Gurong.A - New MyDoom variant using Rootkit techniques - Security Protection

Common Tasks

Community

Email Notifications

Personal Links

Security Protection - Harry Waldron (CS)

Security Best Practices, Breaking News, & Updates

Gurong.A - New MyDoom variant using Rootkit techniques

The latest version of the MyDoom virus may now be using rootkit techniques to stay hidden better from AV software. Developments should be carefully watched.

Gurong.A - New MyDoom variant using Rootkit techniques
http://www.f-secure.com/v-descs/gurong_a.shtml
http://www.f-secure.com/weblog/archives/archive-032006.html#00000838

QUOTE: Yesterday we received an interesting email-worm sample, detected as Gurong.a, that uses rootkit techniques to hide its file, process and launch point in the registry. It is based on the infamous Mydoom code and it is in the wild but currently spreading very slowly.

Gurong.a modifies the operating system kernel, specifically the system service table and process object structures, so it is a kernel-mode rootkit. What makes it different from other kernel-mode rootkits we have seen is the way it installs the rootkit payload into kernel. Often malware uses a special purpose driver or the physical memory device to modify the kernel from user mode.

F-Secure's Blacklight Tool helps find Rootkits
http://www.f-secure.com/blacklight/

Posted: Mar 23 2006, 11:21 AM by Harry Waldron | with no comments

Questions? Contact Susan at Susan-at-msmvps.com. Each post's copyright held by the original author. All rights reserved. Blog site is an independent site not sponsored by Microsoft.
Our servers would like to thank www.ownwebnow.com and www.exchangedefender.com. We wouldn't be here without the generosity of Vlad Mazek and his companies.

Powered by Community Server (Commercial Edition), by Telligent Systems

Theme based on the Paperclip Blog Theme included in Community Server.
Enhanced to a Site-Wide Theme by Interscape Technologies.