Security Protection - Harry Waldron (CS)

Security Best Practices, Breaking News, & Updates

TDL3 64 bit Windows Rootkit - Additional Information

Computerworld and Symantec offer additional write-ups on this new threat to 64-bit Windows systems, including Windows 7, whose kernel safeguards (driver signature enforcement and PatchGuard) were meant to keep unsigned code out of the kernel. Once the TDL3 dropper runs, it forces an immediate reboot. The rootkit installs itself during that reboot, before Windows starts, by overwriting the Master Boot Record (MBR), so its code runs ahead of the operating system's own loader.
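Because the rootkit lives in the bootstrap area of the MBR rather than in a Windows driver, the practical check is an integrity baseline of that sector. The example below is added here for illustration and is not code from the original post or from either vendor: it parses a 512-byte MBR, hashes only the 440-byte bootstrap region (the partition table can change legitimately), and reports when that region no longer matches a previously recorded hash. The sample sector, the baseline and the "tampered" copy are all constructed in the script; the patched bytes are a placeholder for any MBR-overwriting bootkit and are not TDL3's actual code.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_SIZE = 440           # bytes 0-439: bootstrap code the BIOS jumps into
DISK_SIG_OFFSET = 440          # bytes 440-443: 32-bit Windows disk signature
PARTITION_TABLE_OFFSET = 446   # bytes 446-509: four 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510-511 must be 0x55 0xAA


def parse_mbr(sector: bytes) -> dict:
    """Split one 512-byte sector into its MBR fields."""
    if len(sector) != MBR_SIZE:
        raise ValueError(f"MBR must be {MBR_SIZE} bytes, got {len(sector)}")
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype:  # type 0x00 marks an unused slot
            partitions.append({"active": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": sectors})
    return {
        "boot_code": sector[:BOOT_CODE_SIZE],
        "disk_signature": struct.unpack_from("<I", sector, DISK_SIG_OFFSET)[0],
        "partitions": partitions,
        "boot_signature_ok": sector[510:512] == BOOT_SIGNATURE,
    }


def boot_code_hash(sector: bytes) -> str:
    """SHA-256 of the bootstrap code region only; partition-table edits are not flagged."""
    return hashlib.sha256(sector[:BOOT_CODE_SIZE]).hexdigest()


def check_mbr(sector: bytes, baseline_hash: str) -> list:
    """Return a list of findings; an empty list means the sector matches the baseline."""
    mbr = parse_mbr(sector)
    findings = []
    if not mbr["boot_signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if boot_code_hash(sector) != baseline_hash:
        findings.append("bootstrap code differs from recorded baseline")
    if not any(p["active"] for p in mbr["partitions"]):
        findings.append("no active partition")
    return findings


def read_physical_mbr(device=r"\\.\PhysicalDrive0") -> bytes:
    """Read the first sector of a raw disk (needs administrator rights on Windows)."""
    with open(device, "rb") as disk:
        return disk.read(MBR_SIZE)


def build_sample_mbr() -> bytes:
    """Constructed clean MBR: a short boot stub, NOP padding, one active NTFS partition."""
    boot_code = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * (BOOT_CODE_SIZE - 7)
    disk_sig = struct.pack("<I", 0x1234ABCD) + b"\x00\x00"   # signature + 2 reserved bytes
    part0 = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07,
                        b"\xfe\xff\xff", 2048, 1_000_000)
    table = part0 + b"\x00" * 48                                # three empty slots
    return boot_code + disk_sig + table + BOOT_SIGNATURE


def simulate_boot_code_overwrite(sector: bytes) -> bytes:
    """Constructed tamper case: divert the first instruction of the boot stub.
    Placeholder bytes standing in for any MBR-overwriting bootkit, not TDL3's code."""
    patched = bytearray(sector)
    patched[0:3] = b"\xe9\x00\x01"   # jmp near +0x100 (arbitrary target)
    return bytes(patched)


if __name__ == "__main__":
    clean = build_sample_mbr()
    baseline = boot_code_hash(clean)        # record this while the disk is known-good
    print("clean:   ", check_mbr(clean, baseline))
    print("tampered:", check_mbr(simulate_boot_code_overwrite(clean), baseline))
```

Record the baseline hash while the machine is known-good and keep it off the host. Run the comparison from boot media or another system where possible: as the quoted article notes, an MBR rootkit that is already resident can hide from the running operating system, and one that filters disk I/O can hand back the original sector to anything that reads `\\.\PhysicalDrive0` from inside Windows.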

TDL3 64 bit Windows Rootkit - Additional Information
http://www.computerworld.com/s/article/9182238/Rootkit_with_Blue_Screen_history_now_targets_64_bit_Windows
http://www.symantec.com/connect/fr/blogs/tidserv-64-bit-goes-hiding
http://www.symantec.com/security_response/writeup.jsp?docid=2008-091809-0911-99

QUOTE: The new rootkit sidesteps two important anti-rootkit protections Microsoft built into 64-bit Windows: Kernel Mode Code Signing and Kernel Patch Protection, also known as PatchGuard. The pair are designed to make it more difficult for malware to tamper with the operating system's kernel.

"To bypass Kernel Patch Protection and driver signature verification, the rootkit is patching the hard drive's master boot record so that it can intercept Windows' start-up routines, own it and load its driver," Giuliani said. Rootkits that overwrite the hard drive's master boot record (MBR), where code is stored to bootstrap the operating system after the computer's BIOS does its start-up checks, are essentially invisible to the operating system and security software.

TDL3 rootkit x64 goes in the wild
http://www.prevx.com/blog/154/TDL-rootkit-x-goes-in-the-wild.html