Win32.Ntldrbot A.K.A. Rustock.C

Full article here:http://info.drweb.com/

The virus monitoring service of Doctor Web, Ltd. found about 600 samples of the rootkit. Nobody knows how many are remaining. It took several weeks to unpack and analyze the rootkit and to improve the detection technology.

Some features of Win32.Ntldrbot

Sophisticated polymorphic protection of the rootkit makes extraction and analysis extremely difficult.
Implemented as a driver, it runs on the lowest kernel level.
Protects itself, prevents runtime changes.
Uses active anti-debugging techniques: monitors setting hardware breakpoints (DR-registers), disrupts operation of kernel-level debuggers (e.g. Syser, SoftIce). WinDbg debugger won’t work, if the rootkit is running.
Intercepts system functions using non-standard method.
Functions as a file-virus and infects system drivers.
A particular sample of the rootkit becomes adjusts to the hardware of an infected machine and most likely won’t run on another computer.
Utilizes time-triggered reinfection feature. An old infected file is cured. So the rootkit "wonders" through system drivers infecting only one at a time.
Filters calls to an infected file, intercepts FSD-procedures of a file system driver and redirects a call to the original file instead of the infected one.
Features anti-rootkit protection.
Injects its library to one of the Windows system processes, so the library starts spamming. A driver is connected to the DLL using a special command transfer mechanism.

Full article here:http://info.drweb.com/