Windows system file patching by ecard rootkit
As we know, the (in)famous ecard worm drops a rootkit that hides the presence of its files. The rootkit comprises two files, one of which is the driver spooldr.sys. The dropper, ecard.exe, patches genuine Windows system files so that they load this driver.
One variant of the ecard worm patches the tcpip.sys file and adds code that loads its driver whenever tcpip.sys itself is loaded. Here's a screenshot, which shows

Here's a screenshot showing a hex view of the patched tcpip.sys. It can be observed that there is a reference to the rootkit driver (spooldr.sys).
Instead of using the traditional approach to loading a driver (i.e. registering spooldr.sys as a driver and having Windows load it during startup), this rootkit makes use of Windows system files to load itself! However, the patched driver can be detected by the sigverif tool, and moreover most AVs detect patched system drivers as malicious files.