May 12, 2008
As usual, the virus monitoring service of Doctor Web, Ltd. kept a watchful eye over viral activity in April.
No doubt the discovery of a new modification of the malware classified by Dr.Web as BackDoor.MaosBoot became the most notable event of late March and early April. The program belongs to a new class of viruses that combine the features of an MBR virus and a rootkit. BackDoor.MaosBoot mainly targets the computers of end users to obtain sensitive financial information. The virus carries a long list of bank-client applications, and the improved version of the malware uses that list to obtain sensitive information with ease.
In mid-April the virus monitoring service also detected a surge in mailings of the almost forgotten Win32.HLLM.Limar downloader. Though the surge didn't turn into an epidemic, the implication was that spreading of the malware on a larger scale should not be ruled out.
Meanwhile, the event of the month was most certainly the dispelling of the myth that the malware known as Rustock.C didn't exist. The virus monitoring service of Doctor Web, Ltd. actually nailed the long-elusive rootkit, which entered the Dr.Web database as Win32.Ntldrbot. The malicious code is used to turn PCs into spamming bots joined into a vast botnet. Moreover, the captured virus was also capable of remaining completely undetected, and it supposedly did so since October 2007! According to
Some features of Win32.Ntldrbot
Sophisticated polymorphic protection of the rootkit makes extraction and analysis extremely difficult. Implemented as a driver, it runs at the lowest kernel level. It protects itself and prevents runtime changes. It uses active anti-debugging techniques: it monitors the setting of hardware breakpoints (DR registers) and disrupts the operation of kernel-level debuggers (e.g. Syser, SoftIce). WinDbg debugge...
http://info.drweb.com/show/3351?lng=en

April 2008 virus activity review from Doctor Web, Ltd.
Author
News Robot
, May 13 2008 15:29
No replies in this topic