Naturally, as a malware geek, Hayashi doesn't call it "nasty" -- he says "really interesting":
Trojan.Srizbi is really interesting for some unique features. Trojan.Srizbi driver (windbg48.sys) has two main functions: hides itself using a Rootkit and sends spam, but the thing that makes it really unique is the fact that its probably the first full-kernel malware spotted in the wild.The implication being that, if a future version of Srizbi fixes the problems that currently make it visible, detection gets a lot harder. Needless to say, that may well cause more spam to get sent before an infection could be detected and remediated.
Once the Trojan is installed, it works without any user mode payload and does everything from kernel-mode, including sending spam ... The most interesting code is contained in the spam routine. We know that using network functionalities directly from kernel-mode is much more complicated and we have seen many rootkit threats in the past - for example, Haxdoor, Rustock, and Peacomm - always carrying over a user-mode payload that gets injected into some Windows processes. Trojan.Srizbi seems to move a step forward by working totally in kernel-mode without the need to inject anything into user-mode.
We think this sample is still in a “beta” stage and it’s not finished yet.
I especially liked this bit:
[It] seems to include a special routine to uninstall competitor rootkits, such as “wincom32.sys” and “ntio256.sys”.Classy.