Протокол антивирусной утилиты AVZ версии 4.29
Сканирование запущено в 10.02.2008 0:30:00
Загружена база: сигнатуры - 149090, нейропрофили - 2, микропрограммы лечения - 55, база от 09.02.2008 22:28
Загружены микропрограммы эвристики: 370
Загружены микропрограммы ИПУ: 9
Загружены цифровые подписи системных файлов: 68697
  :   
 : 
Версия Windows: 5.1.2600, Service Pack 2 ; AVZ работает с правами администратора
 : 
1. Поиск RootKit и программ, перехватывающих функции API
1.1 Поиск перехватчиков API, работающих в UserMode
 Анализ kernel32.dll, таблица экспорта найдена в секции .text
 Анализ ntdll.dll, таблица экспорта найдена в секции .text
 Анализ user32.dll, таблица экспорта найдена в секции .text
 Анализ advapi32.dll, таблица экспорта найдена в секции .text
 Анализ ws2_32.dll, таблица экспорта найдена в секции .text
 Анализ wininet.dll, таблица экспорта найдена в секции .text
 Анализ rasapi32.dll, таблица экспорта найдена в секции .text
 Анализ urlmon.dll, таблица экспорта найдена в секции .text
 Анализ netapi32.dll, таблица экспорта найдена в секции .text
1.2 Поиск перехватчиков API, работающих в KernelMode
 Драйвер успешно загружен
 SDT найдена (RVA=082B80)
 Ядро ntoskrnl.exe обнаружено в памяти по адресу 804D7000
   SDT = 80559B80
   KiST = 804E2D20 (284)
 Функция NtConnectPort (1F) перехвачена (80598C34->F3C7C0D2), перехватчик C:\WINDOWS\System32\DRIVERS\cmdmon.sys, драйвер опознан как безопасный
 Функция NtCreateFile (25) перехвачена (8057164C->F3C7E302), перехватчик C:\WINDOWS\System32\DRIVERS\cmdmon.sys, драйвер опознан как безопасный
 Функция NtCreatePort (2E) перехвачена (80592699->F3C7C02C), перехватчик C:\WINDOWS\System32\DRIVERS\cmdmon.sys, драйвер опознан как безопасный
 Функция NtCreateSection (32) перехвачена (80564B1B->F3C7CAAE), перехватчик C:\WINDOWS\System32\DRIVERS\cmdmon.sys, драйвер опознан как безопасный
 Функция NtCreateThread (35) перехвачена (8057F262->F3C7BD12), перехватчик C:\WINDOWS\System32\DRIVERS\cmdmon.sys, драйвер опознан как безопасный
 Функция NtDeleteFile (3E) перехвачена (805D8CF7->F3C7DCB0), перехватчик C:\WINDOWS\System32\DRIVERS\cmdmon.sys, драйвер опознан как безопасный
 Функция NtDeleteKey (3F) перехвачена (8059D6BD->F3C7CEC0), перехватчик C:\WINDOWS\System32\DRIVERS\cmdmon.sys, драйвер опознан как безопасный
 Функция NtDeleteValueKey (41) перехвачена (80597430->F3C7CDDA), перехватчик C:\WINDOWS\System32\DRIVERS\cmdmon.sys, драйвер опознан как безопасный
 Функция NtOpenProcess (7A) перехвачена (8057459E->F3C7CB94), перехватчик C:\WINDOWS\System32\DRIVERS\cmdmon.sys, драйвер опознан как безопасный
 Функция NtOpenSection (7D) перехвачена (805766CC->F3C7C9E0), перехватчик C:\WINDOWS\System32\DRIVERS\cmdmon.sys, драйвер опознан как безопасный
 Функция NtOpenThread (80) перехвачена (80597C0A->F3C7CCB0), перехватчик C:\WINDOWS\System32\DRIVERS\cmdmon.sys, драйвер опознан как безопасный
 Функция NtSetContextThread (D5) перехвачена (8062C85B->F3C7BBB4), перехватчик C:\WINDOWS\System32\DRIVERS\cmdmon.sys, драйвер опознан как безопасный
 Функция NtSetInformationFile (E0) перехвачена (80579E7E->F3C7DDE0), перехватчик C:\WINDOWS\System32\DRIVERS\cmdmon.sys, драйвер опознан как безопасный
 Функция NtSetValueKey (F7) перехвачена (80575527->F3C7C26A), перехватчик C:\WINDOWS\System32\DRIVERS\cmdmon.sys, драйвер опознан как безопасный
 Функция NtShutdownSystem (F9) перехвачена (80645BD3->F3C7CFA0), перехватчик C:\WINDOWS\System32\DRIVERS\cmdmon.sys, драйвер опознан как безопасный
 Функция NtTerminateProcess (101) перехвачена (8058AE1E->F3C7BF66), перехватчик C:\WINDOWS\System32\DRIVERS\cmdmon.sys, драйвер опознан как безопасный
 Функция NtWriteFile (112) перехвачена (8057A125->F3C7E14A), перехватчик C:\WINDOWS\System32\DRIVERS\cmdmon.sys, драйвер опознан как безопасный
 Функция NtWriteFileGather (113) перехвачена (805DB3DE->F3C7DFB4), перехватчик C:\WINDOWS\System32\DRIVERS\cmdmon.sys, драйвер опознан как безопасный
Проверено функций: 284, перехвачено: 18, восстановлено: 0
1.3 Проверка IDT и SYSENTER
 Анализ для процессора 1
Проверка IDT и SYSENTER завершена
1.4 Поиск маскировки процессов и драйверов
      
2. Проверка памяти
 Количество найденных процессов: 34
 -   1780 C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
[ES]:    
 -   1912 C:\WINDOWS\system32\UStorSrv.exe
[ES]:   
[ES]:    
[ES]:   
 -   324 C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
[ES]:    
[ES]:   !!
 Количество загруженных модулей: 252
Проверка памяти завершена
3. Сканирование дисков
4. Проверка Winsock Layered Service Provider (SPI/LSP)
 Настройки LSP проверены. Ошибок не обнаружено
5. Поиск перехватчиков событий клавиатуры/мыши/окон (Keylogger, троянские DLL)
6. Поиск открытых портов TCP/UDP, используемых вредоносными программами
 Проверка отключена пользователем
7. Эвристическая проверка системы
Проверка завершена
8. Поиск потенциальных уязвимостей
>> Службы: разрешена потенциально опасная служба TermService (Terminal Services)
>> Службы: разрешена потенциально опасная служба Schedule (Планировщик заданий)
> :   -           (,     ...)!
>> Безопасность: разрешен автозапуск программ с CDROM
>> Безопасность: разрешены административные шары (C$, D$ ...)
>> Безопасность: к ПК разрешен доступ анонимного пользователя
Проверка завершена
9. Мастер поиска и устранения проблем
 >>    REG 
Проверка завершена
Просканировано файлов: 286, извлечено из архивов: 0, найдено вредоносных программ 0, подозрений - 0
Сканирование завершено 10.02.2008 0:30:21
Сканирование длилось 00:00:22
Если у Вас есть подозрение на наличие вирусов или вопросы по заподозренным объектам,
то Вы можете обратиться на конференцию - http://virusinfo.info
  
  
