For Consumer

Virus Profile: ZeroAccess.a

Threat Search
Print
   
Virus Profile information details
Risk Assessment: Home Low | Corporate Low
Date Discovered: 8/16/2011
Date Added: 8/16/2011
Origin: N/A
Length: varies
Type: Trojan
Subtype: Rootkit
DAT Required: 6440
Removal Instructions
   
 
 
   

Description

Rootkits are programs that can potentially be used by any malware to hide, or stealth, files, processes, registry keys, and network connections. ZeroAccess.a is one of such detections for this class of malicious programs. Unlike viruses, ZeroAccess does not self-replicate. It is spread manually, often under the premise that it is beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks,etc.

Indication of Infection

  • The presence of files and registry keys as mentioned above
  • The presence of the network communications mentioned above
  • Security tools get killed and disabled when scanning the system.
  • Un-expected DACL modifications to process/file scanning tools
  • The presence of system hooks mentioned above.

Methods of Infection

ZeroAccess is usually installed by a dropper component that may come to the machine from different sources. One usual method that machines get infected is by downloading and executing small executable files used to crack applications. These crack tools can be found in many different websites devoted to distributing cracked applications. These sites also are known to distribute malicious files and exploits, and thus accessing unknown websites should be avoided to lower the chance of getting infected.

Some recent variants have been observed to come together with Fake Antivirus software or W32/Katusha file infector virus. ZeroAccess is downloaded by these components at each system reboot, which make it very difficult to get rid of it.

   

Virus Characteristics

ZeroAccess is a family of Rootkits, capable of infecting the Windows Operating System. On infection, it overwrite Windows System Files and installs Kernel Hooks in an attempt to remain stealthy. Once the hooks are installed, the target operating system falls under control of the rootkit, which is then able to hide processes, files, networks connections, as well as to kill any security tools trying to access its files or processes. This rootkit is known to infect both 32 and 64 bit Windows operating systems.

ZeroAccess patches system files to load its malicious code. The original file content is overwritten, but the original system file is kept inside an encrypted virtual file system the rootkit creates. The virtual file system is stored in an unsuspecting file on disk.

ZeroAccess is usually installed on a system by a malicious executable. Once this dropper is executed, it will install the rootkit which will perform the actions described below:

NOTE: A detailed description of this malware can be found on our Threat Advisory page here.


The following files are changed or created by the malware:

  • The rootkit will create a file with a random name in %SYSTEMROOT%\system32\config\[random]<RANDOM> or c:\windows\prefetch\[random]<RANDOM>. This file will be used to store a virtual encrypted file system, used by the rootkit to store its configuration files and other supporting files.
  • Some recent variants are creating a hidden folder named c:\windows\$NtUninstallKB[random]<RANDOM>$ to store its files.
  • ZeroAccess will then patch a randomly chosen system driver file. The patched file will be used as the rootkit’s restart mechanism to load its malicious kernel component when the system boots.
  • The malware will create a trip-wire file which will be monitored to detect security tools scanning the system. Any process touching this file will be terminated. The file may be created as a system device or as an ADS (Alternate Data Stream) as follows:
    \\??\Global\systemroot\system32\svchost.exe\svchost.exe
    %SYSTEMROOT%\[random]<RANDOMNUMBERS>:[random]<RANDOMNUMBERS>.exe
(where %SYSTEMROOT% represents the folder where Windows is installed, usually C:\Windows)

The following registry keys are changed or created:

  • The malware then creates a service, and points the service's ImagePath key to the file above, to run it every time the system boots. The following is an example of such key:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\54e61bbc\Type: 0x00000001
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\54e61bbc\Start: 0x00000003
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\54e61bbc\ImagePath: "\systemroot\3155945044:2870600771.exe"
  • It may also create the following key:
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{f8cec7e5-22d1-631d-b463-054fb5b74060}

In newer variants, besides killing the process, the rootkit component will also remove all NTFS permissions from the offending files (by modifying its DACL) and install an Image File Execution Option to disable execution of the file. This action is an attempt to disable security related tools and components.


Network Activity

ZeroAccess will report its installation and user activity to a remote server. Since the rootkit hides network connections from any tool running on the infected machine, system administrators may need to use external monitoring tools to check the network activity.

After infection, the malware will report installation and system activity using HTTP requests. These requests are usually made to destination port 80 but some variants also use port 8083 to communicate.

The requests have the following characteristics:

GET /stat2.php?w=46&i=d5d6a3459af7a34558e98254eb873a62&a=11 HTTP/1.1
Host: <IP_ADDRESS>
User-Agent: Opera/6 (Windows NT 5.1; U; LangID=416; x86)

GET /bad.php?w=109&fail=0&i=d5d6a3459af7a3457ce3916737df5160 HTTP/1.1
Connection: keep-alive
Host: <IP_ADDRESS>
User-Agent: Opera/6 (Windows NT 5.1; U; LangID=416; x86)

The following user-agent may also be used:

GET /%s HTTP/1.0
Host: %s
User-Agent: NSIS_Inetc (Mozilla)

During our test replication, the following IP addresses were contacted by the malware:

  • 95.64.46.44
  • 193.105.154.210
  • 69.50.212.157
  • 85.17.226.180

Rootkit Behavior
The rootkit component of ZeroAccess utilizes an advanced method for protecting itself and disabling any security tool trying to detect and remove it.

When a security tool tries to access the monitored file on disk or the service process in memory, the rootkit identifies the access attempt, triggering its protection system.

The protection consists of killing the process from kernel mode, making it effective against any type of security tool.

