Virus Characteristics
-----------------------Updated on 19 Mar 2013-----------------------------------------------
Aliases
Kaspersky - Backdoor.Win32.ZAccess.bnqz
Microsoft - TrojanDropper:Win32/Sirefef.gen!C
NOD32 - Win32/Sirefef.EV
Fortinet - W32/ZAccess.BNQZ!tr.bdr
Characteristics –
ZeroAccess.HR is the detection name for a rootkit family that hides itself on the compromised system. It is often installed through drive-by-download attacks from malicious web sites. The Trojan downloads other malicious files and is capable of taking part in Denial of Service (DoS) or Distributed DoS (DDoS) attacks. It also communicates over port 16464.
ZeroAccess.HR disables the Windows Firewall, the proxy configuration and the Windows Security Center service.
Upon execution it attempts to connect to the following URLs and hosts:
- https://50.[Removed].70/app/geoip.js
- https://173.[Removed].122/click?i=6CQGQ5vc7WU_0
- https://208.[Removed].230/search/roller+banner+stands?src=509208fc824ac9c060000006&tsid=4310
- https://208.[Removed].230/search/twilight+engagement+ring?uuid=5146f8fab33852e84e000004
- https://208.[Removed].230/img/spinner.gif?1355468941
- https://208.[Removed].101/a/2?kw=twilight+engagement+ring
- https://74.[Removed].100/sync/img?mt_exid=10017&redir=http%3A%2F%2Fxref.io%2Fb%2F2%2F%5BMM_UUID%5D
- https://74.[Removed].100/sync/img?mt_exid=10017&redir=http%3A%2F%2Fxref.io%2Fb%2F2%2F%5BMM_UUID%5D&mm_bnc
- https://208.[Removed].101/b/2/12c45146-f8fb-4d00-b8da-65fe1dc84c8d
- https://208.[Removed].230/search/twilight+engagement+ring?uuid=5146f8fbb33852604e000009
- https://208.[Removed].230/c:OtfuHsy9_5Gi9qooE3spxq7aeMHvvynm4eJWKpa9hWa9xIF4xR1OP3MY3TrHO9A9z687rSgPuw-mTF6LLbOiu91vjO04Gf3x
- https://208.[Removed].140/_029bcf7818d6b0633884b03e0a831ce85146f8f86ed2e5.5462306401
- https://69.[Removed].34/campaign/landing.php?campaign_id=398450606895063&keyword=engagement+ring&placement=p&creative=1683214657&extra_1=6061029a-8bab-ac89-d2f5-00003a2789f1&partner_id=msnsem&extra_2=matchtype%3Dp
- j.m[Removed]d.com
- 50.[Removed].70
- 10009.j[Removed]tion.com
- 199.115.[Removed].198
- xml.plu[Removed]d.net
- 173.239.[Removed].122
- re[Removed]rn.com
- 208.96.[Removed].230
- x[Removed]f.io
- 208.113.[Removed].101
- sync.m[Removed]tag.com
- c.vi[Removed]ij.com
- 208.113.[Removed].140
- 1167.xg[Removed]n.com
- fbstatic-a.[Removed]aihd.net
- fbcdn-dragon-a.[Removed]maihd.net
- fbexternal-a.[Removed]maihd.net
The following folder is created on the system:
- %SYSTEMDRIVE%\RECYCLER\S-1-5-18
The following registry keys are added to the system:
- HKEY_USERS\S-1-5-[Varies]\Software\Classes\CLSID\{GUID}
- HKEY_USERS\S-1-5-[Varies]\Software\Classes\CLSID\{GUID}\InprocServer32
- HKEY_USERS\S-1-5-[Varies]_Classes\CLSID\{GUID}
- HKEY_USERS\S-1-5-[Varies]_Classes\CLSID\{GUID}\InprocServer32
The following registry values have been added to the system.
