Now You See Me, Now You Don’t

Backdoor.Tidserv.K
Often when a Trojan arrives on a computer, it saves itself to a specific location. It can save itself on the C: drive, the D: drive, or even somewhere more unusual; for example, in a location with a folder name that it has created itself using random characters. It may then go on to create or modify certain registry entries. It can do this so that it can execute every time your computer starts. Threats may also modify existing registry entries in order to perform devious tasks, such as lowering security settings on the computer by disabling firewalls and antivirus software.
At any rate, it is typical for a threat to leave some trace of itself on the computer, which makes it possible to identify that the threat exists. Having said that, some threats may use a rootkit to hide their presence on a computer, thus making them more difficult to locate.
Recently, however, we detected a threat (Backdoor.Tidserv.K) that performs something of a vanishing act! After arriving on the computer, it proceeds to delete its presence (including some files and a registry subkey) on the computer, thus appearing to have stopped executing. All that remains of the Trojan is a dormant .dll (dynamic link library) file that resides in memory rather than the file system, which takes care of the dirty work.
The file only (continue reading...)

Copyright © 2012 The Security Blog. All rights reserved.