Happy-2008 seems to be a new piece of malware, created for the New Year. It spreads as a plain executable, neither packed nor protected with PE tricks, and is downloaded from an e-card web site. At the moment AVs do not seem to detect it; only a few flag it as a "Suspect-Zipped-File".

.:: The Essay :..

The dropper retrieves the system directory and then uses \system32 as its working directory. Next, with GetFullPathNameA, it obtains "C:\WINDOWS\System32\init_sys.config". If the file exists it tries to read its attributes, otherwise it creates the file:

0040126A PUSH EBX ; /hTemplateFile => NULL
0040126B PUSH 80 ; |Attributes = NORMAL
00401270 PUSH 2 ; |Mode = CREATE_ALWAYS
00401272 PUSH EBX ; |pSecurity => NULL
00401273 PUSH 7 ; |ShareMode = FILE_SHARE_READ|FILE_SHARE_WRITE|4
00401275 PUSH 40000000 ; |Access = GENERIC_WRITE
0040127A LEA EAX,DWORD PTR SS:[EBP-114] ; |
00401280 PUSH EAX ; |FileName = "C:\WINDOWS\System32\init_sys.config"
00401281 CALL DWORD PTR DS:[<&KERNEL32.CreateFile>; \CreateFileA

(The bare "4" in the ShareMode comment is FILE_SHARE_DELETE, so the file is opened with all three share flags.)

00401293 PUSH ESI ;Points to an Embedded Executable
00401294 PUSH EDI
00401295 MOV EDI,DWORD PTR DS:[<&KERNEL32.WriteFi>; kernel32.WriteFile
0040129B PUSH 0
0040129D LEA EAX,DWORD PTR SS:[EBP-C] ;System Path
004012A0 PUSH EAX
004012A1 LEA ESI,DWORD PTR DS:[EBX+422A98] ; [config] String
004012A7 PUSH DWORD PTR DS:[ESI]

The file "init_sys.config" is created and filled with three section headers:

[config]
[local]
[peers]

Afterwards a series of values is appended to this config file, immediately after [peers]; they have this form:

00003D6C8F338A3FDD3DF3648666F55C=0CCFC042170F00

0040132D CALL happy-20.0040122D ;Builds init_sys.config and fills it
00401332 LEA ECX,DWORD PTR SS:[EBP-8]
00401335 CALL happy-20.004016E8
...
00401351 CALL happy-20.00401634 ;EAX = String obtained from GetSystemTime output
...
After some calls, EAX points to a new string, "init_1a30-12f1":

00401391 PUSH EAX ; /pFilenameInPath
00401392 PUSH DWORD PTR SS:[EBP-8] ; |Path
00401395 PUSH EBX ; |MaxPathSize
00401396 PUSH DWORD PTR SS:[EBP-4] ; |FileName
00401399 CALL DWORD PTR DS:[<&KERNEL32.GetFullPat>; \GetFullPathNameA
0040139F PUSH happy-20.004020D4 ; ASCII ".sys"
004013A4 LEA ECX,DWORD PTR SS:[EBP-8]
004013A7 CALL happy-20.00401108

Inside the call at 00401108 a new string is assembled, "init_1a30-12f1.sys". Note that the numeric part of the .sys file name changes at every run, because it is derived from the GetSystemTime output.

004013B1 PUSH ESI ;NULL
004013B2 PUSH ESI ;NULL
004013B3 CALL OpenSCManagerA
004013B9 CMP EAX,ESI
004013BB MOV DWORD PTR SS:[EBP-C],EAX
004013BE JE happy-20.004014D9

After opening the Service Control Manager on the local host, the installed services are enumerated and each one is checked:

00401407 PUSH DWORD PTR SS:[EBP-18] ; /Arg3
0040140A PUSH EDI ; |Arg2
0040140B PUSH DWORD PTR DS:[EBX] ; |Arg1 = 0012FE62 ASCII "Abiosdsk"
0040140D CALL happy-20.00401579 ; \happy-20.00401579

This call compares the service names present on the system (Abiosdsk, abp480n5, ACPI, adpu16, etc.) against the prefix 'init_'. After this check GetLastError is called:

0040142E JNZ SHORT happy-20.0040143D
00401430 CALL GetLastError
00401436 CMP EAX,0EA
0040143B JE SHORT happy-20.004013D1

0xEA is ERROR_MORE_DATA, which the service enumeration API returns while more entries remain to be fetched, so the jump back to 004013D1 simply continues the enumeration loop.

If a service with that prefix already exists and is running, happy_2008's work ends here. Otherwise a copy of a device driver is extracted from the executable and started as a kernel service. I extracted that device driver with a hex editor: it starts at 00403018 and ends at 00424FF8. This rootkit hides itself, but what it actually does we will discover in the next part :)
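As an added illustration (not code from the original post, nor from the malware itself), the following Python turns the three observations above into a small triage module: a parser for the [config]/[local]/[peers] layout of init_sys.config, the same 'init_' prefix test the dropper applies to service names, and a carver that locates the embedded driver by walking the PE section table instead of cutting it out by hand in a hex editor. The sample config text, the service list and the toy PE are constructed for the example; the carver is generic (it finds any embedded PE, not only this one) and computes the image length from SizeOfRawData/PointerToRawData of the sections, so an overlay appended after the last section is not included.

```python
"""Triage helpers for the Happy-2008 dropper: init_sys.config parsing, the
'init_' service-name indicator, and carving an embedded driver PE."""
import re
import struct

# 1. init_sys.config ---------------------------------------------------------
# Constructed sample in the layout the analysis describes: the three section
# headers, then <32 hex>=<hex> peer entries appended after [peers].
SAMPLE_CONFIG = """[config]
[local]
[peers]
00003D6C8F338A3FDD3DF3648666F55C=0CCFC042170F00
"""

# 32 hex digits on the left is what the one observed entry shows; the value
# length is not assumed (the sample has 14 digits, others may differ).
PEER_RE = re.compile(r"^[0-9A-Fa-f]{32}=[0-9A-Fa-f]+$")


def parse_init_sys_config(text):
    """Return {section: [(key, value), ...]} for the INI-like init_sys.config."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, [])
            continue
        if current is None:
            raise ValueError("entry before any section header: %r" % line)
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError("malformed entry: %r" % line)
        sections[current].append((key, value))
    return sections


def peer_ids(sections):
    """Keys of [peers] entries that have the hex=hex shape seen in the sample."""
    return [k for k, v in sections.get("peers", []) if PEER_RE.match(k + "=" + v)]


# 2. service-name indicator --------------------------------------------------
def suspicious_services(names):
    """Mirror the dropper's own check: any service whose name starts with 'init_'."""
    return [n for n in names if n.lower().startswith("init_")]


# 3. carving the embedded driver ---------------------------------------------
def carve_embedded_pe(buf, start=0):
    """Find the first well-formed PE at or after `start`; return (offset, length)
    or None. Length = end of the last raw section, i.e. what a loader needs."""
    pos = buf.find(b"MZ", start)
    while pos != -1:
        if pos + 0x40 <= len(buf):
            e_lfanew, = struct.unpack_from("<I", buf, pos + 0x3C)
            pe = pos + e_lfanew
            if 0x40 <= e_lfanew < 0x1000 and buf[pe:pe + 4] == b"PE\0\0" and pe + 24 <= len(buf):
                nsec, = struct.unpack_from("<H", buf, pe + 6)       # NumberOfSections
                opt_size, = struct.unpack_from("<H", buf, pe + 20)  # SizeOfOptionalHeader
                first_section = pe + 24 + opt_size
                end = 0
                for i in range(nsec):
                    hdr = first_section + i * 40                    # IMAGE_SECTION_HEADER
                    if hdr + 40 > len(buf):
                        end = 0
                        break
                    raw_size, raw_ptr = struct.unpack_from("<II", buf, hdr + 16)
                    end = max(end, raw_ptr + raw_size)
                if end and pos + end <= len(buf):
                    return pos, end
        pos = buf.find(b"MZ", pos + 1)
    return None


def build_toy_pe(payload):
    """Constructed minimal PE (DOS header, COFF header, PE32 optional header,
    one section) so the carver can be exercised offline. It is not a real driver."""
    opt_size, raw_ptr = 0xE0, 0x200
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)          # PE32 magic
    sec = b".text\0\0\0" + struct.pack("<IIIIIIHHI", len(payload), 0x1000,
                                        len(payload), raw_ptr, 0, 0, 0, 0, 0x60000020)
    headers = dos + coff + opt + sec
    return headers + b"\0" * (raw_ptr - len(headers)) + payload


if __name__ == "__main__":
    print(peer_ids(parse_init_sys_config(SAMPLE_CONFIG)))
    print(suspicious_services(["Abiosdsk", "ACPI", "init_1a30-12f1"]))
    dropper = b"\x90" * 100 + build_toy_pe(b"driver-code-bytes") + b"overlay"
    print(carve_embedded_pe(dropper))
```

To use the carver on the real sample, read the dropper from disk and pass the bytes to carve_embedded_pe; the returned slice can be written out as the .sys file for the next part of the analysis.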