Hi Umath,

Tell the whole story, and not part of it. Yes, rootkits are malicious applications which help an attacker to disguise trojans & other kinds of malware. The nasty bit is “it is a cloak of invisibility”. After the activation stage, any files designated by the attacker will vanish; this applies to the rootkit itself and to additionally installed files (backdoors). Now comes the interesting part: an AV/AT scanner will be unable to detect the invisible files on this compromised machine. It can hide registry entries and autostart entries, and some even cloak open ports. See the full story here: http://home.arcor.de/scheinsicherheit/rootkits.htm.
To explain more about the level where this takes place: API hooking. See a tool like API Spy. I would like to hear Waldo’s comment on what he sees as a defence against these rootkits. I think the AV scanner must trap the malicious applications before activation.
How are these malicious applications put onto a system?

Greetings,

polonus