Hengelo, January 19, 2010. Occasionally a new virus appears that is clever enough to completely deceive anti-virus programs. TDL3, a variant of the TDSS rootkit (also known as Alureon), is such a sophisticated virus, and it is causing sleepless nights for anti-virus researchers. The first variant, TDL1, appeared in the summer of 2008 and is still capable of evading detection by many anti-virus programs. In the summer we saw the second variant, TDL2. "The TDL3 is one of the most sophisticated viruses I have seen", according to CEO Mark Loman. "The rootkit is piggybacking on a standard driver to avoid detection by anti-virus programs."
TDL3 first registers itself as a print processor. The printer subsystem (spoolsv.exe), which runs with administrative rights, loads this print processor. Virus scanners that monitor the behavior of processes are not alarmed, because the printer subsystem is a trusted part of Microsoft Windows. Running as a print processor, TDL3 now has full system access rights and infects the low-level system driver that is responsible for communication with the hard drive. When virus scanners check this driver, they are shown the original file, so they are unable to recognize the infection.
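The registration step described above leaves a trace the spooler reads on every start: a subkey under the Print Processors branch of the registry. The following PowerShell script is an added example (not code from the press release or from Hitman Pro) that lists every registered print processor and flags any whose DLL is not the stock winprint.dll, cannot be found on disk, or does not carry a valid Authenticode signature. It assumes an elevated prompt, the standard spooler registry and folder layout, and an `$expected` list that you tune for your environment, since vendor printer drivers legitimately add their own processors.

```powershell
# Added example, not from the press release or from Hitman Pro. Run elevated.
# Assumption: $expected lists the print processor DLLs you consider legitimate.
$expected = @('winprint.dll')
$envRoot  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print\Environments'
$prtprocs = Join-Path $env:SystemRoot 'System32\spool\prtprocs'

function Get-PrintProcessorReport {
    foreach ($envKey in Get-ChildItem -Path $envRoot) {
        # Each environment key (e.g. "Windows x64") names its on-disk subfolder
        # via its "Directory" value (e.g. "x64" or "W32X86").
        $subdir = (Get-ItemProperty -Path $envKey.PSPath).Directory
        $ppKey  = Join-Path $envKey.PSPath 'Print Processors'
        if (-not $subdir -or -not (Test-Path -Path $ppKey)) { continue }
        foreach ($pp in Get-ChildItem -Path $ppKey) {
            # The "Driver" value is the DLL file name the spooler will load
            $dllName = (Get-ItemProperty -Path $pp.PSPath).Driver
            $dllPath = Join-Path (Join-Path $prtprocs $subdir) $dllName
            $reasons = @()
            $hash    = $null
            if ($expected -notcontains $dllName) { $reasons += 'not in expected list' }
            if (Test-Path -Path $dllPath) {
                $sig = Get-AuthenticodeSignature -FilePath $dllPath
                if ($sig.Status -ne 'Valid') { $reasons += "signature $($sig.Status)" }
                $hash = (Get-FileHash -Path $dllPath -Algorithm SHA256).Hash
            } else {
                # A registered processor whose DLL is not visible is itself worth a
                # look: the rootkit hides its files from the running system.
                $reasons += 'DLL not found on disk'
            }
            [pscustomobject]@{
                Environment = $envKey.PSChildName
                Processor   = $pp.PSChildName
                Dll         = $dllPath
                Sha256      = $hash
                Suspicious  = ($reasons.Count -gt 0)
                Reason      = ($reasons -join '; ')
            }
        }
    }
}

Get-PrintProcessorReport | Format-Table -AutoSize
```

Because the infected disk driver can hide files from the running system, a clean result here does not rule out an infection; the check is most trustworthy when the system volume is examined from a separately booted medium.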
TDL3 places an encrypted file system on top of the standard file system, in the last sectors of the hard drive. The encryption ensures that these files cannot be read directly from disk, which prevents anti-virus programs from detecting them. The encrypted file system is used to store other threats that are downloaded from the Internet. "It is like a hotel", says Mark Loman. "Other virus writers can book a room in this 'TDL3-hotel' and use it to hide their virus from anti-virus programs."
The number of infected computers is growing quickly. The latest guest in the TDL3 hotel redirects search engine results to malicious websites, which is why many people refer to it as the Google Redirect Virus. Only a few anti-virus programs detect a TDL3 infection, and the number of anti-virus programs that can remove the infection is nearly zero.
Users can download a free version of Hitman Pro to detect and remove the TDL3 rootkit. Hitman Pro has already cleaned thousands of infected PCs.
Hitman Pro 3 can scan a computer in only a few minutes from a USB flash drive, a CD/DVD, or a local or network-attached hard drive, and will quickly reveal the presence of any malware using a Behavioral Scan. The actual verification of these potential malware files is then done on the Hitman Pro servers, the "Scan Cloud", which incorporates a hosted multi-vendor scanning service. Hitman Pro 3 uses 7 different anti-virus programs to analyze the suspicious files.
Hitman Pro 3 can be used alongside your existing anti-virus program. Scanning your PC is free, so Hitman Pro 3 is an ideal way to check whether your current anti-virus program is protecting you sufficiently. A free version can be downloaded from www.hitmanpro.com.