Backdoor Trojan Rustock on Sun Sep 20, 2009 2:36 pm
DragonMaster Jay
Site Owner

Backdoor.Rustock is a Trojan horse with back door capabilities that allows a remote attacker to gain access and take control of the victim's system, and uses rootkit techniques to hide its presence on the compromised computer.
Files:
%System%\drivers\I386P.SYS
%System%\MSCTL32.DLL
Registry entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\msctl32.dll\"Asynchronous" = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\msctl32.dll\"DllName" = "[NAME_OF_TROJAN_DLL].DLL"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\msctl32.dll\"Impersonate" = "0"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\msctl32.dll\"Startup" = "Startup"
Hidden device service:
Display Name: i386p
Image Path: %System%\drivers\I386P.SYS
HOSTS:
http://ftp.skystockfinance.cc
http://https.enjoyfit2006.biz
http://www2.firemonk2006.com
SMTP HOSTS:
mxs.mail.ru
smtp.yandex.ru
maila.microsoft.com
SYSTEMS AFFECTED:
XP and lower
..........................................................
DragonMaster Jay
Administrative Director SecuraGeek Association
Advanced Malware Analysts Group Owner

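An added example (not from the post or from any vendor tool) for triaging an offline registry export against the two persistence points listed above: a Winlogon Notify package whose DLL is outside a baseline allowlist, and a driver service named i386p. The allowlist of stock XP Notify DLLs and the .reg text are constructed assumptions; a real export would normally store these strings as hex(2) REG_EXPAND_SZ data, which this parser does not handle.

```python
import re

# Assumed baseline of Notify DLLs shipped with Windows XP (not from the post).
KNOWN_NOTIFY_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll",
                     "sclgntfy.dll", "wlnotify.dll", "wzcdlg.dll"}

NOTIFY_RE = re.compile(r"\\winlogon\\notify\\([^\\]+)$", re.IGNORECASE)
SERVICE_RE = re.compile(r"\\services\\([^\\]+)$", re.IGNORECASE)
VALUE_RE = re.compile(r'^"([^"]+)"=(?:"(.*)"|(\w+:.*))$')  # "name"="str" or "name"=dword:...

def parse_reg_export(text: str) -> dict[str, dict[str, str]]:
    """Parse a .reg export (REG_SZ and dword values) into {key_path: {name: data}}."""
    keys: dict[str, dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and (m := VALUE_RE.match(line)):
            data = m.group(2) if m.group(2) is not None else m.group(3)
            keys[current][m.group(1)] = data.replace("\\\\", "\\")  # .reg escapes backslashes
    return keys

def find_rustock_persistence(reg_text: str) -> list[str]:
    """Return one finding per Notify package with an unknown DLL or per i386p driver service."""
    findings = []
    for key, values in parse_reg_export(reg_text).items():
        if m := NOTIFY_RE.search(key):
            dll = values.get("DllName", "").lower().rsplit("\\", 1)[-1]
            if dll and dll not in KNOWN_NOTIFY_DLLS:
                findings.append(f"unknown Winlogon Notify package {m.group(1)} -> {dll}")
        elif m := SERVICE_RE.search(key):
            image = values.get("ImagePath", "").lower()
            if m.group(1).lower() == "i386p" or image.endswith("i386p.sys"):
                findings.append(f"driver service {m.group(1)} -> {image}")
    return findings

# Constructed sample export: one legitimate Notify package, one Rustock-style package, the driver.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"DllName"="crypt32.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\msctl32.dll]
"Asynchronous"=dword:00000001
"DllName"="msctl32.dll"
"Impersonate"=dword:00000000
"Startup"="Startup"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\i386p]
"DisplayName"="i386p"
"ImagePath"="\\SystemRoot\\System32\\drivers\\I386P.SYS"
"""

if __name__ == "__main__":
    for finding in find_rustock_persistence(SAMPLE_REG):
        print(finding)
```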