The rootkit, installed as beep.sys, registers a process-creation notify routine.
Medichi waits for the notification that the "winlogon.exe" process is being loaded.
This is required for two reasons:
1) Hiding the change of the registry startup keys under winlogon.exe.
2) Making sure that the "Software" registry hive is already loaded.
In the disassembled listing of the Medichi driver shown here, the rootkit writes "medichi.exe" and "medichi2.exe" into HKLM\Software\Microsoft\Windows\CurrentVersion\Run.
These executables are used to notify users about a spyware attack and to download new versions.
The Microsoft Signature Verifier tool (sigverif.exe) can easily check which system files carry a Microsoft digital signature.
Beep.sys was detected as well. It isn't encrypted, and the telltale strings "medichi" and "murka.dat" can be read in it directly.
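As an added defender-side example (not code from the original analysis), the following Python checks both indicators described above: Run-key entries launching medichi.exe or medichi2.exe, and the plaintext strings "medichi" and "murka.dat" in the unencrypted driver. The sample Run values and driver bytes are constructed here, and the file paths inside them are assumptions.

```python
from pathlib import Path

# Indicators taken from the analysis: the Run-key images the rootkit adds and
# the plaintext strings readable in the unencrypted beep.sys.
RUN_SUBKEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
SUSPICIOUS_RUN_IMAGES = ("medichi.exe", "medichi2.exe")
DRIVER_STRINGS = (b"medichi", b"murka.dat")

def flag_run_entries(run_values):
    """Return the Run-key entries (name -> command) that launch a Medichi image."""
    return {name: cmd for name, cmd in run_values.items()
            if any(img in cmd.lower() for img in SUSPICIOUS_RUN_IMAGES)}

def scan_driver_bytes(data):
    """Return the indicator strings present in a driver image.

    Matching is case-insensitive and covers both ASCII and UTF-16LE, since a
    kernel driver may store file names as wide strings."""
    low = data.lower()
    found = set()
    for s in DRIVER_STRINGS:
        if s in low or s.decode().encode("utf-16-le") in low:
            found.add(s.decode())
    return sorted(found)

def scan_driver_file(path):
    """Scan a driver on disk, e.g. %SystemRoot%\\system32\\drivers\\beep.sys."""
    return scan_driver_bytes(Path(path).read_bytes())

def read_run_key():
    """Read the live HKLM Run key on Windows (needs the winreg module)."""
    import winreg
    values, i = {}, 0
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_SUBKEY) as key:
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, i)
            except OSError:  # no more values
                break
            values[name] = str(data)
            i += 1
    return values

# Constructed sample data (not a real export or a real driver image).
SAMPLE_RUN_VALUES = {
    "SecurityHealth": r"C:\Windows\system32\SecurityHealthSystray.exe",
    "medichi": r'"C:\WINDOWS\system32\medichi.exe"',
    "medichi2": r'"C:\WINDOWS\system32\medichi2.exe" /silent',
}
SAMPLE_DRIVER = (b"MZ\x90\x00" + b"\x00" * 16
                 + b"\\SystemRoot\\system32\\murka.dat\x00"
                 + "MEDICHI".encode("utf-16-le") + b"\x00" * 8)
```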
We know that the Medichi rootkit was written by Russian-speaking virus writers.
Murka is one of the most common cat names in Russian.
The text "bljaha muaha zainalo vse!" is actually swear words.