Hi Julian,
I am not intimately familiar with Rustock, but it seems that the
Rustock.C variant still lives on disk but it hooks itself into ntfs.sys's
IRP handlers which allows it to "lie" to any calls to functions inside that
driver. So when a program (from operating system components or userland)
says "give me file X", Rustock.C will return the clean copy of the file
instead of the infected one.
From what I see, Rustock.C is available in both memory and on disk, it
just takes knowing what you are looking for in order to find it. Like most
commodity malware, there have been a number of controlled infections by
researchers to lead to the observation of the behavior.
- jbc22
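One way to look for the kind of IRP-handler hooking jbc22 describes, as an added example that is not from this thread or from Volatility's own plugins: walk a driver object's MajorFunction table and flag handlers that no expected module owns. The module names, addresses and sizes below are constructed, not taken from a real memory image.

```python
# Added example (not from this thread or from Volatility): flag IRP major-function handlers of
# a driver object that point outside the modules expected to own them (hook pattern above).
from dataclasses import dataclass

IRP_MJ_NAMES = {0x00: "IRP_MJ_CREATE", 0x03: "IRP_MJ_READ", 0x04: "IRP_MJ_WRITE",
                0x0c: "IRP_MJ_DIRECTORY_CONTROL", 0x0e: "IRP_MJ_DEVICE_CONTROL"}
IRP_MJ_COUNT = 28  # IRP_MJ_MAXIMUM_FUNCTION + 1 on Windows

@dataclass
class LoadedModule:
    name: str
    base: int
    size: int
    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size

@dataclass
class DriverObject:
    name: str
    major_function: list  # one handler address per IRP_MJ_* code

def owner_of(addr: int, modules: list):
    """Name of the loaded module covering addr, or None if nothing claims it."""
    for mod in modules:
        if mod.contains(addr):
            return mod.name
    return None

def find_irp_hooks(driver: DriverObject, allowed: set, modules: list) -> list:
    """(irp name, target, owner) for each handler not owned by an allowed module. 'allowed'
    is the driver's own image plus ntoskrnl.exe: unused slots point at a kernel default."""
    hooks = []
    for code, target in enumerate(driver.major_function):
        owner = owner_of(target, modules)
        if owner not in allowed:
            hooks.append((IRP_MJ_NAMES.get(code, f"IRP_MJ_{code:#04x}"), target, owner))
    return hooks

# Constructed memory layout: module bases, sizes and handler addresses are made up.
MODULES = [LoadedModule("ntoskrnl.exe", 0xFFFFF80001000000, 0x5E7000),
           LoadedModule("ntfs.sys", 0xFFFFF88001200000, 0x1A7000)]
NTFS = DriverObject("\\FileSystem\\Ntfs",
                    [0xFFFFF88001200000 + 0x1000 * (i + 1) for i in range(IRP_MJ_COUNT)])
NTFS.major_function[0x1B] = 0xFFFFF80001000000 + 0x12345  # kernel default: not a hook
NTFS.major_function[0x00] = 0xFFFFF88003F01234            # create: no module owns it
NTFS.major_function[0x03] = 0xFFFFF88003F05678            # read: no module owns it

if __name__ == "__main__":
    for name, target, owner in find_irp_hooks(NTFS, {"ntfs.sys", "ntoskrnl.exe"}, MODULES):
        print(f"{name:24} -> {target:#x} owner={owner or 'unknown'}")
```

A real tool reads the module list and the driver object from the memory image; the allow-list matters because unused entries that point into the kernel are normal, not hooks.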
On Tue, Jan 8, 2013 at 1:50 PM, Julian Brown <julian(a)jlbprof.com> wrote:
Please forgive my noobness.
I am new to Volatility and just viewed a discussion on memory acquisition
problems and the malware removing itself from the memory before it was
written to file for later analysis.
Does malware such as Rustock.C leave any traces behind such as portions of
the program used to "remove" itself from memory but cannot completely
remove itself?
Or if not, how do the researchers know it was present? Did they do a
controlled infection and watch it remove itself by other means?
Thanx
Julian
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilesystems.com/mailman/listinfo/vol-users