Win32.Ntldrbot (aka Rustock.C) No Longer a Myth, No Longer a Threat. New Dr.Web Scanner Detects and Cures It for Real.

Doctor Web, Ltd. – a Russian developer of Dr.Web security solutions – discovered samples of Win32.Ntldrbot (aka Rustock.C) and now cures systems infected by this rootkit. Currently no other anti-virus can detect this malicious program.

Moscow, Russia, May 08, 2008 -- These days the world marked the 30th anniversary of spam, which has already become a worldwide issue. Experts assess up to 90 per cent of our e-mail to be completely irrelevant and irritating. Win32.Ntldrbot is one of the reasons behind the booming activity of spammers.

The main task of Win32.Ntldrbot is infecting PCs, turning them into spamming bots in botnets. According to Secure Works, the botnet built by Rustock is the third largest and distributes around 30 billion spam messages daily.

Besides, the rootkit remained completely undetected. Supposedly, it has been doing so since October 2007: neither anti-virus companies nor virus makers were able to obtain a sample of Rustock.C. Meanwhile, the rootkit turned out to be real.

Eighteen months passed before Win32.Ntldrbot was found by analysts of Doctor Web, Ltd. at the beginning of 2008. The Dr.Web virus monitoring service found about 600 samples of the rootkit, but nobody knows how many remain. It took several weeks to unpack and analyze the rootkit and to improve the detection technology.

All this time the rootkit was in the wild compromising PCs and turning them into bots. Assuming that the malware has been running free and completely invisible since October 2007, one could assess the resulting amount of infected traffic. Today no one can guarantee that your machine, too, is not infected. Probably it has become a bot and is sending out spam right now.

At present, no anti-virus program other than Dr.Web anti-virus can detect Rustock.C. Those who are not Dr.Web customers can download the free Dr.Web CureIt! utility and scan their computers, to be on the safe side.

Once virus writers manage to obtain a sample of the rootkit, the spread of similar technologies and their incorporation into other malicious programs will be only a matter of time.
The attachment to the article contains more technical details about the rootkit.

Lucia Gourtovaya
International Sales Director
Doctor Web, Ltd.

Doctor Web, Ltd
Julia Arkhitectorova
+7 (495) 789-45-87