
Virus Profile: ZeroAccess

Virus Profile information details
Risk Assessment: Home Low | Corporate Low
Date Discovered: 9/7/2011
Date Added: 9/7/2011
Origin: N/A
Length: varies
Type: Trojan
Subtype: Rootkit
DAT Required: 6462
Removal Instructions

Description

Rootkits are programs that can be used by any malware to hide, or stealth, files, processes, registry keys, and network connections. ZeroAccess.a is one such detection for this class of malicious programs. Unlike viruses, ZeroAccess does not self-replicate. It is spread manually, often under the premise that it is beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Aliases

  • F-Secure - Trojan.Clicker.NAE
  • Kaspersky - Trojan.Win32.Genome.adags
  • Microsoft - Trojan:Win32/Sirefef.J
  • NOD32 - Win32/Sirefef.DV

Indication of Infection

The symptoms of this detection are the files, registry entries, and network communication referenced in the Virus Characteristics section.

Methods of Infection

ZeroAccess is usually installed by a dropper component that may come to the machine from different sources. Recent variants have been observed to come together with Fake Antivirus software.

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, e-mail, etc.

   

Virus Characteristics

----- Updated on July-18-2012 -----

ZeroAccess is a family of rootkits capable of infecting the Windows operating system. There has been a major shift over the last few months in the way it infects the machine. Previously, ZeroAccess infected the kernel by rewriting system files with its kernel-mode component in order to run at elevated privilege when the system boots; this version has no kernel-mode component and operates entirely in user space.

ZeroAccess is usually installed on a system by a malicious executable. Once this dropper is executed, it will install the rootkit which will perform the actions described in this document.

Aliases

  • Microsoft - TrojanDropper:Win32/Sirefef.B
  • Kaspersky - Trojan-Dropper.Win32.ZAccess, Backdoor.Win32.ZAccess
  • Norman - W32/ZAccess.F, W32/Zbot.WTG
  • Symantec - Trojan.Zeroaccess
  • Sophos - Troj/ZAccess-F, Mal/Zbot-CX
  • F-Secure - Gen:Variant.Kazy.28752, Trojan.Generic.KD.348130

Upon execution it drops a DLL named "n" into the following locations:

  • %WINDIR%\Installer\<GUID>\n
  • %USERPROFILE%\Local Settings\Application Data\<GUID>\n

The DLL is then injected into svchost.exe and explorer.exe.

Upon execution the malware connects over UDP to the following IP addresses:

  • 212.178.[Removed].255
  • 105.136.[Removed].70
  • 186.122.[Removed].72
  • 72.145.[Removed].77
  • 37.143.[Removed].78
  • 196.46.[Removed].81
  • 95.158.[Removed].210
  • 163.121.[Removed].209
  • 201.83.[Removed].209
  • 46.230.[Removed].208
  • 77.254.[Removed].255
  • 213.222.[Removed].255
  • 176.237.[Removed].255
  • 32.300.[Removed].255
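The UDP traffic listed above is a peer-to-peer style pattern: a process that normally makes few direct network connections (explorer.exe, or an svchost.exe instance hosting the injected DLL) suddenly exchanges UDP datagrams with many distinct external hosts. The following detection logic is an added example, not McAfee's code; the log format, process names, ports and peer addresses are constructed (the peers use RFC 5737 documentation ranges, not the addresses above), and the threshold of five distinct peers is an assumption to tune per environment.

```python
"""Heuristic detection of peer-to-peer style UDP fan-out from a single process.

Added example for this profile, not McAfee's code. The log format, the
process names, the port and the peer addresses are constructed; the peers
use RFC 5737 documentation ranges instead of the addresses in the profile.
"""
from collections import defaultdict
import ipaddress

# Networks treated as internal (RFC 1918, loopback, link-local). Checked
# explicitly rather than via ipaddress.is_private, which would also classify
# the documentation ranges used in the sample as private.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

# Constructed sample: "<time> <process> <proto> <src>:<port> -> <dst>:<port>"
SAMPLE_LOG = """\
10:00:01 explorer.exe UDP 10.0.0.5:49152 -> 192.0.2.10:16464
10:00:01 explorer.exe UDP 10.0.0.5:49152 -> 192.0.2.11:16464
10:00:02 explorer.exe UDP 10.0.0.5:49152 -> 198.51.100.7:16464
10:00:02 explorer.exe UDP 10.0.0.5:49152 -> 198.51.100.8:16464
10:00:03 explorer.exe UDP 10.0.0.5:49152 -> 203.0.113.20:16464
10:00:03 explorer.exe UDP 10.0.0.5:49152 -> 203.0.113.21:16464
10:00:04 explorer.exe UDP 10.0.0.5:49152 -> 10.0.0.1:53
10:00:05 svchost.exe UDP 10.0.0.5:49153 -> 203.0.113.99:16464
10:00:06 chrome.exe TCP 10.0.0.5:50000 -> 203.0.113.50:443
10:00:07 chrome.exe TCP 10.0.0.5:50001 -> 198.51.100.50:443
"""


def parse_line(line):
    """Return (process, proto, dst_ip) for one log line, or None if malformed."""
    parts = line.split()
    if len(parts) != 6 or parts[4] != "->":
        return None
    dst_ip = parts[5].rsplit(":", 1)[0]
    try:
        ipaddress.ip_address(dst_ip)
    except ValueError:
        return None
    return parts[1], parts[2], dst_ip


def is_internal(ip):
    """True when the address falls inside one of INTERNAL_NETS."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def udp_peer_fanout(log_text):
    """Map each process to the set of distinct external UDP peers it contacted."""
    peers = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        process, proto, dst = rec
        if proto == "UDP" and not is_internal(dst):
            peers[process].add(dst)
    return peers


def flag_suspicious(log_text, threshold=5):
    """Return processes whose external UDP peer count reaches the threshold (assumed default 5)."""
    return sorted(p for p, s in udp_peer_fanout(log_text).items() if len(s) >= threshold)


if __name__ == "__main__":
    for proc, peers in udp_peer_fanout(SAMPLE_LOG).items():
        print(proc, len(peers), "external UDP peers")
    print("flagged:", flag_suspicious(SAMPLE_LOG))
```

Per-process peer counting is deliberately simple: DNS and other legitimate UDP traffic is excluded by the internal-network filter rather than by port, so a resolver outside the local network would need to be whitelisted separately.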

The following registry key is created on the system:

  • HKEY_CURRENT_USER\Software\Classes\clsid\<VALUE>: "%USERPROFILE%\Local Settings\Application Data\<GUID>\n."

The following registry value is modified on the system (the original data is listed first, followed by the modified data):

  • HKCR\CLSID\{GUID}\InprocServer32: %systemroot%\system32\wbem\wbemess.dll
  • HKCR\CLSID\{GUID}\InprocServer32: \\.\globalroot\systemroot\Installer\<GUID>\n.

This InprocServer32 redirection ensures that the malware's DLL is loaded instead of "wbemess.dll", which is part of Windows Management Instrumentation (WMI), a core Windows management component.

On Windows 7 and Vista it overwrites 704 bytes of the function "ScRegisterTCPEndpoint" in "services.exe" with malicious code.

[Image: the overwritten function in services.exe]

It stores the malicious content in the Extended Attributes (EA) of an NTFS record.

[Image: the NTFS Extended Attributes holding the malicious content]

When the infected “services.exe” is loaded, the malicious code reads the extended attributes where the actual malicious code resides.

[Image: the function that checks the hash of the EA and then loads it]

It also strips services.exe of its ASLR capability, which makes Windows load services.exe at the same address every time.

[Image: the patched services.exe with ASLR missing]
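The ASLR stripping described above is visible in the PE optional header: Windows only randomizes an image's base address when the IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE bit of the DllCharacteristics field is set. The following checker is an added example, not McAfee's code and not derived from any real services.exe; it parses just enough of the PE headers to read that field, and the images it is tested against are constructed header-only stubs.

```python
"""Check whether a PE image opts in to ASLR (IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE).

Added example, not from the profile or from McAfee. It parses just enough of
the PE headers to read DllCharacteristics; build_minimal_pe() produces
constructed header-only images for testing, not real services.exe files.
"""
import struct

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def dll_characteristics(image):
    """Return the DllCharacteristics field of a PE image, or raise ValueError."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20          # optional header follows the signature and the 20-byte COFF header
    if len(image) < opt + 72:
        raise ValueError("truncated optional header")
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 of the optional header in both PE32 and PE32+
    return struct.unpack_from("<H", image, opt + 70)[0]


def has_aslr(image):
    """True when the image asks the loader to randomize its base address."""
    return bool(dll_characteristics(image) & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)


def build_minimal_pe(dll_chars, magic=PE32_MAGIC):
    """Construct a header-only PE image with the given DllCharacteristics (test data only)."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 240, 0x0102)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 70, dll_chars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


def check_file(path):
    """Read a PE file from disk and report whether ASLR is enabled for it."""
    with open(path, "rb") as f:
        return has_aslr(f.read())


if __name__ == "__main__":
    print("stub with DYNAMIC_BASE:", has_aslr(build_minimal_pe(0x0140)))
    print("stub without DYNAMIC_BASE:", has_aslr(build_minimal_pe(0x0100)))
```

On a live Vista or 7 system, check_file(r"C:\Windows\System32\services.exe") is expected to return True; a False result there, or a binary that no longer matches a clean copy, corresponds to the indicator described above.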

----- Updated on June-08-2012 -----

This is a Trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Aliases

  • Norman - W32/ZAccess.BTW
  • NOD32 - a variant of Win32/Sirefef.EV
  • Kaspersky - HEUR:Trojan.Win32.Generic
  • Microsoft - Trojan: Win32/Sirefef.P

"ZeroAccess" is a detection for this Trojan, which uses an advanced rootkit to hide itself. It is often installed through drive-by-download attacks from malicious web sites.

"ZeroAccess" also creates an encrypted, hidden file system, downloads more malware, and opens a back door on the compromised machine.

When executed it tries to connect to the following URLs over remote port 80 to download other malicious files.

  • Pr[Removed]ng.com
  • Pr[Removed]ng.com/geo/txt/city.php

The Trojan creates the following files in the locations below:

  • %AppData%\{38bdd0e7-d58f-cb6a-8971-7f991d636ea7}\@
  • %AppData%\{38bdd0e7-d58f-cb6a-8971-7f991d636ea7}\n
  • %windir%\Installer\{38bdd0e7-d58f-cb6a-8971-7f991d636ea7}\@
  • %windir%\Installer\{38bdd0e7-d58f-cb6a-8971-7f991d636ea7}\n

It also adds the following directories to the system:

  • %AppData%\{38bdd0e7-d58f-cb6a-8971-7f991d636ea7}
  • %AppData%\{38bdd0e7-d58f-cb6a-8971-7f991d636ea7}\L
  • %AppData%\{38bdd0e7-d58f-cb6a-8971-7f991d636ea7}\U
  • %windir%\Installer\{38bdd0e7-d58f-cb6a-8971-7f991d636ea7}
  • %windir%\Installer\{38bdd0e7-d58f-cb6a-8971-7f991d636ea7}\L
  • %windir%\Installer\{38bdd0e7-d58f-cb6a-8971-7f991d636ea7}\U
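The file and directory layout above (a {GUID}-named directory holding the files "@" and "n" plus the subdirectories "L" and "U") is distinctive enough to look for directly. The following scanner is an added example, not McAfee's code; it builds a throwaway directory tree using the GUID quoted above so that it runs offline, and the benign installer directory it creates alongside is constructed filler.

```python
"""Look for the on-disk layout this profile describes: a {GUID}-named directory
holding the files '@' and 'n' and the subdirectories 'L' and 'U'.

Added example, not McAfee's code. build_sample_tree() creates a constructed
tree so the scan can run offline; on a real system, point scan() at %AppData%
and %windir%\\Installer instead.
"""
import os
import re
import tempfile

GUID_DIR = re.compile(
    r"^\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}$", re.I)
EXPECTED_FILES = {"@", "n"}
EXPECTED_DIRS = {"L", "U"}


def layout_indicators(path):
    """Return the set of indicator names present directly inside path."""
    found = set()
    for entry in os.scandir(path):
        if entry.is_file() and entry.name in EXPECTED_FILES:
            found.add(entry.name)
        elif entry.is_dir() and entry.name in EXPECTED_DIRS:
            found.add(entry.name)
    return found


def scan(root, minimum=2):
    """Return [(dir_relative_to_root, sorted_indicators)] for GUID-named directories
    showing at least `minimum` of the four indicators (assumed threshold)."""
    hits = []
    for dirpath, dirnames, _ in os.walk(root):
        for d in dirnames:
            if GUID_DIR.match(d):
                full = os.path.join(dirpath, d)
                found = layout_indicators(full)
                if len(found) >= minimum:
                    hits.append((os.path.relpath(full, root), sorted(found)))
    return sorted(hits)


def build_sample_tree(base):
    """Constructed sample: one infected-looking GUID directory (GUID taken from the
    profile) and one benign installer directory with a made-up GUID."""
    bad = os.path.join(base, "Installer", "{38bdd0e7-d58f-cb6a-8971-7f991d636ea7}")
    os.makedirs(os.path.join(bad, "L"))
    os.makedirs(os.path.join(bad, "U"))
    for name in ("@", "n"):
        with open(os.path.join(bad, name), "wb") as f:
            f.write(b"\0" * 16)
    benign = os.path.join(base, "Installer", "{11111111-2222-3333-4444-555555555555}")
    os.makedirs(benign)
    with open(os.path.join(benign, "setup.msi"), "wb") as f:
        f.write(b"\0" * 16)


def demo():
    """Build the constructed tree in a temporary directory, scan it, and return the hits."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan(tmp)


if __name__ == "__main__":
    for rel, found in demo():
        print(rel, found)
```

Matching on at least two of the four names rather than all four keeps the check useful when the rootkit has only partially unpacked, or when a removal attempt has deleted some of the files; legitimate Windows Installer directories under %windir%\Installer are GUID-named too, which is why the directory name alone is not treated as an indicator.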

The following registry keys have been added:

  • HKEY_USER\S-1-[varies]\Software\Classes\clsid
  • HKEY_USER\S-1-[varies]\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}
  • HKEY_USER\S-1-[varies]\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32
  • HKEY_USER\S-1-5-[varies]_Classes\clsid
  • HKEY_USER\S-1-5-[varies]_Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}
  • HKEY_USER\S-1-5-[varies]_Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32

The following registry values have been added:

  • HKEY_USER\S-1-[varies]\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32\ThreadingModel: "Both"
  • HKEY_USER\S-1-[varies]\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32\: "%AppData%\{38bdd0e7-d58f-cb6a-8971-7f991d636ea7}\n."
  • HKEY_USER\S-1-[varies]_Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32\ThreadingModel: "Both"
  • HKEY_USER\S-1-[varies]_Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32\: "%AppData%\{38bdd0e7-d58f-cb6a-8971-7f991d636ea7}\n.

The following registry values have been modified (the original data is listed first, followed by the modified data):

  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InprocServer32\: "%windir%\System32\wbem\wbemess.dll"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InprocServer32\: "\\.\globalroot\systemroot\Installer\{38bdd0e7-d58f-cb6a-8971-7f991d636ea7}\n."
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\
    "LibraryPath" = "%SystemRoot%\System32\mswsock.dll"
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\
    "LibraryPath" = "mswsock.dll"
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\
    "LibraryPath" = "%SystemRoot%\System32\mswsock.dll"
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\
    "LibraryPath" = "mswsock.dll"
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001\PackedCatalogItem: [Binary Data]
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001\PackedCatalogItem: 6D 73 77 73 6F
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002\PackedCatalogItem: 6D 73 77 7
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003\PackedCatalogItem: 6D 73 77 73 6F 63 6B 2E 64 6C 6C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004\PackedCatalogItem: 6D 73 77 73 6F 63 6B 2E 64 6C 6C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005\PackedCatalogItem: 6D 73 77 73 6F 63 6B 2E 64 6C 6C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

The Trojan also deletes the following registry keys:

  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Security
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Security
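The registry changes in the July-18 and June-08 entries above (the CLSID InprocServer32 redirection to a \\.\globalroot or profile path, the Winsock catalog LibraryPath rewrite, and the deleted SharedAccess keys) can be checked offline against a .reg export. The following scanner is an added example, not McAfee's code; the export text is constructed, reusing only the GUIDs and paths quoted in this profile, and the benign CLSID entry, ole32.dll, winrnr.dll and the Num_Catalog_Entries value are assumed filler.

```python
"""Scan a .reg export for the registry indicators listed in this profile.

Added example, not McAfee's code. SAMPLE_REG is constructed: the GUIDs and
malicious paths are the ones quoted in the profile; the clean CLSID, the
ole32.dll / winrnr.dll entries and the Num_Catalog_Entries value are filler.
"""
import re

SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InprocServer32]
@="\\\\.\\globalroot\\systemroot\\Installer\\{38bdd0e7-d58f-cb6a-8971-7f991d636ea7}\\n."
"ThreadingModel"="Both"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000000-0000-0000-0000-000000000001}\InprocServer32]
@="%SystemRoot%\\System32\\ole32.dll"
"ThreadingModel"="Both"

[HKEY_USERS\S-1-5-21-1111\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32]
@="%AppData%\\{38bdd0e7-d58f-cb6a-8971-7f991d636ea7}\\n."

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5]
"Num_Catalog_Entries"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001]
"LibraryPath"="mswsock.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002]
"LibraryPath"="%SystemRoot%\\System32\\winrnr.dll"
'''

# Path fragments taken from the profile's modified / added InprocServer32 values.
PATH_INDICATORS = ("\\\\.\\globalroot", "\\installer\\{", "\\application data\\{", "%appdata%\\{")

# Keys the profile reports as deleted; both control-set spellings are checked.
SHAREDACCESS_KEYS = (
    r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess",
)


def unescape(s):
    """Undo .reg escaping: every backslash-escaped character becomes that character."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Yield (key, value_name, data). Keys are yielded once with (None, None) so that
    key presence can be checked; '@' names the default value; non-string data
    (dword:, hex:) is kept verbatim."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            yield key, None, None
            continue
        m = re.match(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$', line)
        if not m or key is None:
            continue
        name = "@" if m.group(1) == "@" else unescape(m.group(1)[1:-1])
        data = m.group(2)
        if data.startswith('"') and data.endswith('"'):
            data = unescape(data[1:-1])
        yield key, name, data


def suspicious_inproc_servers(entries):
    """InprocServer32 default values pointing at the profile's suspicious locations."""
    return [(k, d) for k, n, d in entries
            if n == "@" and k.lower().endswith("\\inprocserver32")
            and any(ind in d.lower() for ind in PATH_INDICATORS)]


def winsock_bare_library_paths(entries):
    """Winsock catalog LibraryPath values rewritten from a full System32 path to a bare file name."""
    return [(k, d) for k, n, d in entries
            if n == "LibraryPath" and "\\winsock2\\parameters\\" in k.lower() and "\\" not in d]


def missing_sharedaccess(entries):
    """SharedAccess service keys that are absent from the export."""
    present = {k.lower() for k, _, _ in entries}
    return [k for k in SHAREDACCESS_KEYS if k.lower() not in present]


def scan(text):
    entries = list(parse_reg(text))
    return {"inproc_hijacks": suspicious_inproc_servers(entries),
            "winsock_bare_paths": winsock_bare_library_paths(entries),
            "missing_keys": missing_sharedaccess(entries)}


if __name__ == "__main__":
    for section, items in scan(SAMPLE_REG).items():
        print(section, items)
```

Exporting the live hives with reg.exe export and running scan() over the result avoids touching the registry through the COM and WMI paths the rootkit hooks; the absence check only makes sense on a full export of the SYSTEM hive, since a partial export would report the SharedAccess keys as missing regardless.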

----- Updated on Jan-30-2012 -----

"ZeroAccess" is a family of rootkits capable of infecting the Windows operating system. On infection, it overwrites Windows system files and installs kernel hooks in an attempt to remain stealthy. Once the hooks are installed, the target operating system falls under the control of the rootkit, which is then able to hide processes, files, and network connections, as well as to kill any security tools trying to access its files or processes. This rootkit is known to infect both 32- and 64-bit Windows operating systems.

The ZeroAccess Trojan patches system files to load its malicious code. The original file content is overwritten, but the original system file is kept inside an encrypted virtual file system the rootkit creates. The virtual file system is stored in an unsuspecting file on disk.

ZeroAccess is usually installed on a system by a malicious executable. Once this dropper is executed, it will install the rootkit, which will perform the actions described below.

The ZeroAccess Trojan alters an infected user's Internet experience by modifying search results and generating pay-per-click advertising revenue for the owner of the website.

The Trojan connects to the sites listed below:

  • hxxp://removed[.fling.com/geo/txt/city.php
  • hxxp://prom[Removed]ing.com/geo/txt/city.php

Note: %WinDir% refers to C:\Windows.

------

A complete description of this malicious family can be found on the VIL page for ZeroAccess.a.


All Users:

Please use the following instructions for all supported versions of Windows to remove threats and other potential risks:

1. Disable System Restore.

2. Update to the current engine and DAT files for detection and removal.

3. Run a complete system scan.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed when cleaning with the recommended engine and DAT combination (or higher).

1. Go to the Microsoft Recovery Console and restore a clean MBR.

On Windows XP:

Insert the Windows XP CD into the CD-ROM drive and restart the computer.
When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
Select the Windows installation that is compromised and provide the administrator password.
Issue the 'fixmbr' command to restore the Master Boot Record.
Follow the onscreen instructions.
Reset the computer and remove the CD from the CD-ROM drive.

On Windows Vista and 7:

Insert the Windows CD into the CD-ROM drive and restart the computer.
Click on "Repair Your Computer".
When the System Recovery Options dialog comes up, choose the Command Prompt.
Issue the 'bootrec /fixmbr' command to restore the Master Boot Record.
Follow the onscreen instructions.
Reset the computer and remove the CD from the CD-ROM drive.