.:: Happy_2008 Reversing #2 ::.

In the last days Happy2008 has had a wide diffusion, and it is now detected by most AVs under the name Win32.Zhelatin.

The first traces can be seen in the Registry (as for every Service):

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\init_xxxx-xxx]
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\init_xxxx-xxx]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\init_xxxx-xxx]

DisplayName is the effective name of the Service; the physical driver executable is hidden at

    \??\C:\WINDOWS\System32\init_1056-4270.sys

so the .sys file is physically invisible on disk.

Now we will disassemble the Rootkit. The copy of the SYS file that I extracted is not packed, but a friend of mine, ZaiRoN, pointed out to me that packed versions of the driver also exist.

First the NtBuildNumber is checked: if it differs from 3790 the driver bails out. The device is created with the name "\\Device\\DRV_MODULE_DRV" and the SymbolicLinkName "\\DosDevices\\DRV_MODULE_DRV", and next, by using PsCreateSystemThread, a multi-thread structure is created. The quickest way to locate the thread routines is to look at the StartRoutine parameter, which represents the entry point of a driver thread.
    StartRoutine: 00010526
    StartRoutine: 00010EF2

[First Thread] 00010526

    00010532 push offset SourceString ; "\\BaseNamedObjects\\unrjeuurut"
    00010537 lea eax, [ebp+EventName]
    0001053A push eax ; DestinationString
    0001053B mov dword ptr [ebp+Timeout], 0FD050F80h
    00010542 call ds:RtlInitUnicodeString
    00010548 lea eax, [ebp+Handle]
    0001054B push eax ; EventHandle
    0001054C lea eax, [ebp+EventName]
    0001054F push eax ; EventName
    00010550 call ds:IoCreateNotificationEvent

This creates a notification event called \\BaseNamedObjects\\unrjeuurut.

    00010566 call sub_106B0
    0001056B call sub_10BB4
    00010570 call sub_108BC

Inside sub_106B0, memory write protection is toggled with

    push eax
    mov eax, CR0
    and eax, 0FFFEFFFFh
    mov CR0, eax
    pop eax

(the AND mask clears bit 16 of CR0, the WP flag, so that kernel code can write to read-only pages), and in the following calls the System Service Dispatch Table (SSDT) is hooked: various routines are installed as SSDT entries.

The most interesting procedure is carried out in sub_10C08(wchar_t *,int), placed at 00010C08, where the thread ID relative to "Services.exe" is retrieved by using PsLookupThreadByThreadId.
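As an added example (not code from the original post), here is the cross-view check that the Registry traces above suggest for a defender: the Services keys still name the driver and its ImagePath even though the rootkit hides the .sys from user mode, so a driver the Registry lists but the file system does not show is the discrepancy to flag. The .reg text and the directory listing are constructed samples, the init_NNNN-NNNN name pattern is taken from the key names on this page, and C:\WINDOWS as the default Windows directory is an assumption.

```python
import re
# Constructed .reg text: the init_1056-4270 entry mirrors the service key and
# ImagePath described above; Beep is an ordinary driver for contrast.
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\init_1056-4270]
"ImagePath"="\\??\\C:\\WINDOWS\\System32\\init_1056-4270.sys"
"Type"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Beep]
"ImagePath"="System32\\drivers\\beep.sys"
"Type"=dword:00000001
"""
# Constructed user-mode directory listing: the rootkit hides its own .sys file.
VISIBLE_FILES = {r"c:\windows\system32\drivers\beep.sys"}
SUSPECT_NAME = re.compile(r"^init_\d+-\d+$")  # naming seen with this driver

def parse_services(reg_text):
    services, current = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and "\\Services\\" in line:
            current = line.rstrip("]").rsplit("\\", 1)[1]
            services[current] = {}
        elif current and line.startswith('"') and '"=' in line:
            name, value = line[1:].split('"=', 1)  # .reg doubles backslashes
            services[current][name] = value.strip('"').replace("\\\\", "\\")
    return services

def resolve_image_path(image_path):
    # Strip the \??\ NT prefix and make relative paths absolute (lower-cased).
    path = image_path[4:] if image_path.startswith("\\??\\") else image_path
    if not re.match(r"^[A-Za-z]:\\", path):
        path = "C:\\WINDOWS\\" + path   # assumption: default Windows directory
    return path.lower()

def find_suspicious_drivers(reg_text, visible_files):
    findings = []
    for name, values in parse_services(reg_text).items():
        if values.get("Type") != "dword:00000001":   # kernel drivers only
            continue
        reasons = []
        if SUSPECT_NAME.match(name):
            reasons.append("service name matches init_NNNN-NNNN pattern")
        path = resolve_image_path(values.get("ImagePath", ""))
        if path not in visible_files:
            reasons.append("driver image not visible on disk: " + path)
        if reasons:
            findings.append((name, reasons))
    return findings
```

On a live system the same logic would read the Services key and a directory enumeration instead of the constructed samples; a driver whose image is missing from the listing but present in the Registry is the cross-view hit to investigate.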