Rootkit TDL 3

My mistake, RkU3.8.388.590 SR2 does detect the infected driver...

Papa Legba, really no offence, but but please read a little bit more and then come again to write something that makes sense. Anyone has idea how to detect the infected driver with the latest version where RKU 3.8 doesn't show it?

tdl 3 is really a quite simple malware. First of course the user rans in hi's computer the tdl3 dropper executable, then which then injects the spooler and the tdl3 dll file will then be unpacked to create the tdl.sys file and the cmdhooker now the systems miniport driver will be infected by hooking method... quite simple actually. Since the malware deletes it's own traces after it have been written to the computers file system of course it's hard to detect by antiviruses because they dont find the indications of the infection thats why the answer for detecting this malware is for the antiviruses to create a computer boot time scanner that regognizes the tdl3 code in the lower disk driver.

Most antivirus scanners had a boot time scanner allready back in the 90's so why not now? One solution to this problem could be that microsoft updates the miniport driver and make it protected.

tdl3 is propably so old rootkit at the moment that it is detected by allmost every antivirus and the different versions of this rootkit such as, batch, vbs, html and js have made it's heuristic and deeper detection much easier to the antivirus industry so i think that it's not a problem anymore. The biggest problem are propably the rootkits that comes with antivirus programs.

For the record, there is another thread at another forum that is all about TDL3, with lots of useful information.  Check out: http://www.kernelmode.info/forum/viewtopic.php?f=16&t=19

Thanks,
--AD