The rootkit also hooks some system APIs, an example of such hooks are shown below as depicted in the log by the publicly available GMER tool:

---- Kernel code sections - GMER 1.0.15 ----
.text  ntkrnlpa.exe!IoReuseIrp + 8B                        804EE879 7 Bytes  CALL F60880F5
.text  atapi.sys                                           F850384D 7 Bytes  CALL F60838F0
.text  mrxsmb.sys                                          F6D93000 107 Bytes  [06, 0F, 83, 2D, B5, 00, 00, ...]
.text  mrxsmb.sys                                          F6D9306C 101 Bytes  [EC, 8B, 45, 08, 8B, 40, 40, ...]
.text  mrxsmb.sys                                          F6D930D2 52 Bytes  CALL 386296E7
.text  mrxsmb.sys                                          F6D93107 31 Bytes  [90, 90, 90, 90, 90, FF, 25, ...]
.text  mrxsmb.sys                                          F6D93127 42 Bytes  [F6, 42, 08, 80, 0F, 84, C5, ...]

---- Kernel IAT/EAT - GMER 1.0.15 ----
IAT    \SystemRoot\system32\DRIVERS\mrxsmb.sys[HAL.dll!HalGetAdapter]          840FFC4D
IAT    \SystemRoot\system32\DRIVERS\mrxsmb.sys[HAL.dll!IoWritePartitionTable]  00008258
IAT    \SystemRoot\system32\DRIVERS\mrxsmb.sys[HAL.dll!HalDisplayString]       0F01FE83

   

For most previous variants of this malware, McAfee provides protection via signatures. Please ensure to have the most up to date DATs and Engine. For the most recent variant where McAfee (or your security product) may be disabled, please follow the following manual cleaning instructions. A standalone tool may be provided in the near future to help remediate this Threat.


NTFS Folder Permission Alteration
Besides killing any security tool trying to access its files or processes, newer variants of ZeroAccess implemented a new protection method to disable security tools.
Once the process is killed, the rootkit will remove all NTFS permissions disallowing the execution of the file afterwards. This method of disabling security tools has been seen before in malware families like W32/Pinkslipbot and W32/Simfect.
The file permissions may be restored by running the following actions.


  1. Right-click the parent folder of the affected files and choose Properties.
  2. In the window that opens, chose the Security Tab.
  3. Click in Advanced.
  4. There will be two checkboxes below the list of permissions. If the checkbox for Inherit Parents Permissions is checked, uncheck it.
  5. Check the Inherit box again to inherit permissions from the parent folder.
  6. Check the box to copy permissions to children objects. This will replace the permissions that were removed by the malware.
  7. Do not execute VSE until executing the procedures below, or it will be killed again.


Manual Remediation steps:
The malicious code is loaded by the patched system driver. In order to clean the system manually, it’s necessary to identify the malicious .SYS file and replace it with a good copy from installation media.
In order to identify which system driver was replaced, the user is going to need the following tool:



  1. First of all, the machine must be disconnected from the internet to avoid reinfection in case any other malware is downloading and installing ZeroAccess.
  2. Execute GMER, and disable the options as shown in the circle marked in RED below to avoid scanning the malware monitored file and process:

    GMER options

  3. Enable the option circled in BLUE to make GMER scan the system IRP hooks.
  4. Start the rootkit scan and wait for it to finish.
  5. If the system is infected, GMER will show the name of the patched .SYS file as shown in the YELLOW circle above. Take note of this name.
  6. Look at the following folder and search for a file with same name as noted above: %SYSTEMROOT%\ServicePackFiles\i386
  7. If there is a copy of the file in the folder above, copy it to the root of drive C:. It will be needed later.
  8. If the file is not present in the folder above, it will be necessary to copy the file from an installation media, or another machine with the same Windows version and language.
  9. Boot the infected machine with a clean boot media like BartPE or another boot CD.
  10. From the clean boot, copy the file stored in the root folder that was copied above, to the location of the patched system driver.
    ex: copy c:\mrxsmb.sys c:\windows\system32\drivers\mrxsmb.sys
  11. Reboot the system in safe mode and log in as the Administrator user.
  12. Execute the CSSCAN command line tool using the Beta DATs to remove any Trojan or infected file from the system:
    a. VSE 8.7: "C:\Program Files\McAfee\VirusScan Enterprise\csscan.exe" -All -Unzip -Program -Analyze -Sub -Clean -Log c:\scan-rpt.txt C:\

    b. VSE 8.8: “C:\Program Files\Common Files\McAfee\SystemCore\csscan.exe” -All -Unzip -Program -Analyze -Sub -Clean -Log c:\scan-rpt.txt C:\

    c.Other McAfee product users: Please use the following standalone tool Stinger
    In order to use the Stinger tool, please make sure the targets "Processes" and "Registry" are disabled and the interface "List of all files scanned" is enabled in the stinger before scanning the infected machine.

  13. Read more about using the Stinger tool here
  14. Reboot the system normally.
  15. Run GMER again to confirm that no malicious threads of patched files exist anymore.


Standalone Removal Tool Instructions:


Alternatively, McAfee is making available a standalone tool to detect and remove ZeroAccess rootkit from customer’s infected machines. The tool is available for download here

NOTE: McAfee has prepared this standalone tool to assist with the remediation of this threat. McAfee Quality Assurance team has minimally tested 0.60 version of this tool and McAfee makes no warranty that these files will be free from errors.


Extract the tool to a temporary folder. Run it by simply executing it from the command line. The following image shows what is expected in case the tool successfully detect and remove the malware:


ZeroAccess has been known to be accompanied by other malware. Therefore, as an option, customer may use the latest Beta DATs available here for the most up to date signatures. These may be used along with our command line scanner, csscan.exe as shown on the instructions above (Step 12 of Manual Cleaning instructions).

 

   

PC Infected? Get Expert Help

McAfee
Virus Removal Service

Connect to one of our Security Experts by phone. Have your PC fixed remotely - while you watch!

$89.95