Aside from the MBR rootkit, TrendLabs researchers have come across another rootkit that hides ports.
We’ve discovered a rootkit file that is able to hook TCPIP.SYS and related functions inside.
It is able to hide the following ports:
DestinationPort>3000 OR (DestinationPort<1000 AND DestinationPort!=80 AND DestinationPort!=25)
These are being used in the infect machine. The said malware, TROJ_ROOTKIT.DU, was indirectly included in the TROJ_PUSHDO.AD, TROJ_PUSHDO.AR (eCard), and WORM_NUWAR.EN (spam mail) package. Upon executing the aforementioned package, the malware downloads the said TROJ_ROOTKIT.DU as a rootkit component to add stealth to the said malware families.
Here are screenshots: