   AVZ  4.29
   10.02.2008 0:12:21
 :  - 149090,  - 2,   - 55,   09.02.2008 22:28
  : 370
  : 9
    : 68697
 Windows: 5.1.2600, Service Pack 2 ; AVZ    
1.  RootKit  ,   API
1.1   API,   UserMode
  kernel32.dll,      .text
  ntdll.dll,      .text
  user32.dll,      .text
  advapi32.dll,      .text
  ws2_32.dll,      .text
  wininet.dll,      .text
  rasapi32.dll,      .text
  urlmon.dll,      .text
  netapi32.dll,      .text
1.2   API,   KernelMode
 SDT  (RVA=082B80)
  ntoskrnl.exe      804D7000
   SDT = 80559B80
   KiST = 804E2D20 (284)
 NtConnectPort (1F)  (80598C34->F3C7C0D2),  C:\WINDOWS\System32\DRIVERS\cmdmon.sys,    
 NtCreateFile (25)  (8057164C->F3C7E302),  C:\WINDOWS\System32\DRIVERS\cmdmon.sys,    
 NtCreatePort (2E)  (80592699->F3C7C02C),  C:\WINDOWS\System32\DRIVERS\cmdmon.sys,    
 NtCreateSection (32)  (80564B1B->F3C7CAAE),  C:\WINDOWS\System32\DRIVERS\cmdmon.sys,    
 NtCreateThread (35)  (8057F262->F3C7BD12),  C:\WINDOWS\System32\DRIVERS\cmdmon.sys,    
 NtDeleteFile (3E)  (805D8CF7->F3C7DCB0),  C:\WINDOWS\System32\DRIVERS\cmdmon.sys,    
 NtDeleteKey (3F)  (8059D6BD->F3C7CEC0),  C:\WINDOWS\System32\DRIVERS\cmdmon.sys,    
 NtDeleteValueKey (41)  (80597430->F3C7CDDA),  C:\WINDOWS\System32\DRIVERS\cmdmon.sys,    
 NtOpenProcess (7A)  (8057459E->F3C7CB94),  C:\WINDOWS\System32\DRIVERS\cmdmon.sys,    
 NtOpenSection (7D)  (805766CC->F3C7C9E0),  C:\WINDOWS\System32\DRIVERS\cmdmon.sys,    
 NtOpenThread (80)  (80597C0A->F3C7CCB0),  C:\WINDOWS\System32\DRIVERS\cmdmon.sys,    
 NtSetContextThread (D5)  (8062C85B->F3C7BBB4),  C:\WINDOWS\System32\DRIVERS\cmdmon.sys,    
 NtSetInformationFile (E0)  (80579E7E->F3C7DDE0),  C:\WINDOWS\System32\DRIVERS\cmdmon.sys,    
 NtSetValueKey (F7)  (80575527->F3C7C26A),  C:\WINDOWS\System32\DRIVERS\cmdmon.sys,    
 NtShutdownSystem (F9)  (80645BD3->F3C7CFA0),  C:\WINDOWS\System32\DRIVERS\cmdmon.sys,    
 NtTerminateProcess (101)  (8058AE1E->F3C7BF66),  C:\WINDOWS\System32\DRIVERS\cmdmon.sys,    
 NtWriteFile (112)  (8057A125->F3C7E14A),  C:\WINDOWS\System32\DRIVERS\cmdmon.sys,    
 NtWriteFileGather (113)  (805DB3DE->F3C7DFB4),  C:\WINDOWS\System32\DRIVERS\cmdmon.sys,    
 : 284, : 18, : 18
1.3  IDT  SYSENTER
    1
  IDT  SYSENTER 
1.4     
2.  
   : 35
   : 255
3.  
4.  Winsock Layered Service Provider (SPI/LSP)
  LSP .   
5.    // (Keylogger,  DLL)
6.    TCP/UDP,   
7. c  
8.   
>> :     TermService ( )
>> :     Schedule ( )
> :   -           (,     ...)!
>> :     CDROM
>> :       (C$, D$ ...)
>> :      
9.     
 >>    REG 
 : 83029,   : 63838,    0,  - 0
   10.02.2008 0:20:41
!!!  !!!  18  KiST    
      ,     
  00:08:20
            ,
      - http://virusinfo.info