Backdoor.Tidserv first came to light back in 2008 as a Trojan that uses an advanced rootkit to hide itself. Since then, Symantec has seen many changes to Tidserv and has documented a number of them in earlier blog postings. Yesterday, Symantec came across a new sample of Tidserv for which we have created separate detections as Backdoor.Tidserv.L and Boot.Tidserv.
This new variant of Tidserv is of interest for two main reasons. First, we are now seeing Tidserv inject user-mode code into 64-bit processes on 64-bit editions of Windows; previously, Tidserv targeted only 32-bit operating systems. Although this is not the first threat to inject code into 64-bit processes, it is still a relatively new venture for malware authors. It also demonstrates how the creators of Tidserv are constantly evolving the threat to maximize the range of operating systems it can infiltrate. Secondly, Tidserv now infects the Master Boot Record (MBR) of the compromised computer, allowing it to gain control before the operating system loads. The main Tidserv components are stored, in encrypted form, in unused space at the end of the hard drive, outside any partition. This makes the threat more difficult to detect and remove once a computer is infected. Below is an image of the infected disk:
Again, this is not the first threat to use this technique; in the past we have blogged about other threats, such as Trojan.Mebroot and Trojan.Mebratix, that use similar techniques. In our analysis so far, we found that when infecting a 64-bit edition of Windows, the threat causes the computer to reboot during infection. On reboot, the infected MBR loads Backdoor.Tidserv.L before Windows starts. Analysis of this threat is ongoing and we expect to publish further blog posts shortly, so please stay tuned for updates.
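The two infection traits described above (a modified MBR and encrypted components parked in the unallocated space past the last partition) lend themselves to two offline checks on a raw disk image: compare the 446-byte boot-code area of sector 0 against a trusted copy, and walk the space after the last partition looking for non-zero sectors whose byte entropy is too high to be slack or wiped space. The following is an added example written for this post, not Symantec's own tooling and not a Tidserv signature: the disk image, the partition layout, the "hidden" sectors at LBA 50-52, the 7.0 bits-per-byte threshold and the tampered boot-code bytes are all constructed for illustration.

```python
import hashlib
import math
import struct

SECTOR = 512
PT_OFFSET = 446  # classic MBR: four 16-byte partition entries start here


def parse_partition_table(mbr: bytes) -> list:
    """Parse the four primary entries of a classic (non-GPT) MBR partition table."""
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("sector 0 lacks the 0x55AA boot signature")
    parts = []
    for i in range(4):
        entry = mbr[PT_OFFSET + 16 * i: PT_OFFSET + 16 * (i + 1)]
        # layout: status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
        status, ptype, lba_start, count = struct.unpack("<B3xB3xII", entry)
        if ptype != 0 and count != 0:
            parts.append({"index": i, "bootable": status == 0x80,
                          "type": ptype, "lba_start": lba_start, "sectors": count})
    return parts


def unallocated_tail(parts: list, total_sectors: int) -> tuple:
    """Return (first_lba, length) of the space after the last partition ends."""
    end = max((p["lba_start"] + p["sectors"] for p in parts), default=1)
    return end, max(0, total_sectors - end)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~8.0 for encrypted or compressed data, far lower for zeros or text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in (data.count(b) for b in set(data)))


def scan_unallocated_tail(disk: bytes, total_sectors: int, threshold: float = 7.0) -> dict:
    """List sectors past the last partition that are non-zero and high-entropy."""
    parts = parse_partition_table(disk[:SECTOR])
    start, length = unallocated_tail(parts, total_sectors)
    hits = []
    for lba in range(start, start + length):
        sec = disk[lba * SECTOR:(lba + 1) * SECTOR]
        if any(sec) and shannon_entropy(sec) >= threshold:  # skip wiped sectors
            hits.append(lba)
    return {"tail_start": start, "tail_sectors": length, "suspicious_lbas": hits}


def mbr_code_diff(mbr: bytes, known_good: bytes) -> list:
    """Offsets in the boot-code area that differ from a trusted copy of sector 0.
    The partition table and signature are excluded: they legitimately change."""
    return [i for i in range(PT_OFFSET) if mbr[i] != known_good[i]]


def build_sample_disk() -> tuple:
    """Constructed 64-sector image: one 40-sector partition, three hidden sectors in the tail.
    Returns (infected_image, total_sectors, clean_mbr)."""
    total = 64
    boot_code = bytes([0x33, 0xC0, 0x8E, 0xD0]) + b"\x90" * (PT_OFFSET - 4)  # placeholder code
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x02\x00", 0x07, b"\xFE\xFF\xFF", 1, 40)
    clean_mbr = boot_code + entry + b"\x00" * 48 + b"\x55\xaa"
    disk = bytearray(total * SECTOR)
    disk[:SECTOR] = clean_mbr
    disk[SECTOR:41 * SECTOR] = b"A" * (40 * SECTOR)  # low-entropy stand-in for a filesystem
    # constructed stand-in for an encrypted payload parked past the last partition (LBA 50-52)
    for lba in range(50, 53):
        blob = b"".join(hashlib.sha256(f"{lba}:{i}".encode()).digest() for i in range(16))
        disk[lba * SECTOR:(lba + 1) * SECTOR] = blob
    # constructed tampering of the boot code (not a real Tidserv byte pattern)
    disk[0:2] = b"\xEB\x3C"
    return bytes(disk), total, clean_mbr


if __name__ == "__main__":
    image, total, clean = build_sample_disk()
    print("partitions:", parse_partition_table(image[:SECTOR]))
    print("boot code differs at offsets:", mbr_code_diff(image[:SECTOR], clean))
    print("tail scan:", scan_unallocated_tail(image, total))
```

On a real system the image would be read from the physical device (`\\.\PhysicalDrive0` on Windows) from a clean boot environment rather than from inside the possibly compromised OS, since the rootkit can filter disk reads. High entropy in the tail is a lead, not a verdict: vendor recovery areas and wiped-with-random-data space also score high, so confirm by inspecting the MBR diff and the contents of the flagged sectors.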
As always, Symantec recommends that you keep your definitions up to date in order to ensure protection against these threats and others.