For Home

Virus Profile: ZeroAccess.b!env

Threat Search
Print
   
Virus Profile information details
Risk Assessment: Home Low | Corporate Low
Date Discovered: 10/10/2012
Date Added: 10/10/2012
Origin: Unknown
Length: 0
Type: Trojan
Subtype: Win32
DAT Required: N/A
Removal Instructions
   
 
 
   

Description

"ZeroAccess.b!env" is a family of Rootkits, capable of infecting the Windows Operating System. There has been a major shift over the last few months in the way it infects the machine. Previously Zero access infected the Kernel  by rewriting system files with its kernel mode component, in order to run at elevated privilege when the system boots, but this version has no kernel mode component and operates entirely in user space.
"ZeroAccess.b!env" is usually installed on a system by a malicious executable which will perform the actions described in this document.

Aliases

  •  Microsoft     -    Trojan:Win32/Sirefef.BC 
  •  NOD32       -     Win32/Sirefef.EV 
  •  Norman     -     W32/Suspicious_Gen4.BXIAO (trojan) 
  •  Fortinet      -     W32/Sirefef.EV

Indication of Infection

  • ZeroAccess is usually installed by a dropper component that may come to the machine from different sources. Recent variants have been observed to come together with Fake Antivirus software.
  • Presence of above mentioned files and registry activities.
  • Presence of above mentioned network connections.

Methods of Infection

ZeroAccess is usually installed by a dropper component that may come to the machine from different sources. Recent variants have been observed to come together with Fake Antivirus software.
   

Virus Characteristics

This malware usually DLL executable file dropped by other malicious executable.

It get dropped from other malicious file as the following files:

  •  %SYSTEMDRIVE%\RECYCLER\S-1-5-21-1708537768-606747145-725345543-500\$698a2431bf10457d451afdf8d202d9b0\@[detected as ZeroAccess.b!env]
  •  %SYSTEMDRIVE%\RECYCLER\S-1-5-21-1708537768-606747145-725345543-500\$698a2431bf10457d451afdf8d202d9b0\n.[detected as ZeroAccess.b!env]
  •  %SYSTEMDRIVE%\RECYCLER\S-1-5-18\$698a2431bf10457d451afdf8d202d9b0\@[detected as ZeroAccess.b!env]
  •  %SYSTEMDRIVE%\RECYCLER\S-1-5-18\$698a2431bf10457d451afdf8d202d9b0\n. [detected as ZeroAccess.b!env]
  •  %AppData%\Microsoft\Windows\UsrClass.dat.LOG

The dll file ‘n’ is then injected into services.exe and explorer.exe.

It creates the Mutex named ‘SHIMLIB_LOG_MUTEX’ to avoid multiple instance of this malware.

Malware tries to connect to the following IP addresses: 

  •  10.2[removed]55
  •  101.6[removed]50
  •  109.5[removed]47
  •  115.2[removed]54
  •  117.2[removed]54
  •  134.2[removed]54
  •  135.2[removed]54
  •  142.1[removed]5
  •  173.1[removed]47
  •  173.3[removed]3
  •  180.2[removed]54
  •  182.2[removed]54
  •  190.2[removed]54
  •  194.1[removed]3
  •  206.2[removed]54
  •  212.2[removed]54
  •  213.2[removed]54
  •  222.2[removed]54
  •  24.1[removed]50
  •  24.1[removed]51
  •  24.9[removed]51
  •  31.1[removed]80
  •  31.1[removed]20
  •  31.1[removed]01
  •  46.1[removed]9
  •  50.2[removed]0
  •  66.8[removed]34
  •  68.2[removed]46
  •  68.3[removed]0
  •  68.5[removed]1
  •  68.5[removed]48
  •  71.1[removed]1
  •  71.2[removed]5
  •  71.2[removed]54
  •  72.2[removed]53
  •  75.1[removed]50
  •  76.1[removed]46
  •  77.2[removed]50
  •  81.1[removed]8
  •  82.4[removed]5
  •  87.2[removed]54
  •  88.2[removed]54
  •  91.2[removed]47
  •  92.2[removed]54
  •  98.2[removed]47

