{
	"id": "3545366c-4f0d-419d-aab8-dd42bca37caf",
	"created_at": "2026-04-06T00:21:28.941049Z",
	"updated_at": "2026-04-10T03:21:54.705028Z",
	"deleted_at": null,
	"sha1_hash": "28115fa5229c4ef9e2b890e078b349eba559fb43",
	"title": "W32.Tidserv.G Technical Details | Symantec",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 44664,
	"plain_text": "W32.Tidserv.G Technical Details | Symantec\r\nArchived: 2026-04-02 11:28:00 UTC\r\nWhen the worm executes, it copies itself as the following file:\r\n%Windir%\\Temp\\[RANDOM NUMBERS].tmp\r\nThe worm spreads by copying itself to all drive letters available on the compromised computer, including removable drives and mapped network shares, as the following file:\r\n%DriveLetter%\\RECYCLER\\S-[RANDOM CHARACTERS].com\r\nWhen the above file is executed, the worm creates a mutex and also creates the following new copy of itself:\r\n%DriveLetter%\\RECYCLER\\S-[RANDOM CHARACTERS].com\r\nIt then deletes the original file.\r\nNext, the worm creates the following file so that it runs whenever removable drives are connected to another computer:\r\n%DriveLetter%\\autorun.inf\r\nIt then drops the following file:\r\n%Temp%\\tmp[RANDOM NUMBERS].tmp\r\nNote: The above file is actually a .dll file.\r\nThe threat copies the legitimate file %System%\\msi.dll to %Temp%\\tmp[RANDOM NUMBERS].tmp. The copy of the file is then modified to include some of the worm's own code.\r\nIt then modifies structures in the computer memory to redirect system calls for the MSIserver service to load the modified copy. This will result in the execution of the worm code.\r\nThe worm may then create the following registry entries:\r\nHKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\\"PendingFileRenameOperations\" = \"[RANDOM HEXADECIMAL CHARACTERS]\"\r\nHKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Enum\\Root\\LEGACY_MSISERVER\\0000\\Control\\\"ActiveService\" = \"MSIServer\"\r\nHKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\\"PendingFileRenameOperations\" = \"[RANDOM HEXADECIMAL CHARACTERS]\"\r\nHKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Enum\\Root\\LEGACY_MSISERVER\\0000\\Control\\\"ActiveServi = \"MSIServer\"\r\nThe worm deletes the browser history from the following applications:\r\nFirefox\r\nInternet Explorer\r\nOpera\r\nSafari\r\nChrome\r\nIt then downloads another malicious component using an HTTP POST command to the following address:\r\n94.247.2.107/cgi-bin/generator\r\nhttps://web.archive.org/web/20150923175837/http://www.symantec.com/security_response/writeup.jsp?docid=2009-032211-2952-99\u0026tabid=2\r\nPage 1 of 3\r\nNote: The POST data contains 45 bytes of information on how to encrypt the response. It also serves as authentication to the server so that only the malicious component of the worm can download the payload.\r\nIt saves the above file as the following file and executes it:\r\n%Windir%\\tempo-[RANDOM NUMBERS].tmp\r\nIt changes the DNS settings for all network connections to two of the following IP addresses:\r\n85.255.112.67\r\n85.255.112.170\r\n85.255.112.60\r\n85.255.112.82\r\nThe worm drops a kernel driver to the following location:\r\n%System%\\drivers\\gaopdxserv.sys\r\nNote: The driver is loaded by creating the following registry subkey:\r\nHKEY_LOCAL_MACHINE\\SYSTEM\\currentcontrolset\\services\\gaopdxserv.sys\r\nThe kernel driver removes traces of itself when it is loaded by deleting the following registry subkey:\r\nHKEY_LOCAL_MACHINE\\SYSTEM\\currentcontrolset\\enum\\root\\legacy_gaopdxserv.sys\r\nIt also denies the following processes Internet access:\r\navp.exe\r\nklif.sys\r\nmrt.exe\r\nspybotsd.exe\r\nsasdifsv.sys\r\nsaskutil.sys\r\nsasenum.sys\r\nsuperantispyware.exe\r\nszkg.sys\r\nszserver.exe\r\nmbam.exe\r\nmbamswissarmy.sys\r\npctssvc.sys\r\npctcore.sys\r\nmchinjdrv.sys\r\nThe worm injects the following file into the svchost.exe process:\r\n%SystemDrive%\\system32\\gaopdxl.dll\r\nIt creates the following registry subkey to store data about the worm:\r\nHKEY_LOCAL_MACHINE\\SOFTWARE\\gaopdx\r\nIt hides files and registry subkeys that have the following prefix:\r\ngaopdx\r\nThe worm modifies the DNS entries on the compromised computer. In case of an infection in a Server/Client environment, clients on a compromised network might acquire malicious DNS addresses from an infected server (without actually being infected themselves), redirecting queries to an address controlled by the remote attacker.\r\nThe worm acts as a DHCP server for all computers on the compromised computer's LAN, serving the following malicious DNS addresses to redirect all DNS queries to an address controlled by the remote attacker:\r\n64.86.133.51 (primary)\r\n63.243.173.162 (secondary)\r\nThe worm may also download potentially malicious files onto the compromised computer.\r\nSymantec Security Response encourages all users and administrators to adhere to the following basic security \"best practices\":\r\nSource: https://web.archive.org/web/20150923175837/http://www.symantec.com/security_response/writeup.jsp?docid=2009-032211-2952-99\u0026tabid=2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://web.archive.org/web/20150923175837/http://www.symantec.com/security_response/writeup.jsp?docid=2009-032211-2952-99\u0026tabid=2"
	],
	"report_names": [
		"writeup.jsp?docid=2009-032211-2952-99\u0026tabid=2"
	],
	"threat_actors": [],
	"ts_created_at": 1775434888,
	"ts_updated_at": 1775791314,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/28115fa5229c4ef9e2b890e078b349eba559fb43.pdf",
		"text": "https://archive.orkl.eu/28115fa5229c4ef9e2b890e078b349eba559fb43.txt",
		"img": "https://archive.orkl.eu/28115fa5229c4ef9e2b890e078b349eba559fb43.jpg"
	}
}