Virus Profile: ZeroAccess.hr

Virus Profile information details
Risk Assessment: Home Low | Corporate Low
Date Discovered: 10/23/2012
Date Added: 10/23/2012
Origin: Unknown
Length: Varies
Type: Trojan
Subtype: Win32
DAT Required: 6898

Description

“ZeroAccess.hr” is a family of rootkits that infects the Windows operating system. The way it infects a machine has changed significantly over the last few months. Earlier versions of ZeroAccess infected the kernel by overwriting system files with a kernel-mode component so that it ran at elevated privilege when the system booted; this version has no kernel-mode component and operates entirely in user space.
“ZeroAccess.hr” is usually installed on a system by a malicious executable. Once this dropper is executed, it installs the rootkit, which performs the actions described in this document.

Aliases

  • Microsoft - Trojan:Win32/Sirefef.P
  • Kaspersky - Backdoor.Win32.ZAccess.aseq
  • Norman - W32/Troj_Generic.GIUXO
  • F-Secure - Trojan.Generic.KDZ.2994

Indication of Infection

----------------------Updated on Jan 25, 2013----------------------------------------

Presence of the above-mentioned activities.

----------------------Updated on Oct 23, 2012----------------------------------------
  • ZeroAccess is usually installed by a dropper component that may reach the machine from different sources. Recent variants have been observed bundled with fake antivirus software.
  • Presence of the above-mentioned file and registry activity.
  • Presence of the above-mentioned network connections.

Methods of Infection

----------------------Updated on Jan 25, 2013----------------------------------------

ZeroAccess is usually installed by a dropper component that may reach the machine from different sources.
One common infection route is downloading and executing small executables used to crack applications. These crack tools are found on many websites devoted to distributing cracked applications. Such sites are also known to distribute malicious files and exploits, so accessing unknown websites should be avoided to lower the chance of infection.


----------------------Updated on Oct 23, 2012----------------------------------------

ZeroAccess is usually installed by a dropper component that may reach the machine from different sources. Recent variants have been observed bundled with fake antivirus software.

Virus Characteristics

-----------------------Updated on 19 Mar 2013-----------------------------------------------

Aliases

  • Kaspersky - Backdoor.Win32.ZAccess.bnqz
  • Microsoft - TrojanDropper:Win32/Sirefef.gen!C
  • NOD32 - Win32/Sirefef.EV
  • Fortinet - W32/ZAccess.BNQZ!tr.bdr

Characteristics

ZeroAccess.HR is the detection name for a rootkit family that hides itself on the infected system. It is often installed through drive-by-download attacks from malicious web sites. The Trojan downloads other malicious files and has the capability to perform Denial of Service (DoS) or Distributed DoS (DDoS) attacks. It also communicates over port 16464.

ZeroAccess.HR disables the Windows Firewall, the proxy setting and the Windows Security Center service.

Upon execution it attempts to connect to the following URLs, domains and IP addresses (partially redacted):


The following folder is created on the system:

  • %SYSTEMDRIVE%\RECYCLER\S-1-5-18

The following registry keys are added to the system:

  • HKEY_USERS\S-1-5-[Varies]\Software\Classes\CLSID\{GUID}
  • HKEY_USERS\S-1-5-[Varies]\Software\Classes\CLSID\{GUID}\InprocServer32
  • HKEY_USERS\S-1-5-[Varies]_Classes\CLSID\{GUID}
  • HKEY_USERS\S-1-5-[Varies]_Classes\CLSID\{GUID}\InprocServer32

The following registry values are added to the system:

  • HKEY_USERS\S-1-5-[Varies]\Software\Classes\CLSID\{GUID}\InprocServer32\ThreadingModel: "Both"
  • HKEY_USERS\S-1-5-21-[Varies]\Software\Classes\CLSID\{GUID}\InprocServer32\: "%SYSTEMDRIVE%\RECYCLER\S-1-5-21-[Varies]\$698a2431bf10457d451afdf8d202d9b0\n."
  • HKEY_USERS\S-1-5-[Varies]_Classes\CLSID\{GUID}\InprocServer32\ThreadingModel: "Both"
  • HKEY_USERS\S-1-5-21-[Varies]_Classes\CLSID\{GUID}\InprocServer32\: "%SYSTEMDRIVE%\RECYCLER\S-1-5-21-[Removed]\$698a2431bf10457d451afdf8d202d9b0\n."

The above registry entries ensure that the rootkit registers itself with the compromised system and executes on every reboot.

The following registry value is modified (original value first, modified value second):

  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{GUID}\InprocServer32\: "%WINDIR%\system32\wbem\fastprox.dll"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{GUID}\InprocServer32\: "%SYSTEMDRIVE%\RECYCLER\S-1-5-18\$8799278523af799c26e02500d72b61fb\n."

The above registry entry confirms that the dropped file is registered with the compromised system and executed at every system boot.

The following registry keys are deleted from the system in order to disable the Windows Firewall and Security Center:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SHAREDACCESS
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SHAREDACCESS\0000
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SHAREDACCESS\0000\Control
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WSCSVC
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WSCSVC\0000
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WSCSVC\0000\Control
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Setup
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Setup\InterfacesUnfirewalledAtUpdate
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Enum
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\Parameters
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\Security
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\Enum

--------------------------------------------------------------------------------------------------------------------------------------------------------------------------

-----------------------Updated on 22 Feb 2013-----------------------------------------------

Aliases

  • Microsoft - Trojan:Win32/Sirefef.P
  • Nod32 - Win32/Kryptik.ATZC trojan (variant)
  • Norman - ZAccess.WLV
  • Fortinet - W32/ZAccess.BDGJ!tr.bdr
  • Ikarus - Trojan.Zeroaccess

ZeroAccess.HR is the detection name for a rootkit family that hides itself on the infected system. It is often installed through drive-by-download attacks from malicious web sites. The Trojan downloads other malicious files and has the capability to perform Denial of Service (DoS) or Distributed DoS (DDoS) attacks. It also communicates over port 16464.

ZeroAccess.HR disables the Windows Firewall, the proxy setting and the Windows Security Center service.

Upon execution it attempts to connect to the following URLs, domains and IP addresses (partially redacted):


Upon execution it drops files into the following locations:

  • %SYSTEMDRIVE%\RECYCLER\S-1-5-21[Varies]\$8799278523af799c26e02500d72b61fb\@
  • %SYSTEMDRIVE%\RECYCLER\S-1-5-21[Varies]\$8799278523af799c26e02500d72b61fb\n
  • %SYSTEMDRIVE%\RECYCLER\S-1-5-18\$8799278523af799c26e02500d72b61fb\@
  • %SYSTEMDRIVE%\RECYCLER\S-1-5-18\$8799278523af799c26e02500d72b61fb\n

The following registry values are added to the system:

  • HKey_Users\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable: 0x00000000

The above registry value shows that the rootkit disables the proxy setting.

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NPF\0000\Capabilities: 0x00000000
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VMDEBUG\0000\Capabilities: 0x00000000
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VMMEMCTL\0000\Capabilities: 0x00000000
  • HKU\S-1-5-21[Varies]\Software\Classes\clsid\{GUID}\InprocServer32\ThreadingModel: "Both"
  • HKU\S-1-5-21[Varies]\Software\Classes\clsid\{GUID}\InprocServer32\: "%SYSTEMDRIVE%\RECYCLER\S-1-5-21[Varies]\$8799278523af799c26e02500d72b61fb\n."
  • HKU\S-1-5-21[Varies]_Classes\clsid\{GUID}\InprocServer32\ThreadingModel: "Both"
  • HKU\S-1-5-21[Varies]_Classes\clsid\{GUID}\InprocServer32\: "%SYSTEMDRIVE%\RECYCLER\S-1-5-21[Varies]\$8799278523af799c26e02500d72b61fb\n."

The above registry entries ensure that the rootkit registers itself with the compromised system and executes on every reboot.

The following registry value is modified (original value first, modified value second):

  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32\: "%WINDIR%\system32\wbem\fastprox.dll"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32\: "%SYSTEMDRIVE%\RECYCLER\S-1-5-18\$8799278523af799c26e02500d72b61fb\n."

The above registry entry ensures that the rootkit registers itself with the compromised system and executes on every reboot.

The following registry keys and values are deleted from the system:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Defender
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\WDM\%SYSTEMDRIVE%\WINDOWS\system32\DRIVERS\ipnat.sys[IPNATMofResource]: "LowDateTime:279289344,HighDateTime:29924911***Binary mof compiled successfully"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SHAREDACCESS\0000\Control\ActiveService: "SharedAccess"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SHAREDACCESS\0000\
    • Service: "SharedAccess"
    • Legacy: 0x00000001
    • ConfigFlags: 0x00000020
    • Class: "LegacyDriver"
    • ClassGUID: "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
    • DeviceDesc: "Windows Firewall/Internet Connection Sharing (ICS)"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SHAREDACCESS\NextInstance: 0x00000001
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WSCSVC\0000\Control\ActiveService: "wscsvc"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WSCSVC\0000\
    • Service: "wscsvc"
    • Legacy: 0x00000001
    • ConfigFlags: 0x00000020
    • Class: "LegacyDriver"
    • ClassGUID: "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
    • DeviceDesc: "Security Center"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WSCSVC\NextInstance: 0x00000001
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\
    • DependOnGroup: 00
    • DependOnService: 'Netman WinMgmt'
    • Description: "Provides network address translation, addressing, name resolution and/or intrusion prevention services for a home or small office network."
    • DisplayName: "Windows Firewall/Internet Connection Sharing (ICS)"
    • ErrorControl: 0x00000001
    • ImagePath: "%SystemRoot%\system32\svchost.exe -k netsvcs"
    • ObjectName: "LocalSystem"
    • Start: 0x00000002
    • Type: 0x00000020
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch\Epoch: 0x00000011
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\%windir%\Network Diagnostic\xpnetdiag.exe: "%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\%windir%\system32\sessmgr.exe: "%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%windir%\Network Diagnostic\xpnetdiag.exe: "%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%windir%\system32\sessmgr.exe: "%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\ServiceDll: "%SystemRoot%\System32\ipnathlp.dll"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Setup\InterfacesUnfirewalledAtUpdate\All: 0x00000001
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Setup\ServiceUpgrade: 0x00000001
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Enum\
    • 0: "Root\LEGACY_SHAREDACCESS\0000"
    • Count: 0x00000001
    • NextInstance: 0x00000001
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\Enum\
    • 0: "Root\LEGACY_WSCSVC\0000"
    • Count: 0x00000001
    • NextInstance: 0x00000001
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\Security\Security: [Binary data]
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\Parameters\ServiceDll: "%SYSTEMROOT%\system32\wscsvc.dll"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\
    • Type: 0x00000020
    • Start: 0x00000002
    • ErrorControl: 0x00000001
    • ImagePath: "%SystemRoot%\System32\svchost.exe -k netsvcs"
    • DisplayName: "Security Center"
    • DependOnService: 'RpcSs winmgmt'
    • ObjectName: "LocalSystem"
    • Description: "Monitors system security settings and configurations."

The above registry entries confirm that the rootkit deletes the entries related to the Windows Firewall and Windows Security Center, and also disables the Shared Access service.

----------------------Updated on February 15, 2013----------------------------------------

Aliases

  • Microsoft - Trojan:Win32/Sirefef.BC
  • Nod32 - Win32/Kryptik.ASXG (variant)
  • Norman - ZAccess.ABNS
  • Ikarus - Trojan.Win32.Sirefef
  • BitDefender - Gen:Variant.Barys.11289



ZeroAccess.hr is installed on a system by a malicious executable. Once this dropper is executed, it will install the rootkit which will perform the actions described in this document.

Upon execution it tries to connect to the following IP address:

  • 50.[Removed].196.70


Upon execution it drops files into the following locations:


  • %SYSTEMDRIVE%\RECYCLER\S-1-5-21-[Varies]\$698a2431bf10457d451afdf8d202d9b0\@
  • %SYSTEMDRIVE%\RECYCLER\S-1-5-21-[Varies]\$698a2431bf10457d451afdf8d202d9b0\n
  • %SYSTEMDRIVE%\RECYCLER\S-1-5-18\$698a2431bf10457d451afdf8d202d9b0\@
  • %SYSTEMDRIVE%\RECYCLER\S-1-5-18\$698a2431bf10457d451afdf8d202d9b0\n



The following registry keys are added to the system:

  • HKEY_USERS\S-1-5-[Varies]\Software\Classes\clsid
  • HKEY_USERS\S-1-5-[Varies]\Software\Classes\clsid\{GUID}
  • HKEY_USERS\S-1-5-[Varies]\Software\Classes\clsid\{GUID}\InprocServer32
  • HKEY_USERS\S-1-5-[Varies]_Classes\clsid
  • HKEY_USERS\S-1-5-[Varies]_Classes\clsid\{GUID}
  • HKEY_USERS\S-1-5-[Varies]_Classes\clsid\{GUID}\InprocServer32



The following registry values are added to the system:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\DeleteFlag: 0x00000001
  • HKEY_USERS\S-1-5-[Varies]\Software\Classes\clsid\{GUID}\InprocServer32\ThreadingModel: "Both"
  • HKEY_USERS\S-1-5-[Varies]\Software\Classes\clsid\{GUID}\InprocServer32\: "%SYSTEMDRIVE%\RECYCLER\S-1-5-[Varies]\$698a2431bf10457d451afdf8d202d9b0\n."
  • HKEY_USERS\S-1-5-[Varies]_Classes\clsid\{GUID}\InprocServer32\ThreadingModel: "Both"
  • HKEY_USERS\S-1-5-[Varies]_Classes\clsid\{GUID}\InprocServer32\: "%SYSTEMDRIVE%\RECYCLER\S-1-5-[Varies]\$698a2431bf10457d451afdf8d202d9b0\n."


The above registry entries ensure that the rootkit registers itself with the compromised system and executes on every reboot.

The following registry values are modified (original value first, modified value second):

  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32\: "%WINDIR%\system32\wbem\fastprox.dll"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32\: "%SYSTEMDRIVE%\RECYCLER\S-1-5-18\$698a2431bf10457d451afdf8d202d9b0\n."


The above registry entries ensure that the rootkit registers itself with the compromised system and executes on every reboot.

The following service values are also modified (original value first, modified value second):

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\ErrorControl: 0x00000001
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\ErrorControl: 0x00000000
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Start: 0x00000002
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Start: 0x00000004



The above registry changes (Start set to 0x00000004, SERVICE_DISABLED) confirm that the rootkit disables the Shared Access (Windows Firewall/ICS) service.

The following registry keys are deleted from the system:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SHAREDACCESS
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SHAREDACCESS\0000
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SHAREDACCESS\0000\Control
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WSCSVC
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WSCSVC\0000
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WSCSVC\0000\Control
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
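As an added example (not McAfee's tooling and not code from this profile), the following Python script parses a Windows .reg export and applies the indicators described in the updates above: the InprocServer32 default of the {5839FCA9-774D-42A1-ACDA-D6A79037F57F} CLSID redirected away from fastprox.dll into RECYCLER, the SharedAccess/wscsvc service Start and DeleteFlag values, and the absence of the firewall and Security Center keys. The sample export, the SIDs in it and the function names are constructed for illustration.

```python
"""Scan a Windows .reg export for the ZeroAccess.hr indicators in this profile: the
hijacked WMI CLSID InprocServer32, SharedAccess/wscsvc tampering, deleted keys."""
import re

# CLSID whose InprocServer32 default the profile reports as redirected.
WMI_CLSID = "{5839FCA9-774D-42A1-ACDA-D6A79037F57F}"
EXPECTED_WMI_SERVER = r"\system32\wbem\fastprox.dll"  # legitimate COM server

# Keys the profile reports deleted; only meaningful on a full HKLM\SYSTEM export.
EXPECTED_SERVICE_KEYS = (
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WSCSVC",
)

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^(?:@|"(?P<name>[^"]*)")=(?P<data>.*)$')


def parse_reg_export(text):
    """Return {key_path: {value_name: data}}. Real exports are UTF-16 (use
    open(path, encoding="utf-16")). The default value is "@"; dwords become int."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            current = key.group(1)
            keys[current] = {}
            continue
        val = VALUE_RE.match(line)
        if val and current is not None:
            data = val.group("data")
            if data.startswith("dword:"):
                data = int(data[6:], 16)
            elif len(data) >= 2 and data[0] == data[-1] == '"':
                data = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
            keys[current][val.group("name") or "@"] = data
    return keys


def find_indicators(keys):
    """Apply the profile's indicators; return a list of (severity, finding)."""
    findings = []
    for path, values in keys.items():
        parts, lower = path.split("\\"), path.lower()
        # COM hijack: InprocServer32 default inside RECYCLER, or WMI CLSID moved off fastprox.dll.
        if parts[-1].lower() == "inprocserver32" and "@" in values:
            server, clsid = str(values["@"]), parts[-2].upper()
            if "\\recycler\\" in server.lower():
                findings.append(("high", f"{clsid} InprocServer32 points into RECYCLER: {server}"))
            elif clsid == WMI_CLSID and not server.lower().endswith(EXPECTED_WMI_SERVER):
                findings.append(("high", f"WMI CLSID not served by fastprox.dll: {server}"))
        # Service tampering: Windows Firewall/ICS (SharedAccess) and Security Center (wscsvc).
        if lower.endswith("\\services\\sharedaccess") or lower.endswith("\\services\\wscsvc"):
            if values.get("Start") == 4:  # SERVICE_DISABLED
                findings.append(("medium", f"{parts[-1]} service disabled (Start=4)"))
            if values.get("DeleteFlag") == 1:
                findings.append(("medium", f"{parts[-1]} service marked for deletion"))
    return findings


def missing_service_keys(keys):
    """Expected firewall / Security Center keys absent from the export."""
    present = {k.lower() for k in keys}
    return [k for k in EXPECTED_SERVICE_KEYS if k.lower() not in present]


# Constructed export mimicking the profile's findings (SIDs and paths are made up).
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32]
@="C:\\RECYCLER\\S-1-5-18\\$8799278523af799c26e02500d72b61fb\\n."
"ThreadingModel"="Both"

[HKEY_USERS\S-1-5-21-1000\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32]
@="C:\\RECYCLER\\S-1-5-21-1000\\$8799278523af799c26e02500d72b61fb\\n."
"ThreadingModel"="Both"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
"Start"=dword:00000004
"DeleteFlag"=dword:00000001
"""

if __name__ == "__main__":
    for severity, finding in find_indicators(parse_reg_export(SAMPLE_EXPORT)):
        print(severity.upper(), finding)
```

On a live system the same checks apply to the output of `reg export HKLM\SOFTWARE\Classes\CLSID` and `reg export HKLM\SYSTEM`; a clean host shows the WMI CLSID still served by fastprox.dll and SharedAccess with Start 0x00000002.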
Removal Instructions

All Users:
Use the current engine and DAT files for detection and removal.

Modifications made to the system registry and/or INI files for the purpose of hooking system startup will be removed successfully when cleaning with the recommended engine and DAT combination (or higher).