Free Removal Tool for TDL4 Available Now

The rootkit allows its creators to sell YOUR computer to cyber-criminals

If you have been connected to the pulse of the security world in the past few days, then you probably know that there’s a new bad guy in town, called TDL4. This rootkit-based e-threat is not what you would expect from a regular piece of malware: it is encrypted using custom algorithms, and will stay absolutely hidden on the system after it has successfully infected your system.

More than that, given the fact that it features one of the most advanced rootkits on the market, chances are that most antiviruses will fail to accurately identify it, let alone to remove it. Once run, TDL4 infects the Master Boot Record (MBR), which allows it to load its code before Windows starts up. This approach allows the rootkit to intercept critical system functions. The rootkit can infect both 32- and 64-bit versions of Windows, which makes it particularly more dangerous than other pieces of malware based in accompanied by drivers.

Technical details aside, the piece of malware (which has been around since 2008 and suffered four major upgrades) spreads through pornography websites, as well as through illegal file sharing repositories, where it is disguised as cracks or codecs. Moreover, infections with TDL4 have also been logged on computers that had been previously infected with Zeus bots, which prompts that the latter is responsible for downloading and installing the rootkit.

The rootkit itself has no damaging potential. Instead, it is used by other pieces of malware to conceal their presence on the computer, as well as to gain extra privileges on the operating users. By default, the rootkit comes with two components: a clicker module that allows its creators to stealthily redirect traffic to a variety of websites; a second module, called tdlcmd.dll implements botnet functionality by allowing the malware to receive commands from the botmaster, modify search results to display affiliate links or even abuse advertising programs by generating clicks on banners.

BitDefender has been monitoring the evolution of TDL4/TDSS ever since its emergence, when we offered our first removal tools for this e-threat. Given the developments, we have added detection, removal and disinfection in the BitDefender antimalware solutions, so our customers have been protected against this e-threat since its discovery.

Computer users who are not protected by a BitDefender security solution can download our free removal tool for either 32-bit or 64-bit flavors of Windows.

Download the 32-bit version of the tool

Download the 64-bit version of the tool

“All names and company names mentioned herein are for identification purposes only and are the property of, and may be trademarks of, their respective owners.”

About the author


Bogdan Botezatu is living his second childhood at Bitdefender as senior e-threat analyst. When he is not documenting sophisticated strains of malware or writing removal tools, he teaches extreme sports such as surfing the web without protection or rodeo with wild Trojan horses. He believes that most things in life can be beat with strong heuristics and that antimalware research is like working for a secret agency: you need to stay focused at all times, but you get all the glory when you catch the bad guys.