Mailbot.AZ - manipulates NTFS ADS and includes kernel mode root kit

This new threat uses advanced techniques to hide it's presence on an infected system.

Mailbot.AZ - manipulates NTFS ADS and includes kernel mode root kit
http://www.f-secure.com/weblog/archives/archive-062006.html#00000907

QUOTE:  Many of our readers have probably heard of Alternate Data Streams (ADS) on NTFS. They're not that well documented and there are only a few tools that can actually handle them. Lately we've been looking at variants of the Mailbot family that use hidden streams to hide themselves.

Let's take Mailbot.AZ (aka Rustock.A) as an example. There's only a single component lying on the disk, and that is a kernel-mode driver. It's stored as hidden data stream attached to the system32 folder (yes, folders can have data streams as well)! Saving your data into Alternate Data Streams is usually enough to hide from many tools. However, in this case, the stream is further hidden using rootkit techniques, which makes detection and removal quite challenging. Because Mailbot.AZ is hiding something that's not readily visible, it's very likely that many security products will have a tough time dealing with this one.

We've just released a new version of our BlackLight rootkit scanner (Build 2.2.1041) that can detect current variants of Mailbot.

Mailbot.AZ is a kernel-mode rootkit that modifies the kernel to hide its presence on the compromised system. It contains an encrypted payload that will be executed in the context of  a process named "services.exe". The payload is a Spamtool with backdoor capabilities