I have tested this malware:
http://news.softpedia.com/news/New-Chinese-Worm-Bypasses-System-Rollback-Software-113677.shtml
http://blog.bkis.com/?p=707

and it's able to bypass both Returnil 2008 and Returnil 2010 (latest beta).

After reboot, the malware is still present in the system partition (c:\safesys.exe is hidden).
This malware steals password, infect pendrive, disables security software, infec system process (spoolsv.exe, etc) and hides his process.

It uses SSDT hooking technique, and manages Ftdisk to access at low level.

I will send this sample to Returnil support tech.

PS
This malware bypass also ShadowDefender.

http://www.pctunerup.com/up/image.php?src=_200907/20090717110122_v1.jpg

http://www.pctunerup.com/up/image.php?src=_200907/20090717110144_v2.jpg

http://www.pctunerup.com/up/image.php?src=_200907/20090717110157_v3.jpg

http://www.pctunerup.com/up//results/_200907/20090717110512_v5a.png

Thanks. Good work. Any snapshots if possible pls.

Hi developers,
We have the sample and its been sent to the team for investigation.

Mike

Good work.Thanks.Will this worm send a e-mail to transmit the password that it steals?

Thanks for the snapshots.

My understanding is that you would have to run as Admin to catch this thing. If you run as limited user then the worm can't load the necessary device drivers etc. for direct disk access.

edit:
PS: How do you know that the sample you tested writes directly to the disk drive? This sounds pretty far fetched to me. And almost all of the online reports I have read are pretty much just quoting one another rather than presenting actual evidence. Does this thing really exist or is it just a hoax?

Did you have Returnil's option to wipe after reboot enabled?

It will not matter.

Delete or erase the virtual partition and make a new one.