The following registry keys are created on the system:
 

  • HKEY_USERS\S-1-5-{varies}-500\Software\Classes\clsid
  •  HKEY_USERS\S-1-5-{varies}-500\Software\Classes\clsid\{GUI}
  •  HKEY_USERS\S-1-5-{varies}-500\Software\Classes\clsid\{GUI}\InprocServer32
  •  HKEY_USERS\S-1-5-{varies}-500_Classes\clsid
  •  HKEY_USERS\S-1-5-{varies}-500_Classes\clsid\{GUI}
  •  HKEY_USERS\S-1-5-{varies}-500_Classes\clsid\{GUI}\InprocServer32


The following registry values are added

  •  HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\DeleteFlag: 0x00000001
  •  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\DeleteFlag: 0x00000001
  •  HKEY_USERS\S-1-5-{varies}-500\Software\Classes\clsid\{GUI}\InprocServer32\ThreadingModel: "Both"
  •  HKEY_USERS\S-1-5-{varies}-500\Software\Classes\clsid\{GUI}\InprocServer32\: "%systemdrive%\RECYCLER\S-1-5-{varies}-500\$698a2431bf10457d451afdf8d202d9b0\n."
  •  HKEY_USERS\S-1-5-{varies}-500_Classes\clsid\{GUI}\InprocServer32\ThreadingModel: "Both"
  •  HKEY_USERS\S-1-5-{varies}-500_Classes\clsid\{GUI}\InprocServer32\: "%systemdrive%\RECYCLER\S-1-5-{varies}-500\$698a2431bf10457d451afdf8d202d9b0\n."

The following registry values are modified.

  •  HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5839FCA9-7{varies}7F}\InprocServer32\: "%systemdrive%\RECYCLER\S-1-5-18\$698a2431bf10457d451afdf8d202d9b0\n."


The above registry ensures that the malware is loaded instead of ”wbemess.dll” which is a part of core management of windows called WMI.

  •  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher\TracesProcessed: 0x0000000A
  •  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher\TracesSuccessful: 0x00000006
  •  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-19\RefCount: 0x00000001
  •  HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\ErrorControl: 0x00000000
  •  HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Start: 0x00000004
  •  HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Enum\Count: 0x00000000
  •  HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Enum\NextInstance: 0x00000000
  •  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\ErrorControl: 0x00000000
  •  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Start: 0x00000004
  •  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Enum\Count: 0x00000000
  •  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Enum\NextInstance: 0x00000000

The following registry keys are deleted.

  •  HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SHAREDACCESS\0000\Control
  •  HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WSCSVC\0000\Control
  •  HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters
  •  HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List
  •  HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Setup\InterfacesUnfirewalledAtUpdate
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wscsvc
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Parameters
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Security
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Enum
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SHAREDACCESS\0000\Control
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WSCSVC\0000\Control
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Setup\InterfacesUnfirewalledAtUpdate
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\Parameters
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\Security
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\Enum

 The following registry values are deleted

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Defender:” %systemdrive%\Program Files\Windows Defender\MSASCui.exe”

This malware removes the registry keys affiliated with security software installed in the system

