Blog | G5 Cyber Security

Snake Campaign: A few words about the Uroburos Rootkit

The new Uroburos (aka Turla) rootkit includes a lot of clever features. The dropper is compressed with a simple packer that uses integer math, such as bit shifting and unsigned multiplication, to perform data decryption. After the rootkit driver is loaded, a function in a user-mode module of the dropper called format_ntfs_Win32 is used to format its virtual volume. The entire code responsible for formatting the virtual volume is written in user mode. This ensures the piece of malware survives a system reboot.

Source: https://blog.talosintelligence.com/2014/04/snake-campaign-few-words-about-uroburos.html
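The excerpt describes a packer whose decryption step is plain integer arithmetic (shifts and unsigned multiplication) rather than a call into a cryptographic library, which keeps the unpacking stub small and free of recognisable crypto imports. The block below is an added illustration of that class of technique, written for this page; it is not code from the Talos post or from the Uroburos sample. The keystream function, its constants, the key and the sample payload are all constructed assumptions and do not reproduce the malware's actual algorithm.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical keystream built only from integer math: a 32-bit
 * multiply-add step (wraps mod 2^32 because the type is unsigned)
 * followed by shift-and-xor mixing. Constructed for illustration,
 * not the Uroburos packer's routine. */
static uint32_t next_word(uint32_t *state)
{
    uint32_t s = *state;
    s = s * 0x9E3779B1u + 0x7F4A7C15u;  /* unsigned multiplication, no overflow UB */
    s ^= s >> 15;                       /* bit shifting mixes high bits downward */
    s *= 0x85EBCA6Bu;
    s ^= s >> 13;
    *state = s;
    return s;
}

/* XOR the buffer with the keystream. Because XOR is its own inverse, the
 * same routine both "packs" and "unpacks" when given the same key. */
void toy_crypt(uint8_t *buf, size_t len, uint32_t key)
{
    uint32_t state = key;
    uint32_t ks = 0;
    for (size_t i = 0; i < len; i++) {
        if ((i & 3) == 0)
            ks = next_word(&state);            /* one 32-bit word per 4 bytes */
        buf[i] ^= (uint8_t)(ks >> (8 * (i & 3)));
    }
}

/* Round-trip check on a constructed sample payload (not malware data).
 * Returns 1 if packing changed the bytes and unpacking with the same key
 * restored them exactly. */
int toy_roundtrip_ok(void)
{
    const char plain[] = "constructed sample payload, stands in for a packed driver";
    uint8_t buf[sizeof plain];
    memcpy(buf, plain, sizeof plain);

    toy_crypt(buf, sizeof buf, 0xDEADBEEFu);   /* assumed key */
    int changed = memcmp(buf, plain, sizeof plain) != 0;

    toy_crypt(buf, sizeof buf, 0xDEADBEEFu);
    int restored = memcmp(buf, plain, sizeof plain) == 0;

    return changed && restored;
}

/* Returns 1 if unpacking with a different key does NOT restore the data,
 * i.e. the key actually matters and the stub is not a fixed transform. */
int toy_wrong_key_fails(void)
{
    const char plain[] = "constructed sample payload, stands in for a packed driver";
    uint8_t buf[sizeof plain];
    memcpy(buf, plain, sizeof plain);

    toy_crypt(buf, sizeof buf, 0xDEADBEEFu);
    toy_crypt(buf, sizeof buf, 0xCAFEBABEu);   /* wrong key */

    return memcmp(buf, plain, sizeof plain) != 0;
}

int main(void)
{
    uint8_t sample[16] = "driver.sys data";
    toy_crypt(sample, sizeof sample, 0xDEADBEEFu);
    printf("packed bytes:");
    for (size_t i = 0; i < sizeof sample; i++)
        printf(" %02x", sample[i]);
    printf("\nround trip ok: %d, wrong key fails: %d\n",
           toy_roundtrip_ok(), toy_wrong_key_fails());
    return 0;
}
```

The point for an analyst is in the shape of the stub, not in the constants: a decryption loop like this compiles to a handful of `imul`, `shr` and `xor` instructions with no imports, so it is found by looking for tight arithmetic loops feeding a buffer that is later executed or written to disk, rather than by looking for calls to a crypto API.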
