Keylogger Crusher
Voyager10
Posts: 434
Registered: 05-03-2008

Technical Development TDSS Rootkits

Bot Obliterator
Quads
Posts: 13,248
Registered: 07-21-2008

Re: Technical Development TDSS Rootkits

As soon as the TDL3 kernel mode rootkit is active, the dropper drops 3 files into the system: tdlcmd.dll, tdlswp.dll and config.ini, onto its own storage. In detail, TDL3 organizes itself a special storage mode rather than using the traditional filesystem:
In order to access its files inside its own EFS, TDL3 constructs a random path such as "\Device\Ide\IdePort1\enticxfj........." to redirect requests into its own filesystem stack.
TDL3 performs the installation: the real rootkit's code and the overwritten atapi.sys data are placed into a buffer at 0x817e1000.

That is also why, if a security program removes "tdlswp.dll", the user can get an error dialog box to do with "\Device\Ide\IdePort1\enticxfj........." not found.

Yeah, we have already had like 4 on this forum of various differences.

And in some degree

Quads

Message Edited by Quads on 11-19-2009 06:22 AM
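A defender-side check for the symptom Quads describes above (a module path or error dialog pointing under \Device\Ide\IdePortN\<random>\), added here as an example and not part of the original thread. The image-load records and the random directory names are constructed, and the legitimate-prefix list is an assumption about what NT-style logs normally show.

```python
import re
from dataclasses import dataclass

# The redirect path TDL3 builds for its hidden storage, as quoted in the post
# ("\Device\Ide\IdePort1\enticxfj..."): a raw IDE port device object, a random
# lower-case directory name, then a file inside the rootkit's own filesystem.
TDL3_PATH_RE = re.compile(
    r"^\\Device\\Ide\\IdePort\d+\\[a-z]+\\(?P<file>[^\\]+)$", re.IGNORECASE)

# Component names the post says the dropper writes into that storage.
TDL3_FILES = {"tdlcmd.dll", "tdlswp.dll", "config.ini"}
# Prefixes a legitimate image path can have in NT-style logs (assumption).
NORMAL_PREFIX_RE = re.compile(
    r"^(?:[a-z]:\\|\\SystemRoot\\|\\\?\?\\[a-z]:\\|\\Device\\HarddiskVolume\d+\\)",
    re.IGNORECASE)

@dataclass
class Finding:
    process: str
    path: str
    reason: str

def classify(process, path):
    """Return a Finding for a suspicious image-load path, or None."""
    m = TDL3_PATH_RE.match(path)
    if m:
        name = m.group("file").lower()
        if name in TDL3_FILES:
            return Finding(process, path,
                           f"known TDL3 component {name} loaded from hidden IdePort storage")
        return Finding(process, path, "module loaded from a raw \\Device\\Ide\\IdePort path")
    if path.lower().startswith("\\device\\") and not NORMAL_PREFIX_RE.match(path):
        return Finding(process, path, "module loaded from a device object path, not a volume")
    return None

def scan(records):
    """Run classify() over (process, image_path) pairs and keep the hits, in order."""
    return [f for f in (classify(proc, path) for proc, path in records) if f]

# Constructed sample image-load records (not real telemetry); the random
# directory names are invented to match the pattern quoted in the post.
SAMPLE_LOADS = [
    ("svchost.exe", r"C:\Windows\System32\kernel32.dll"),
    ("System", r"\SystemRoot\System32\drivers\atapi.sys"),
    ("explorer.exe", r"\Device\HarddiskVolume1\Windows\System32\shell32.dll"),
    ("svchost.exe", r"\Device\Ide\IdePort1\qwtzkdpa\tdlcmd.dll"),
    ("iexplore.exe", r"\Device\Ide\IdePort0\mxcvbnlk\tdlswp.dll"),
    ("notepad.exe", r"\Device\Ide\IdePort1\qwtzkdpa\other.dll"),
]
```

Running scan(SAMPLE_LOADS) flags the three IdePort loads and leaves the drive-letter, \SystemRoot and HarddiskVolume paths alone.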
Keylogger Crusher
Voyager10
Posts: 434
Registered: 05-03-2008

Re: Technical Development TDSS Rootkits

More Information about TDSS Rootkit Technology from Dr.Web

http://www.drweb.com/static/BackDoor.Tdss.565_%28aka%20TDL3%29_en.pdf