- HKEY_USERS\S-1-5-[Varies]\Software\Classes\CLSID\{GUID}\InprocServer32\ThreadingModel: "Both"
- HKEY_USERS\S-1-5-21-[Varies]\Software\Classes\CLSID\{GUID}\InprocServer32\: "%SYSTEMDRIVE%\RECYCLER\S-1-5-21-[Varies]\$698a2431bf10457d451afdf8d202d9b0\n."
- HKEY_USERS\S-1-5-[Varies]_Classes\CLSID\{GUID}\InprocServer32\ThreadingModel: "Both"
- HKEY_USERS\S-1-5-21-[Varies]_Classes\CLSID\{GUID}\InprocServer32\: "%SYSTEMDRIVE%\RECYCLER\S-1-5-21-[Removed]\$698a2431bf10457d451afdf8d202d9b0\n."
The default value of an InprocServer32 key names the DLL that COM loads for that CLSID. By registering the CLSID under the user hives (which are consulted before HKEY_LOCAL_MACHINE\SOFTWARE\Classes) and pointing it at the dropped file "n", the rootkit ensures that its DLL is loaded whenever the class is instantiated, which happens at every reboot.
The following registry value is modified on the system (original value, then the new value):
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{GUID}\InprocServer32\: "%WINDIR%\system32\wbem\fastprox.dll"
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{GUID}\InprocServer32\: "%SYSTEMDRIVE%\RECYCLER\S-1-5-18\$8799278523af799c26e02500d72b61fb\n."
The machine-wide InprocServer32 value for this CLSID is changed from %WINDIR%\system32\wbem\fastprox.dll (a WMI component DLL) to the dropped file "n", so the rootkit DLL is loaded in place of the legitimate one whenever the class is instantiated, including at system boot.
The following registry keys are deleted from the system in order to disable the Windows Firewall and the Security Center:
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SHAREDACCESS
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SHAREDACCESS\0000
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SHAREDACCESS\0000\Control
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WSCSVC
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WSCSVC\0000
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WSCSVC\0000\Control
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Setup
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Setup\InterfacesUnfirewalledAtUpdate
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Enum
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\Parameters
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\Security
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\Enum
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-----------------------Updated on 22 Feb 2013-----------------------------------------------
Aliases
Microsoft - Trojan:Win32/Sirefef.P
Nod32 - Win32/Kryptik.ATZC trojan (variant)
Norman - ZAccess.WLV
Fortinet - W32/ZAccess.BDGJ!tr.bdr
Ikarus - Trojan.Zeroaccess
ZeroAccess.HR is the detection name for a rootkit family that hides itself on the compromised system. It is often installed through drive-by-download attacks from malicious web sites. The Trojan downloads other malicious files and is capable of taking part in Denial of Service (DoS) or Distributed DoS (DDoS) attacks. It also communicates over port 16464.
ZeroAccess.HR disables the Windows Firewall, the proxy configuration and the Windows Security Center service.
Upon execution it attempts to connect to the following URLs and hosts:
hxxp://50.[Removed].196.70/app/geoip.js
hxxp://67.[Removed].62.48/iframe?p=5861&c=31373&sc=136527315
hxxp://216.[Removed].166.114/data/?p=7f7fa3c97f9d46efa6525302bb50109a&cm=7&subid=31373_136527315
hxxp://67.[Removed].62.48/iframe?js=1
hxxp://68.[Removed].44.42/v50/AL/BCLDDOMReady5.js
hxxp://68.[Removed].44.42/v50/AC/BCAC5.js
hxxp://216.[Removed].166.113/dot.gif?d=4B8D-3679-CE36-7801-9E46-09F0-F463-9353&pc=&rand=4ad4f5eb-9d22-486f-b174-f49ec27e7464&fn=&ln=&Addr1=&Addr2=&city=&region=&email=&z=
hxxp://67.[Removed].62.48/redir2?cid=3000353541&fH=557&fW=1335&bX=3&bY=29&sX=1362&sY=590&if=1&frm=0&aj=1
hxxp://64.[Removed].28.146/fly?q=free+online+tax+services&enk=JpmGqeahj5GG4ybjJpnGuUbjJpnGiaaRxoEniY+Jj4k=
hxxp://95.[Removed].206.229/?AID=217465&MID=333137&PID=9410&CID=3719411&WID=35969&UID=13672&UID2=RON
hxxp://95.[Removed].206.229/DetectFlash.js
hxxp://115.[Removed].0.30/hotels?ts_code=846a8&utm_source=omg-in&utm_medium=affiliate&utm_campaign=OMG_Affiliate&utm_content=banner
hxxp://115.[Removed].0.30/assets/homepage-aef08bc16765a7fecd4fcc4c6661f2e6.css
hxxp://115.[Removed].0.30/assets/new-theme-8d86bc4bcfa390b89b1e2583a575a154.css
hxxp://74.[Removed].128.95/css?family=Open+Sans:300,400,700,600
hxxp://115.112.0.30/assets/homepage-df27ed068b4803a4bfc604106312786e.js
hxxp://115.112.3.5/JS/socialize.js?apikey=3_28ZV1cosfIGVPrNpMFGnaUkj5PFsluFdIpeRsn30WNkT0J_YwNJJL8k1xik3eFQx
hxxp://115.[Removed].0.30/assets/countrysite/wego/gigya-a0142d4ca7ffc2d2c6883e14abc2a7ea.js
hxxp://54.[Removed].168.2/js/ga/gawego.js
hxxp://74.[Removed].236.100/analytics.js
hxxp://74.[Removed].135.154/dc.js
hxxp://74.[Removed].236.122/gampad/google_service.js
hxxp://175.[Removed].9.68/WRd.js
hxxp://74.[Removed].236.100/plugins/ga/inpage_linkid.js
hxxp://74.[Removed].236.122/gampad/google_ads.js
hxxp://216.[Removed].166.114/data/Complete.aspx
1.[Removed].185.223
1.[Removed].171.76
10.[Removed].173.1
100.[Removed].74
100.[Removed].66
106.[Removed].151
108.[Removed].123
109.[Removed].2
110.[Removed].75
113.[Removed].117
113.[Removed].216
114.[Removed].216
114.[Removed].188
115.[Removed].2
120.[Removed].182
122.[Removed].74
123.[Removed].97
13.[Removed].199
130.[Removed].151
131.[Removed].93
131.[Removed].188
131.[Removed].114
134.[Removed].37
135.[Removed].58
13672.my[Removed]ind.com
14.[Removed].68
14.[Removed].174
143.[Removed].174
143.[Removed].216
145.[Removed].95
146.[Removed].64
149.[Removed].14
154.[Removed].74
155.[Removed].186
155.[Removed].14
155.[Removed].117
16.[Removed].24
164.[Removed].24
166.[Removed].139
17.[Removed].1
181.[Removed].31
186.[Removed].24
188.[Removed].81
19.[Removed].80
196.[Removed].14
199.[Removed].13
2.[Removed].54
2.[Removed].202
202.[Removed].66
203.[Removed].88
203.[Removed].74
204.[Removed].116
205.[Removed].181
205.[Removed].24
206.[Removed].187
206.[Removed].173
206.[Removed].116
209.[Removed].49
21.[Removed].58
210.[Removed].117
210.[Removed].70
210.[Removed].177
211.[Removed].149
211.[Removed].186
211.[Removed].82
211.[Removed].82
212.[Removed].46
212.[Removed].59
214.[Removed].98
214.[Removed].70
215.[Removed].201
215.[Removed].79
215.[Removed].115
216.[Removed].113
216.[Removed].114
216.[Removed].143
216.[Removed].46
216.[Removed].190
219.[Removed].118
219.[Removed].24
219.[Removed].60
219.[Removed].75
22.[Removed].96
220.[Removed].114
221.[Removed].69
221.[Removed].69
221.[Removed].74
222.[Removed].186
222.[Removed].212
222.[Removed].151
224.[Removed].37
224.[Removed].68
225.[Removed].95
225.[Removed].65
227.[Removed].201
227.[Removed].84
227.[Removed].177
228.[Removed].111
228.[Removed].188
228.[Removed].213
229.[Removed].95
230.[Removed].98
232.[Removed].184
234.[Removed].82
234.[Removed].66
234.[Removed].87
235.[Removed].99
237.[Removed].78
239.[Removed].88
