W32.Tidserv.G Technical Details | Symantec
Archived: 2026-04-02 11:28:00 UTC

When the worm executes, it copies itself as the following file:
  %Windir%\Temp\[RANDOM NUMBERS].tmp

The worm spreads by copying itself to all drive letters available on the compromised computer, including removable drives and mapped network shares, as the following file:
  %DriveLetter%\RECYCLER\S-[RANDOM CHARACTERS].com

When the above file is executed, the worm creates a mutex and also creates the following new copy of itself:
  %DriveLetter%\RECYCLER\S-[RANDOM CHARACTERS].com

It then deletes the original file.

Next, the worm creates the following file so that it runs whenever removable drives are connected to another computer:
  %DriveLetter%\autorun.inf

It then drops the following file:
  %Temp%\tmp[RANDOM NUMBERS].tmp

Note: The above file is actually a .dll file. The threat copies the legitimate file %System%\msi.dll to %Temp%\tmp[RANDOM NUMBERS].tmp. The copy is then modified to include some of the worm's own code. The worm then modifies structures in memory to redirect system calls for the MSIServer service so that it loads the modified copy, which results in the execution of the worm code.
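The file-system side of the behaviour above (an autorun.inf that launches a RECYCLER\S-*.com file, and a .tmp file in the temp directory that is really a DLL) can be checked offline. The following Python script is an added example written for this writeup, not Symantec's code: it parses autorun.inf the tolerant way (real files mix case and use backslashes in key names), looks for the RECYCLER dropper, and flags tmp[digits].tmp files that start with a PE "MZ" header. The drive root and temp directory it scans are a constructed fixture built in build_fixture(); the file names in it are made up and not taken from the writeup.

```python
"""Scan a drive root and a temp directory for the propagation artifacts
described in this writeup. Added example; the fixture is constructed."""
import os
import re
import tempfile
from pathlib import Path

# autorun.inf keys that cause code execution when the drive is inserted or opened
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command", "shell\\explore\\command")
RECYCLER_COM = re.compile(r"^S-[A-Za-z0-9-]+\.com$", re.IGNORECASE)   # RECYCLER\S-[RANDOM].com
TMP_DLL = re.compile(r"^tmp\d+\.tmp$", re.IGNORECASE)                  # %Temp%\tmp[RANDOM NUMBERS].tmp


def parse_autorun(text):
    """Return {key: value} for the [autorun] section of an autorun.inf.

    A tolerant line parser is used instead of configparser because real
    autorun.inf files mix case, carry stray whitespace and put backslashes
    in key names (shell\\open\\command)."""
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip().strip('"')
    return entries


def autorun_launch_targets(entries):
    """Paths that the autorun.inf would execute, in LAUNCH_KEYS order."""
    return [entries[k] for k in LAUNCH_KEYS if k in entries]


def scan_drive_root(root):
    """Return (indicator, path) findings for one drive root."""
    root, findings = Path(root), []
    autorun = root / "autorun.inf"
    if autorun.is_file():
        entries = parse_autorun(autorun.read_text(errors="replace"))
        for target in autorun_launch_targets(entries):
            if "recycler" in target.replace("/", "\\").lower():
                findings.append(("autorun.inf launches file under RECYCLER", target))
    recycler = root / "RECYCLER"
    if recycler.is_dir():
        for p in recycler.iterdir():
            if p.is_file() and RECYCLER_COM.match(p.name):
                findings.append(("RECYCLER\\S-*.com dropper", str(p)))
    return findings


def scan_temp_dir(temp_dir):
    """Flag tmp[digits].tmp files that are really PE images (start with 'MZ')."""
    findings = []
    for p in Path(temp_dir).iterdir():
        if p.is_file() and TMP_DLL.match(p.name):
            with open(p, "rb") as fh:
                if fh.read(2) == b"MZ":
                    findings.append(("PE image disguised as .tmp", str(p)))
    return findings


def build_fixture(base):
    """Constructed drive root and temp dir mimicking the writeup's layout (demo data)."""
    base = Path(base)
    drive = base / "drive"
    (drive / "RECYCLER").mkdir(parents=True)
    (drive / "RECYCLER" / "S-1-5-21-1234.com").write_bytes(b"MZ" + b"\0" * 64)
    (drive / "autorun.inf").write_text(
        "[autorun]\r\nopen=RECYCLER\\S-1-5-21-1234.com\r\n"
        "shell\\open\\command=RECYCLER\\S-1-5-21-1234.com\r\n"
        "icon=%SystemRoot%\\system32\\shell32.dll,4\r\n")
    temp = base / "Temp"
    temp.mkdir()
    (temp / "tmp4711.tmp").write_bytes(b"MZ" + b"\0" * 64)   # disguised DLL
    (temp / "tmp0001.tmp").write_bytes(b"plain log data")   # benign temp file
    return drive, temp


def demo():
    """Run both scanners over the constructed fixture and return the findings."""
    with tempfile.TemporaryDirectory() as base:
        drive, temp = build_fixture(base)
        return scan_drive_root(drive) + scan_temp_dir(temp)


if __name__ == "__main__":
    for indicator, path in demo():
        print(f"{indicator}: {path}")
```

On a real system you would call scan_drive_root() for each mounted drive letter and scan_temp_dir() on %Temp%; the MZ check is what separates the patched msi.dll copy from ordinary temp files, which is more reliable than matching on the random file name.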
The worm may then create the following registry entries:
  HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\"PendingFileRenameOperations" = "[RANDOM HEXADECIMAL CHARACTERS]"
  HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MSISERVER\0000\Control\"ActiveService" = "MSIServer"
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\"PendingFileRenameOperations" = "[RANDOM HEXADECIMAL CHARACTERS]"
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSISERVER\0000\Control\"ActiveService" = "MSIServer"

The worm deletes the browser history from the following applications:
  Firefox
  Internet Explorer
  Opera
  Safari
  Chrome

It then downloads another malicious component using an HTTP POST request to the following address:
  94.247.2.107/cgi-bin/generator

Note: The POST data contains 45 bytes of information on how to encrypt the response. It also serves as authentication to the server, so that only the malicious component of the worm can download the payload.
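The registry entries above, together with the gaopdx-prefixed keys and the gaopdxserv.sys service described further down in this writeup, can be hunted for in a .reg export. The Python script below is an added example written for this writeup, not Symantec's code. It parses the Windows Registry Editor 5.00 text format (joining hex continuation lines), decodes the REG_MULTI_SZ PendingFileRenameOperations value so the queued paths are readable, and applies three rules. SAMPLE_REG is a constructed export: its hex data, the ImagePath and the Contoso key are made up for the demo.

```python
"""Scan a Windows .reg export for the registry indicators listed in this
writeup. Added example; SAMPLE_REG is constructed demo data."""
import re

SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations"=hex(7):5c,00,3f,00,3f,00,5c,00,43,00,3a,00,5c,00,57,\
  00,69,00,6e,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSISERVER\0000\Control]
"ActiveService"="MSIServer"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys]
"Type"=dword:00000001
"ImagePath"="\\??\\C:\\WINDOWS\\system32\\drivers\\gaopdxserv.sys"

[HKEY_LOCAL_MACHINE\SOFTWARE\gaopdx]
"cfg"=hex:01,02

[HKEY_LOCAL_MACHINE\SOFTWARE\Contoso\Editor]
"LastFile"="C:\\notes.txt"
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')


def parse_reg(text):
    """Yield (key, value_name, raw_value); a key line yields (key, None, None).

    Hex values wrapped over several lines end each line with a backslash;
    those are joined before parsing."""
    lines, pending = [], ""
    for line in text.splitlines():
        stripped = pending + line.strip()
        pending = ""
        if stripped.endswith("\\"):
            pending = stripped[:-1]
            continue
        lines.append(stripped)
    key = None
    for line in lines:
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            yield key, None, None
            continue
        m = VALUE_RE.match(line)
        if m and key:
            yield key, (m.group(1) if m.group(1) is not None else "@"), m.group(3)


def decode_multi_sz(raw):
    """Decode a .reg 'hex(7):..' REG_MULTI_SZ value into its list of strings."""
    if not raw.startswith("hex(7):"):
        return None
    data = bytes(int(b, 16) for b in raw[len("hex(7):"):].split(",") if b)
    return [s for s in data.decode("utf-16-le").split("\0") if s]


def _leaf(key):
    return key.rsplit("\\", 1)[-1].lower()


RULES = [
    ("PendingFileRenameOperations queued in Session Manager (review the paths)",
     lambda key, name, raw: name is not None
         and name.lower() == "pendingfilerenameoperations"
         and key.lower().endswith("\\control\\session manager")),
    ("LEGACY_MSISERVER ActiveService=MSIServer (weak: also set by a normal Windows Installer start)",
     lambda key, name, raw: name is not None
         and name.lower() == "activeservice"
         and "\\enum\\root\\legacy_msiserver\\" in key.lower()
         and (raw or "").strip('"').lower() == "msiserver"),
    ("gaopdx-prefixed key or value (hidden from live queries by the rootkit driver)",
     lambda key, name, raw: _leaf(key).startswith(("gaopdx", "legacy_gaopdx"))
         or (name is not None and name.lower().startswith("gaopdx"))),
]


def scan_reg_export(text):
    """Return [(label, detail)] findings, one per matching key (or value)."""
    findings, seen = [], set()
    for key, name, raw in parse_reg(text):
        for label, match in RULES:
            if not match(key, name, raw):
                continue
            if label.startswith("gaopdx"):
                detail = key                                   # one finding per hidden key
            elif name.lower() == "pendingfilerenameoperations":
                detail = f"{key} -> {' | '.join(decode_multi_sz(raw))}"
            else:
                detail = f"{key} | {name}={raw}"
            if (label, detail) not in seen:
                seen.add((label, detail))
                findings.append((label, detail))
    return findings


if __name__ == "__main__":
    for label, detail in scan_reg_export(SAMPLE_REG):
        print(f"{label}\n    {detail}")
```

Two points a practitioner should keep in mind: PendingFileRenameOperations is also used by legitimate installers for deferred renames, so the decoded paths, not the presence of the value, are what to judge; and because the driver hides gaopdx-prefixed keys on a running system, the export should come from an offline hive (for example after booting from clean media) rather than from regedit on the infected host.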
It saves the above file as the following file and executes it:
  %Windir%\tempo-[RANDOM NUMBERS].tmp

It changes the DNS settings for all network connections to two of the following IP addresses:
  85.255.112.67
  85.255.112.170
  85.255.112.60
  85.255.112.82

The worm drops a kernel driver to the following location:
  %System%\drivers\gaopdxserv.sys

Note: The driver is loaded by creating the following registry subkey:
  HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\services\gaopdxserv.sys

The kernel driver removes traces of itself when it is loaded by deleting the following registry subkey:
  HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\enum\root\legacy_gaopdxserv.sys

It also denies the following processes Internet access:
  avp.exe
  klif.sys
  mrt.exe
  spybotsd.exe
  sasdifsv.sys
  saskutil.sys
  sasenum.sys
  superantispyware.exe
  szkg.sys
  szserver.exe
  mbam.exe
  mbamswissarmy.sys
  pctssvc.sys
  pctcore.sys
  mchinjdrv.sys

The worm injects the following file into the svchost.exe process:
  %SystemDrive%\system32\gaopdxl.dll

It creates the following registry subkey to store data about the worm:
  HKEY_LOCAL_MACHINE\SOFTWARE\gaopdx

It hides files and registry subkeys that have the following prefix:
  gaopdx

The worm modifies the DNS entries on the compromised computer. In the case of an infection in a server/client environment, clients on a compromised network might acquire malicious DNS addresses from an infected server (without actually being infected themselves), redirecting queries to an address controlled by the remote attacker.

The worm acts as a DHCP server for all computers on the compromised computer's LAN, serving the following malicious DNS addresses to redirect all DNS queries to an address controlled by the remote attacker:
  64.86.133.51 (primary)
  63.243.173.162 (secondary)

The worm may also download potentially malicious files onto the compromised computer.
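Because the worm both rewrites the local DNS settings and hands out rogue resolvers over DHCP, a defender wants two checks: the resolver addresses configured on each host, and the DNS servers carried in DHCP OFFER/ACK messages seen on the LAN. The Python script below is an added example written for this writeup, not Symantec's code. It builds constructed DHCP replies (BOOTP header plus options), parses the option field (option 53 message type, 54 server identifier, 6 DNS servers), and raises an alert when the server identifier is not in an authorized set or when any offered resolver is one of the six addresses listed in this writeup. The addresses 192.168.1.x, the transaction id, the client MAC and the authorized-server set are assumptions made for the demo.

```python
"""Check DHCP replies and host resolver settings against the DNS indicators
in this writeup. Added example; packets and addresses are constructed."""
import struct
import ipaddress

# Static resolvers the worm configures, plus the two it serves as a rogue DHCP server
MALICIOUS_DNS = {
    "85.255.112.67", "85.255.112.170", "85.255.112.60", "85.255.112.82",
    "64.86.133.51", "63.243.173.162",
}
MAGIC_COOKIE = b"\x63\x82\x53\x63"
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}


def build_dhcp_reply(msg_type, server_id, yiaddr, dns_servers, lease=3600):
    """Constructed DHCP OFFER/ACK bytes for the demo: 236-byte BOOTP header,
    magic cookie, then options 53, 54, 51, 6 and the end marker."""
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        2, 1, 6, 0, 0x3903F326, 0, 0,               # op=BOOTREPLY, ethernet, xid (assumed)
        b"\0" * 4, ipaddress.IPv4Address(yiaddr).packed, b"\0" * 4, b"\0" * 4,
        bytes.fromhex("001122334455") + b"\0" * 10,  # client MAC (assumed)
        b"\0" * 64, b"\0" * 128)
    options = bytes([53, 1, msg_type])
    options += bytes([54, 4]) + ipaddress.IPv4Address(server_id).packed
    options += bytes([51, 4]) + struct.pack("!I", lease)
    options += bytes([6, 4 * len(dns_servers)])
    options += b"".join(ipaddress.IPv4Address(d).packed for d in dns_servers)
    return header + MAGIC_COOKIE + options + b"\xff"


def parse_dhcp_options(packet):
    """Parse the option field of a DHCP message into {code: bytes}.

    Skips pad (0), stops at end (255), concatenates repeated codes and
    raises ValueError on a truncated packet instead of reading past it."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    opts, i = {}, 240
    while i < len(packet):
        code = packet[i]
        if code == 255:
            break
        if code == 0:
            i += 1
            continue
        if i + 1 >= len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option %d" % code)
        opts[code] = opts.get(code, b"") + value
        i += 2 + length
    return opts


def ip_list(blob):
    """Split an option value holding N IPv4 addresses into dotted strings."""
    return [str(ipaddress.IPv4Address(blob[j:j + 4]))
            for j in range(0, len(blob) - len(blob) % 4, 4)]


def assess_dhcp_reply(packet, authorized_servers):
    """Verdict for one OFFER/ACK: type, server id, DNS servers and alert reasons."""
    opts = parse_dhcp_options(packet)
    msg_type = MSG_TYPES.get(opts.get(53, b"\0")[0], "UNKNOWN")
    ids = ip_list(opts.get(54, b""))
    server_id = ids[0] if ids else None
    dns = ip_list(opts.get(6, b""))
    alerts = []
    if server_id not in authorized_servers:
        alerts.append(f"unauthorized DHCP server identifier {server_id}")
    bad = [d for d in dns if d in MALICIOUS_DNS]
    if bad:
        alerts.append("known Tidserv DNS servers offered: " + ", ".join(bad))
    return {"type": msg_type, "server_id": server_id, "dns": dns, "alerts": alerts}


def check_host_dns(configured):
    """Resolver addresses configured on a host that match the writeup's indicators."""
    return sorted(set(configured) & MALICIOUS_DNS)


def demo():
    """Constructed scenario: the real DHCP server 192.168.1.1 answers, and so
    does an infected host at 192.168.1.50 pushing the two rogue resolvers."""
    good = build_dhcp_reply(2, "192.168.1.1", "192.168.1.77", ["192.168.1.1"])
    rogue = build_dhcp_reply(2, "192.168.1.50", "192.168.1.77", ["64.86.133.51", "63.243.173.162"])
    authorized = {"192.168.1.1"}
    return assess_dhcp_reply(good, authorized), assess_dhcp_reply(rogue, authorized)


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

On a real network the packet bytes would be the UDP payloads of server-to-client DHCP traffic (destination port 68) taken from a capture on the affected segment. Note that the writeup's point about clients picking up the rogue resolvers without being infected themselves is exactly why check_host_dns() belongs in the sweep of every machine on the LAN, not only the one with the driver on it.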
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

Source: https://web.archive.org/web/20150923175837/http://www.symantec.com/security_response/writeup.jsp?docid=2009-032211-2952-99&tabid=2