A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
#18328 by R00tKit
Mon Feb 25, 2013 6:23 am
https://www.virustotal.com/en/file/fe0d ... /analysis/
Some strings inside it :)
Accept: */*
Accept-Language: zh-cn
Accept-Encoding: gzip, deflate
Host: %s:%d
Cache-Control: no-cache
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows 5.1)
Referer: http://%s
Connection: Keep-Alive
fix SSDT :geek:
Possibly KiServiceLimit==%08X
&KiServiceTable==%08X
Dumping 'old' ServiceTable:
an't find KiServiceTable...
can't find KeServiceDescriptorTable
eServiceDescriptorTable ailed to load! LastError=%i
\\.\Dark2118
[RepairSSDT] DriverEntry
c:\winddk\demo\repairssdt\bin\i386\RepairSSDT.pdb
Resource strings :)
http://www.rising-global.com/ ??
VALUE "CompanyName", "Beijing Rising Information Technology Co., Ltd."
VALUE "FileDescription", "RavCopy Module"
VALUE "FileVersion", "21.0.0.17"
VALUE "InternalName", "Beijing Rising Information Technology Co., Ltd."
VALUE "LegalCopyright", "Copyright(C) 2008-2009 Beijing Rising Information Technology Co., Ltd. All Rights Reserved."
VALUE "OriginalFilename", "ravcopy.exe"
VALUE "ProductName", "Rising AntiVirus 2009"
VALUE "ProductVersion", "21.00"
VALUE "SpecialBuild", "668531044687500"
}
FTP user/pass of the malware :D
59.175.153.49
xzq
p@ssw0rd
Attachments
pass : infected
#18332 by EP_X0FF
Mon Feb 25, 2013 10:31 am
This is very old skid malware from China.

See
http://ddos.arbornetworks.com/2010/08/y ... ddos-bots/

SSDT restore driver compiled on 27 June 2009 from open internet sources. The original SDT lookup is done in user mode and the result is then transferred to the driver by a DeviceIoControl call.
strange NtQuerySystemInformation()!
script-kiddie trash.
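The integrity check behind a tool like the one EP_X0FF describes, as an added example that is not code from the thread or from the RepairSSDT driver: it takes a dumped service table plus a trusted copy of it and reports which entries a restore would have to write back. The kernel address range, the table contents and the `find_ssdt_hooks`/`sample_hooks` names are assumptions constructed for the example.

```c
/* Added example (not code from the thread or the tool it discusses): the
 * integrity check behind an SSDT "repair" tool, run over a constructed dump.
 * Each dumped KiServiceTable entry must lie inside ntoskrnl and match a
 * trusted copy; anything else is reported as hooked. Addresses are made up. */
#include <stdint.h>
#include <stddef.h>

typedef struct {
    uint32_t image_base;   /* ntoskrnl.exe load address */
    uint32_t image_size;   /* SizeOfImage from its PE header */
} kernel_image_t;

/* 1 if addr lies inside the kernel image, else 0 (subtract cannot wrap) */
static int in_kernel_image(const kernel_image_t *k, uint32_t addr)
{
    return addr >= k->image_base && addr - k->image_base < k->image_size;
}

/* Scan `live` (dumped table, `limit` = KiServiceLimit) against `original`.
 * Writes indices of hooked entries to `hooked` (at most `max`); returns the
 * total found so the caller can tell when the output was truncated. */
size_t find_ssdt_hooks(const kernel_image_t *k, const uint32_t *live,
                       const uint32_t *original, size_t limit,
                       size_t *hooked, size_t max)
{
    size_t n = 0;
    for (size_t i = 0; i < limit; i++) {
        if (!in_kernel_image(k, live[i]) || live[i] != original[i]) {
            if (n < max) hooked[n] = i;
            n++;
        }
    }
    return n;
}

/* Constructed 32-bit sample: entry 2 points into a driver region outside
 * ntoskrnl; entry 5 stays inside ntoskrnl but differs from the original. */
static const kernel_image_t sample_kernel = { 0x804D7000u, 0x001F6000u };
static const uint32_t sample_original[8] = {
    0x805A1000u, 0x805A1100u, 0x805A1200u, 0x805A1300u,
    0x805A1400u, 0x805A1500u, 0x805A1600u, 0x805A1700u };
static const uint32_t sample_live[8] = {
    0x805A1000u, 0x805A1100u, 0xF8A01000u, 0x805A1300u,
    0x805A1400u, 0x805B0000u, 0x805A1600u, 0x805A1700u };

/* Runs the check on the sample; `out` needs 8 slots. Returns the hook count. */
size_t sample_hooks(size_t *out)
{
    return find_ssdt_hooks(&sample_kernel, sample_live, sample_original, 8, out, 8);
}
```

On the constructed sample the check reports two hooked entries, indices 2 and 5; on a real dump the second condition is what catches a hook that was relocated inside the kernel image.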