240.[Removed].190
240.[Removed].119
240.[Removed].24
240.[Removed].117
240.[Removed].202
241.[Removed].49
242.[Removed].128
242.[Removed].59
242.[Removed].1
242.[Removed].68
243.[Removed].114
243.[Removed].37
243.[Removed].27
244.[Removed].24
244.[Removed].173
245.[Removed].50
245.[Removed].75
245.[Removed].5
246.[Removed].117
247.[Removed].24
248.[Removed].173
248.[Removed].98
249.[Removed].217
249.[Removed].190
25.[Removed].91
25.[Removed].98
250.[Removed].126
250.[Removed].124
250.[Removed].217
250.[Removed].239
252.[Removed].180
252.[Removed].1
252.[Removed].75
252.[Removed].117
252.[Removed].87
253.[Removed].69
253.[Removed].65
253.[Removed].95
253.[Removed].188
253.[Removed].85
253.[Removed].123
253.[Removed].66
254.[Removed].173
254.[Removed].190
254.[Removed].116
254.[Removed].24
254.[Removed].76
254.[Removed].71
254.[Removed].115
254.[Removed].117
254.[Removed].119
254.[Removed].134
254.[Removed].135
254.[Removed].166
254.[Removed].180
254.[Removed].182
254.[Removed].184
254.[Removed].190
254.[Removed].206
254.[Removed].222
254.[Removed].69
254.[Removed].71
254.[Removed].87
254.[Removed].88
254.[Removed].92
254.[Removed].192
255.[Removed].255
3.[Removed].194
3.[Removed].194
30.[Removed].115
31373.[Removed].adsimilate.com
32.[Removed].68
33.[Removed].75
33.[Removed].106
33.[Removed].85
34.[Removed].67
36.[Removed].82
42.[Removed].68
48.[Removed].67
5.[Removed].115
50.[Removed].70
57.[Removed].71
57.[Removed].116
58.[Removed].216
5803.m[Removed]tr3.com
59.[Removed].67
6.[Removed].84
6.[Removed].76
60.[Removed].14
64.[Removed].50
64.[Removed].146
64.[Removed].117
67.[Removed].48
68.[Removed].36
68.[Removed].175
7.[Removed].75
70.[Removed].50
74.[Removed].24
74.[Removed].114
74.[Removed].118
74.[Removed].54.69
76.[Removed].91.84
78.[Removed].158.78
79.[Removed].225.92
8.[Removed].236.24
8.[Removed].8.8
8.[Removed].79.106
81.[Removed].227.78
82.[Removed].88.203
86.[Removed].232.118
88.[Removed].20.184
9.[Removed].176.114
95.[Removed].125.74
95.[Removed].206.229
ad.yiel[Removed]ager.com
bcpd.x7[Removed]365.com
cdn.g[Removed]ya.com
ck.ads.af[Removed]ity.com
clients.bl[Removed]ava.com
ds.blu[Removed]ava.com
fonts.go[Removed]pis.com
j.m[Removed]ind.com
s.c[Removed]ale.net
stats.g.do[Removed]lick.net
track.in.o[Removed]m.com
www.me[Removed]wego.com
www.we[Removed]o.co.in
Upon execution it drops files into the following locations:
%SYSTEMDRIVE%\RECYCLER\S-1-5-21[Varies]\$8799278523af799c26e02500d72b61fb\@
%SYSTEMDRIVE%\RECYCLER\S-1-5-21[Varies]\$8799278523af799c26e02500d72b61fb\n
%SYSTEMDRIVE%\RECYCLER\S-1-5-18\$8799278523af799c26e02500d72b61fb\@
%SYSTEMDRIVE%\RECYCLER\S-1-5-18\$8799278523af799c26e02500d72b61fb\n
The following registry values are added to the system:
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable: 0x00000000
Setting ProxyEnable to 0 under the SYSTEM hive (S-1-5-18) turns off the proxy configuration for code running as LocalSystem, which confirms that the rootkit disables the proxy setting.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NPF\0000\Capabilities: 0x00000000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VMDEBUG\0000\Capabilities: 0x00000000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VMMEMCTL\0000\Capabilities: 0x00000000
(LEGACY_NPF, LEGACY_VMDEBUG and LEGACY_VMMEMCTL are the legacy service entries of the WinPcap packet-capture driver and of VMware guest drivers present in the analysis environment; treat them as sandbox artifacts rather than as indicators of the rootkit.)
