Dear forum members,
Polonus found the following text.
"Most rootkits will be in the Non Plug and Play devices and COM3 or the IPX/SPX protocol are two I have found more than once.
What that device driver does is to mask a string by intercepting all API calls to the O/S, thereby hiding the process, registry entries, and files containing that string. The string itself is configured by the author so, for example, if the string is BIG_BAD_FELLOW, any entry containing that string will be hidden.
Clobber the rootkit device driver and BIG_BAD_FELLOW will magically appear.
What is needed now is a central resource for verifying
the devices used and that, as far as I have been able to discover, is not existing.
Will some service step up to the plate and provide one?
One newer variant installs itself as a font rather than a device, because the rootkit had left an installation log".
Comment to above text please,
polonus
