A very, very nice catch was made by Dr.Web's analyst team,
and now they successfully detect Win32.Ntldrbot (aka Rustock.C).
Full news on Dr.Web's website: http://info.drweb.com/show/3342/en
… Some anti-virus labs didn't give up seeking the virus. Finally the intensive search gave results. Eighteen months passed before Win32.Ntldrbot was found by analysts of Doctor Web, Ltd. at the beginning of 2008. All this time the rootkit was in the wild, compromising PCs and turning them into bots. Assuming that the malware has been running free and completely invisible since October 2007, one could assess the resulting amount of infected traffic. …
Some features of Win32.Ntldrbot
Sophisticated polymorphic protection of the rootkit makes extraction and analysis extremely difficult.
Implemented as a driver, it runs on the lowest kernel level.
Protects itself, prevents runtime changes.
Uses active anti-debugging techniques: monitors the setting of hardware breakpoints (DR registers), disrupts the operation of kernel-level debuggers (e.g. Syser, SoftIce). The WinDbg debugger won't work if the rootkit is running.
Intercepts system functions using a non-standard method.
Functions as a file virus and infects system drivers.
A particular sample of the rootkit adjusts itself to the hardware of the infected machine and most likely won't run on another computer.
Utilizes a time-triggered reinfection feature: the previously infected file is cured, so the rootkit "wanders" through the system drivers, infecting only one at a time.
Filters calls to the infected file: intercepts the FSD procedures of the file system driver and redirects a call to the original file instead of the infected one.
Features anti-rootkit protection.
Injects its library into one of the Windows system processes, and the library starts spamming. The driver is connected to the DLL using a special command transfer mechanism.
…
That's nasty badware 8)
P.S. Does Avast! detect it yet???