Some of the pages I've browsed before:
http://www.f-secure.com/v-descs/rootkit.shtml
"Rootkit (generic description)
Rootkit is usually a standalone sofware component that attempts to
hide processes, files, registry data and network connections. Rootkits
are typically not malicious by themselves but are used for malicious
purposes by viruses, worms, backdoors and spyware. A virus combined
with a rootkit produces what was known as full stealth viruses in the
MS-DOS environment."
"Windows 95, 98, ME
If Windows 9x operating system is used, it is recommended to restart a
computer from a bootable system diskette and to delete an infected
file from command prompt. For example if a malicious file named
ABC.EXE is located in Windows folder, it is usually enough to type the
following command at command prompt:
DEL C:\WINDOWS\ABC.EXE
and to press Enter. After that an infected file will be gone."
http://searchsecurity.techtarget.com/general/0,295582,sid14_gci1068924,00.html
"One new tool that helps you fight root kits is RootkitRevealer from
Sysinternals, a Web site that provides utilities and source code
related to Windows NT/2000/XP/2K3 and Windows 9x, Windows Me
internals.
Every exploit has to start off by being a file somewhere. Since root
kits go to great lengths to conceal their presence from the system as
a file, RootkitRevealer uses this very tactic against them. It works
by taking two manifests of the contents of the system -- one via the
standard file system or Registry APIs, and another by reading the raw
contents of the file system or the Registry (depending on how the root
kit hides) and comparing the two. Wherever there are differences
between the two, that's usually a telltale sign that a root kit is at
work."
Pretty technical:
http://www.securiteam.com/securityreviews/5FP0E0AGAC.html
My view:
First line defense: A user has to be tricked into executing the code,
or exploited somehow. The mhtml exploit could easily be used for
anyone who is not patched. Do the critical updates and use caution!
Second line defense: Reinstall the boot partition regularily. Save
data and files, etc. to a dedicated data partition. Every so often it
will be necessary to create a new boot partition image with new
critical updates and other program updates. Start from scratch with a
fresh image re-install, patch, update, create a new image file.
As bad as these things are, it's more of a pest problem if steps are
taken to refresh the boot partition and nominally good judgement is
used in deciding what gets executed.