HKU\S-1-5-21[Varies]\Software\Classes\clsid\{GUID}\InprocServer32\ThreadingModel: "Both"
HKU\S-1-5-21[Varies]\Software\Classes\clsid\{GUID}\InprocServer32\: "%SYSTEMDRIVE%\RECYCLER\S-1-5-21[Varies]\$8799278523af799c26e02500d72b61fb\n."
HKU\S-1-5-21[Varies]_Classes\clsid\{GUID}\InprocServer32\ThreadingModel: "Both"
HKU\S-1-5-21[Varies]_Classes\clsid\{GUID}\InprocServer32\: "%SYSTEMDRIVE%\RECYCLER\S-1-5-21[Varies]\$8799278523af799c26e02500d72b61fb\n."
The default value of an InprocServer32 key names the DLL that COM loads for that CLSID. Registering the CLSID under the user hives (which are consulted before HKEY_LOCAL_MACHINE\SOFTWARE\Classes) with a path to the dropped file "n" ensures that the rootkit DLL is loaded whenever the class is instantiated, which happens at every reboot.
The following registry value is modified on the system (original value, then the new value):
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32\: "%WINDIR%\system32\wbem\fastprox.dll"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32\: "%SYSTEMDRIVE%\RECYCLER\S-1-5-18\$8799278523af799c26e02500d72b61fb\n."
The machine-wide InprocServer32 value for CLSID {5839FCA9-774D-42A1-ACDA-D6A79037F57F} is changed from %WINDIR%\system32\wbem\fastprox.dll (a WMI component DLL) to the dropped file "n", so the rootkit DLL is loaded in place of the legitimate one whenever the class is instantiated, including at system boot.
The following registry keys and values are deleted from the system:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Defender
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\WDM\%SYSTEMDRIVE%\WINDOWS\system32\DRIVERS\ipnat.sys[IPNATMofResource]: "LowDateTime:279289344,HighDateTime:29924911***Binary mof compiled successfully"
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SHAREDACCESS\0000\Control\ActiveService: "SharedAccess"
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SHAREDACCESS\0000\
  - Service: "SharedAccess"
  - Legacy: 0x00000001
  - ConfigFlags: 0x00000020
  - Class: "LegacyDriver"
  - ClassGUID: "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
  - DeviceDesc: "Windows Firewall/Internet Connection Sharing (ICS)"
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SHAREDACCESS\NextInstance: 0x00000001
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WSCSVC\0000\Control\ActiveService: "wscsvc"
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WSCSVC\0000\
  - Service: "wscsvc"
  - Legacy: 0x00000001
  - ConfigFlags: 0x00000020
  - Class: "LegacyDriver"
  - ClassGUID: "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
  - DeviceDesc: "Security Center"
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WSCSVC\NextInstance: 0x00000001
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\
  - DependOnGroup: 00
  - DependOnService: 'Netman WinMgmt'
  - Description: "Provides network address translation, addressing, name resolution and/or intrusion prevention services for a home or small office network."
  - DisplayName: "Windows Firewall/Internet Connection Sharing (ICS)"
  - ErrorControl: 0x00000001
  - ImagePath: "%SystemRoot%\system32\svchost.exe -k netsvcs"
  - ObjectName: "LocalSystem"
  - Start: 0x00000002
  - