Antiviruses that failed with the TDSS
Since December 2009 we have been collecting anonymous stats and malware samples from the TDSS Remover users. The following information has been derived from these statistics dated January through March 2010. Note that sending us statistics is optional, so we are probably missing some actual data.
Below is a distribution chart of antivirus programs that were installed on users’ systems at the same time as the TDSS infection.

Actually, we do not deliberately collect antivirus software statistics. These files appear in the reports because some security products block their own files from being read, which triggers the anomaly-based detection mechanism of the TDSS Remover, and that allows us to do some funny counting.
Back to the chart:
* The total percentage of antivirus-equipped systems among all reported cases is 12%, including less than 1% of clean reports.
* Kaspersky products were identified mostly by the fidbox*.* files, which are data indexing storage files, sometimes by encrypted executable files named klick.dat and klin.dat, and also by kernel drivers kl1.sys and klif.sys.
* Avast! is notable for almost a dozen .sys files, all of them blocked from reading and appearing in the Remover’s output.
* Dr.Web has a single blocked file – dwprot.sys.
* Agnitum Outpost has three blocked files: afw.sys, afwcore.sys, and sandbox.sys.
* McAfee was identified by the encryption provider driver derived from SafeBoot.
Notes:
1. An antivirus may fail to detect a particular malware because of obsolete signature databases (a user’s fault). However, that should not be a problem for an antivirus with good heuristics.
2. An antivirus that actually failed to cure the malware will not appear in our statistics unless it implements rootkit-like features.
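The counting described above can be sketched as follows. This is an added example, not the TDSS Remover's own code: it assumes each report is simply a list of file paths that could not be read (a hypothetical layout), and it uses only the file names given in the list above, so Avast! and McAfee, whose files the page does not name, end up among the unattributed entries.

```python
from collections import Counter
from fnmatch import fnmatchcase
from ntpath import basename  # parses Windows paths on any host OS

# File-name patterns taken from the list above. Avast! and McAfee are left out
# because the page does not name their files.
SIGNATURES = {
    "Kaspersky": ["fidbox*.*", "klick.dat", "klin.dat", "kl1.sys", "klif.sys"],
    "Dr.Web": ["dwprot.sys"],
    "Agnitum Outpost": ["afw.sys", "afwcore.sys", "sandbox.sys"],
}

def products_in_report(blocked_paths):
    """Return the set of products whose files appear among the unreadable paths."""
    found = set()
    for path in blocked_paths:
        name = basename(path).lower()  # Windows file names are case-insensitive
        for product, patterns in SIGNATURES.items():
            if any(fnmatchcase(name, p) for p in patterns):
                found.add(product)
    return found

def distribution(reports):
    """Count each product once per report.

    Returns ({product: share in %}, [unreadable files no product explains]).
    """
    counts, unattributed = Counter(), []
    for blocked_paths in reports:
        counts.update(products_in_report(blocked_paths))
        unattributed += [p for p in blocked_paths if not products_in_report([p])]
    total = sum(counts.values())
    shares = {prod: round(100 * n / total, 1) for prod, n in counts.items()} if total else {}
    return shares, unattributed

# Constructed sample: each inner list is one report's unreadable files.
SAMPLE_REPORTS = [
    [r"C:\WINDOWS\system32\drivers\klif.sys", r"C:\WINDOWS\system32\drivers\kl1.sys"],
    [r"C:\WINDOWS\system32\drivers\dwprot.sys"],
    [r"C:\Data\FIDBOX2.DAT", r"C:\WINDOWS\system32\drivers\afw.sys"],
    [r"C:\WINDOWS\system32\drivers\unknown.sys"],
]

if __name__ == "__main__":
    shares, leftover = distribution(SAMPLE_REPORTS)
    print("share of attributed reports:", shares)
    print("unreadable files with no known owner:", leftover)
```

The second return value is the part that matters for triage: an unreadable file that no installed security product accounts for is what the anomaly check exists to surface.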