More re: Integration & Tatoos
That's an impressive list of "integration points", although I would call them "integration methods". Somewhere among my papers and files I have a list of registry keys which can be used to launch a program. However, IIRC, they are launched by explorer.exe after services.exe has loaded everything that runs as a service (such as the AV and firewall), but I could be wrong about that.
HiJack This! and Sysinternals Autoruns show everything that they can find, and from several files such as autoexec.nt and config.nt (which are stored in c:\windows\system32). Of course, if the rootkit's kernel-mode driver is correctly designed and coded without errors, then it will filter its own files out of the datastreams between the kernel and those programs.
Someday I must read the documentation for rundll32.exe to see how it is launched. IMHO, it and svchost.exe are two of the biggest security risks in the Windows OS. Anti-malware developers have found malware that is launched by one and malware that is hosted by the other.
Given the observed propensity of the undetectable rootkit to alter executables, I always thought that was the most likely means that it used to have the installer launched during the system boot, and it would install the kernel-mode driver. But I never could obtain enough information to effectively investigate that possibility.
As to the external USB Maxtor HDD that I now have, Windows XP displays an icon in the System Tray when it detects that the HDD is attached. I can use the icon to "disconnect the hardware safely", but most of the time "generic volume F:\" cannot be removed until I run the unlocker.exe utility to remove the explorer.exe and other outdated executable locks on the drive per se. So Windows XP does recognize the drive as removable, but it would create a RECYCLER directory on it if I wanted to keep files that were deleted from the drive in my desktop Recycle Bin. While the drive is disconnected, the files that have been deleted from it are not displayed in that Recycle Bin, of course.
Last, but not least, according to Windows Explorer Search there are 139 desktop.ini files currently stored on the primary internal HDD, and it looks to me as though almost all of them have hidden and/or system attributes. Not that I think that the undetectable rootkit has returned, but if any malware is using a hidden desktop, how would I distinguish it from amongst the crowd??