  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SHAREDACCESS\0000\Control\ActiveService: "SharedAccess"
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SHAREDACCESS\0000\Service: "SharedAccess"
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SHAREDACCESS\0000\Legacy: 0x00000001
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SHAREDACCESS\0000\ConfigFlags: 0x00000020
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SHAREDACCESS\0000\Class: "LegacyDriver"
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SHAREDACCESS\0000\ClassGUID: "{GUI}"
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SHAREDACCESS\0000\DeviceDesc: "Windows Firewall/Internet Connection Sharing (ICS)"
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SHAREDACCESS\NextInstance: 0x00000001
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WSCSVC\0000\Control\ActiveService: "wscsvc"
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WSCSVC\0000\Service: "wscsvc"
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WSCSVC\0000\Legacy: 0x00000001
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WSCSVC\0000\ConfigFlags: 0x00000020
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WSCSVC\0000\Class: "LegacyDriver"
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WSCSVC\0000\ClassGUID: "{GUI}"
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WSCSVC\0000\DeviceDesc: "Security Center"
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WSCSVC\NextInstance: 0x00000001
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Epoch\Epoch: 0x00000046
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\%windir%\system32\sessmgr.exe: "%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%windir%\system32\sessmgr.exe: "%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall: 0x00000001
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\ServiceDll: "%SystemRoot%\System32\ipnathlp.dll"
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Setup\InterfacesUnfirewalledAtUpdate\All: 0x00000001
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Setup\ServiceUpgrade: 0x00000001
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Enum\0: "Root\LEGACY_SHAREDACCESS\0000"
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Enum\0: "Root\LEGACY_WSCSVC\0000"
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Enum\Count: 0x00000001
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Enum\NextInstance: 0x00000001
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Parameters\ServiceDll: "%SYSTEMROOT%\system32\wscsvc.dll"
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Type: 0x00000020
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start: 0x00000002
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wscsvc\ErrorControl: 0x00000001
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wscsvc\ImagePath: "%SystemRoot%\System32\svchost.exe -k netsvcs"
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wscsvc\DisplayName: "Security Center"
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wscsvc\DependOnService: 'RpcSs winmgmt'
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wscsvc\ObjectName: "LocalSystem"
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Description: "Monitors system security settings and configurations."
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SHAREDACCESS\0000\Control\ActiveService: "SharedAccess"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SHAREDACCESS\0000\Service: "SharedAccess"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SHAREDACCESS\0000\Legacy: 0x00000001
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SHAREDACCESS\0000\ConfigFlags: 0x00000020
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SHAREDACCESS\0000\Class: "LegacyDriver"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SHAREDACCESS\0000\ClassGUID: "{GUI}"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SHAREDACCESS\0000\DeviceDesc: "Windows Firewall/Internet Connection Sharing (ICS)"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SHAREDACCESS\NextInstance: 0x00000001
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WSCSVC\0000\Control\ActiveService: "wscsvc"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WSCSVC\0000\Service: "wscsvc"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WSCSVC\0000\Legacy: 0x00000001
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WSCSVC\0000\ConfigFlags: 0x00000020
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WSCSVC\0000\Class: "LegacyDriver"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WSCSVC\0000\ClassGUID: "{GUI}"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WSCSVC\0000\DeviceDesc: "Security Center"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WSCSVC\NextInstance: 0x00000001
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch\Epoch: 0x00000046
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\%windir%\system32\sessmgr.exe: "%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%windir%\system32\sessmgr.exe: "%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall: 0x00000001
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\ServiceDll: "%SystemRoot%\System32\ipnathlp.dll"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Setup\InterfacesUnfirewalledAtUpdate\All: 0x00000001
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Setup\ServiceUpgrade: 0x00000001
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Enum\0: "Root\LEGACY_SHAREDACCESS\0000"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\Enum\0: "Root\LEGACY_WSCSVC\0000"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\Enum\Count: 0x00000001
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\Enum\NextInstance: 0x00000001
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\Parameters\ServiceDll: "%SYSTEMROOT%\system32\wscsvc.dll"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\Type: 0x00000020
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\Start: 0x00000002
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\ErrorControl: 0x00000001
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\ImagePath: "%SystemRoot%\System32\svchost.exe -k netsvcs"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\DisplayName: "Security Center"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\DependOnService: 'RpcSs winmgmt'
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\ObjectName: "LocalSystem"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\Description: "Monitors system security settings and configurations."

On Windows 7 and Vista it overwrites 704 bytes of the function “ScRegisterTCPEndpoint” present in “services.exe” with malicious code.

The above image ensures that it overwrites the function in services.exe
It stores the malicious content in Extended Attributes of an NTFS record.
 

The above image is the NTFS Extended attributes
When the infected “services.exe” is loaded, the malicious code reads the extended attributes where the actual malicious code resides.
 

 

The above image displays the function which checks for the hash of the EA and then loads it.
 It also strips services.exe of ASLR capability which makes windows load services.exe on the same address every time.
 

The above image shows the Missing ASLR

 

   

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).