booting the Windows XP install CD and launching the Recovery Console. Once in the console, after selecting the operating system, enter the command:

fixmbr \Device\HardDisk0

Make sure that HardDisk0 is the correct physical drive; please see this reference for the fixmbr command. fixmbr rewrites only the boot code in the MBR and leaves the partition table alone, so the partitions you set up in GParted are preserved. Once applied, reboot and Windows should load normally. For me, the Recovery Console crashed with a generic hardware error on the laptop. To work around this, I pulled the drive out of the unit, connected it to a Windows 7 tower, and ran the MbrFix program from an administrative command prompt:

MbrFix /drive 1 fixmbr

The command’s reference is here. I used drive 1 because the laptop drive was the second drive on the SATA bus. MbrFix can also list the drives if you are in doubt about which number to use; getting the number wrong rewrites the boot code of the wrong disk.

Once the system is back up, open the Disk Management console again and confirm that the hidden 2 MB partition is gone. Then run TDSSKiller.exe and let it scan the system. It found no threats in my case, but it is worth making sure that an older variant is not also present. If you do not have the redirector mentioned above, you can then proceed with a full scan using the anti-virus of your choice.

Repair the Redirector:

The redirector requires a few files to be deleted from the system. Boot into Windows XP Safe Mode, open Internet Options in the Control Panel, go to the Advanced tab (the last one), click Restore advanced settings and then the Reset button. Make sure the checkbox labelled “Delete personal settings” is checked so that temporary files, cookies and anything else that is not required are deleted. Re-enter your home page afterwards, since this option clears it as well. Favorites are not removed.

Next, open Explorer and delete the following files if they exist (turn on "Show hidden files and folders" first, since Application Data is a hidden folder). Note that qmgr0.dat and qmgr1.dat are the job-queue files of the Background Intelligent Transfer Service (BITS): deleting them discards every queued transfer, including any pending Windows Update download, and BITS re-creates them on the next start.

  • C:\Documents and Settings\All Users\Application Data\mazuki.dll
  • C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
  • C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
  • C:\WINDOWS\system\BCBSMP35.BPL
  • C:\WINDOWS\system32\sstray.exe

Restart the system into normal mode and test-surf in Internet Explorer. Web links should now work normally and should no longer be redirected to get-answers-fast.com or 63.209.69.107. If you are still experiencing redirects, run a Winsock and hosts file reset tool. Trend Micro also has a tool called HijackThis which can help you look for rogue proxy servers.
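Before reaching for a reset tool it helps to see what the hosts file actually contains. As an added example (not code from the original post), the POSIX shell script below audits a Windows hosts file for entries that map names to anything other than a loopback address, and calls out the redirect IP named above explicitly. It handles the CRLF line endings a Windows hosts file has. The mount path, the function names and the sample hosts file (constructed for the demo, with one clean localhost line, one line pointing two names at the redirect IP, and one other non-loopback line) are this example's assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post: audit a Windows hosts file
# for entries that would redirect sites to somewhere other than loopback.
# From the live CD, with the Windows volume mounted at /mnt/win, run e.g.:
#   audit_hosts /mnt/win/WINDOWS/system32/drivers/etc/hosts
# The redirect IP comes from the post; paths, names and the sample file
# below are this example's assumptions.

REDIRECT_IP='63.209.69.107'

# audit_hosts FILE: print every hostname that is mapped to a non-loopback
# address, one "name -> address [reason]" line each; return 1 if any were
# found, 0 if the file only contains comments and loopback entries.
audit_hosts() {
    awk -v bad_ip="$REDIRECT_IP" '
        { sub(/\r$/, ""); sub(/#.*/, "") }          # strip CRLF endings and comments
        NF < 2 { next }                               # blank or address-only lines
        $1 == "127.0.0.1" || $1 == "::1" { next }     # legitimate loopback mappings
        {
            tag = ($1 == bad_ip) ? "KNOWN redirect IP from the post" : "non-loopback mapping"
            for (i = 2; i <= NF; i++) { hits++; printf "%s -> %s [%s]\n", $i, $1, tag }
        }
        END { exit (hits > 0) }
    ' "$1"
}

# make_sample_hosts FILE: write a constructed hosts file with CRLF line endings:
# one clean localhost line, one redirect line and one other non-loopback line.
make_sample_hosts() {
    printf '%s\r\n' \
        '# Copyright (c) 1993-1999 Microsoft Corp.' \
        '127.0.0.1       localhost' \
        '63.209.69.107   www.example.com search.example.net' \
        '10.0.0.5        intranet.example' > "$1"
}

# Stand-alone demo against the constructed file.
sample=$(mktemp)
make_sample_hosts "$sample"
audit_hosts "$sample"
rm -f "$sample"
```

Legitimate non-loopback entries do exist (an intranet name, or an ad-blocking list that maps domains to 0.0.0.0), so treat each hit as something to review rather than delete blindly. Once you have confirmed the entries are rogue, the Winsock and hosts file reset mentioned above restores the default file.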

Final Notes:

This method will only work for the particular TDSS variant and redirector that I came across on the client laptop mentioned above. I always like to run more than just the primary anti-virus software I have installed. Some people have great luck with free programs such as AVG and Malwarebytes Anti-Malware. Your mileage with any of these programs may vary.

Discussion

  1. Chris

    Thank you very much for this.. no idea how, but I suddenly started getting scareware pop-ups last Thursday. Ran MBAM, TDSSKiller and all the tools. It found all the stuff and deleted it, so I thought I was alright.

    A weird thing started happening on Saturday: my computer seemed perpetually frozen on Friday. I can delete icons off my desktop, delete whole files, the whole nine yards. When I reboot, it immediately reverts to how my desktop/computer looked on Friday. I tried booting from the Win7 DVD to fix my startup files, to restore to a point last week and even to format/reinstall Windows: no dice. I even had the Win7 setup unmount/format my C: drive.. when I rebooted, you guessed it, I was back to “Friday”.

    I figure it’s probably using something junction-esque to create visible shortcuts on a fake C: partition. When I delete the items from my desktop, I’m just deleting those shortcuts.. so when I reboot, it just simply restores the shortcuts.

    Your info about the TDSS creating a fake partition w/ MBR filled in the blanks and made sense of what is happening for me. I’m away from home right now, but I’m going to use the Live CD and fix my MBR when I get home tomorrow..

    This is *nasty*: the only inkling I have that something is wrong is that HijackThis hiccups when you try to run it (with a weird registry error message) and my desktop/C: contents seem to be frozen in time (last Friday).
