The most thorough analysis of this bit of malware can be found in this PDF document. The capabilities this thing packs are interesting:
- User-mode rootkit
- Hiding code in EFS files as well as NTFS ADSs
- Hiding in the AppInit_DLLs Registry key
- Removal of the SeDebugPrivilege setting from user accounts to prevent rootkit detection tools from executing properly
- Creates a new/fake user account
- Creates a Windows service
- The PDF document even mentions the use of a checksum scanner to prevent other anti-rootkit tools from running
From a post-mortem perspective, finding the ADSs and Registry contents (AppInit_DLLs key, BHO entry, ControlSet00x\Services) as well as the added user account would all be useful artifacts, and they also provide multiple points for establishing a timeline of the infection.
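As an added example (this is not from the original post or from the PDF analysis), here is a PowerShell triage script that collects exactly those artifacts, ADSs and EFS-encrypted files under a scan root, the AppInit_DLLs value, BHO CLSIDs resolved to their DLLs, services whose binary lives outside the Windows directory, local accounts with their RIDs, and who still holds SeDebugPrivilege, and writes them to a CSV sorted by timestamp so they can be dropped into a timeline. It assumes PowerShell 5.1 on the suspect host, run elevated; the $ScanRoot default and the CSV path are assumptions, and the "outside SystemRoot" service filter is a heuristic, not a rule from the write-up.

```powershell
# Added triage example, not part of the original post. Assumes PowerShell 5.1,
# run elevated on the suspect host. $ScanRoot and $Report are assumptions.
param(
    [string]$ScanRoot = $env:SystemRoot,
    [string]$Report   = "$env:TEMP\gromozon-triage.csv"
)

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding {
    param($Source, $Item, $Detail, $Timestamp)
    $findings.Add([pscustomobject]@{
        Source = $Source; Item = $Item; Detail = $Detail; Timestamp = $Timestamp
    })
}

# 1. NTFS alternate data streams and EFS-encrypted files under $ScanRoot.
#    ':$DATA' is the normal unnamed stream, so any other stream name is an ADS.
Get-ChildItem -Path $ScanRoot -Recurse -File -Force -ErrorAction SilentlyContinue |
  ForEach-Object {
    $f = $_
    if ($f.Attributes -band [IO.FileAttributes]::Encrypted) {
        Add-Finding 'EFS' $f.FullName 'encrypted file' $f.LastWriteTime
    }
    Get-Item -LiteralPath $f.FullName -Stream * -ErrorAction SilentlyContinue |
      Where-Object { $_.Stream -ne ':$DATA' } |
      ForEach-Object {
        Add-Finding 'ADS' "$($f.FullName):$($_.Stream)" "$($_.Length) bytes" $f.LastWriteTime
      }
  }

# 2. AppInit_DLLs: every DLL listed here is loaded into each process that loads user32.dll.
$appInitKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$appInit = (Get-ItemProperty -Path $appInitKey -Name AppInit_DLLs -ErrorAction SilentlyContinue).AppInit_DLLs
if ($appInit) { Add-Finding 'AppInit_DLLs' $appInitKey $appInit $null }

# 3. Browser Helper Objects: each subkey is a CLSID; resolve it to the DLL via InprocServer32.
$bhoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
Get-ChildItem -Path $bhoKey -ErrorAction SilentlyContinue | ForEach-Object {
    $clsid = $_.PSChildName
    $dll = (Get-ItemProperty -Path "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32" `
            -ErrorAction SilentlyContinue).'(default)'
    Add-Finding 'BHO' $clsid $dll $null
}

# 4. Services whose binary is outside the Windows directory (heuristic: worth a second look).
#    The executable's creation time is a useful timeline anchor.
Get-CimInstance Win32_Service | ForEach-Object {
    $path = $_.PathName
    if ($path -and ($path -notlike "*$env:SystemRoot*")) {
        $exe = if ($path -match '^"([^"]+)"') { $Matches[1] } else { ($path -split ' ')[0] }
        $ts  = (Get-Item -LiteralPath $exe -ErrorAction SilentlyContinue).CreationTime
        Add-Finding 'Service' $_.Name $path $ts
    }
}

# 5. Local accounts. RIDs are allocated sequentially, so the highest RID at or above
#    1000 belongs to the most recently created account.
Get-LocalUser | ForEach-Object {
    $rid = [int]($_.SID.Value -split '-')[-1]
    if ($rid -ge 1000) {
        Add-Finding 'User' $_.Name "RID $rid, enabled=$($_.Enabled)" $_.PasswordLastSet
    }
}

# 6. SeDebugPrivilege assignment. secedit exports the local policy; the
#    'SeDebugPrivilege' line under [Privilege Rights] lists the SIDs that hold it.
$cfg = Join-Path $env:TEMP 'secpol.inf'
secedit /export /cfg $cfg /quiet | Out-Null
$line = Get-Content -Path $cfg -ErrorAction SilentlyContinue |
        Where-Object { $_ -match '^SeDebugPrivilege' } | Select-Object -First 1
Add-Finding 'Privilege' 'SeDebugPrivilege' $(if ($line) { $line } else { 'not assigned to anyone' }) $null
Remove-Item $cfg -ErrorAction SilentlyContinue

$findings | Sort-Object Timestamp | Export-Csv -Path $Report -NoTypeInformation
$findings | Format-Table -AutoSize
```

One caveat a practitioner would want: on a live system with the user-mode rootkit active, the same API hooks that hide processes and files from anti-rootkit tools can hide these items from PowerShell too, which is why the post points at tools that look at the disk directly. The script is most trustworthy run against a mounted image (adjust $ScanRoot, and load the image's SOFTWARE and SYSTEM hives with reg load before querying the Registry paths) or from a clean boot environment.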
This brings us to the philosophical discussion of "to wipe or not to wipe, that is the question; whether 'tis nobler in the mind to suffer the slings and arrows of being repeatedly p0wned, or to take up arms against a sea of vulnerabilities and by patching end them". While I do agree that the only way to be sure that you're free of an infection is to wipe the drive and reinstall the OS and data from clean, uninfected media, I also firmly believe that doing so blindly is simply the wrong way to go. Too many times, a rootkit will be the assumed culprit, and the system will be taken offline, wiped, reinstalled and put back into service...and a root cause investigation will never be done. Putting the box back into service is likely to get it p0wned all over again. Remember, folks, not every compromise is due to the successful exploit of a vulnerability...0-day or otherwise. There are plenty of other ways to get in...weak or no passwords (Administrator, sa, etc.), SQL injection, etc. That's the whole point of incident response...to find out what happened, so you can protect against it happening again.
Gromozon Removal Tools:
- BlackLight (also, info on the Poker Rootkit)
- ProDiscover IR (agent allows you to detect "hidden" processes/files)
- Resplendence Rootkit Hook Analyzer