[Dshield] Rootkits All Around: Universal Music Has It, Too

Tim Hollebeek tholleb at teknowledge.com
Wed Nov 2 20:58:07 GMT 2005


> No reports *yet*.  The mere fact that it's a free cloaking 
> device for any file with a name that starts with '$sys$' is 
> going to attract the malware writers - and there's bound to 
> be other goodies yet to be revealed.

Filenames aren't the only attractive part.  Imagine the effects
of the registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\$sys$startup

And the fact that anti-spyware tools won't be able to see that key.

-Tim



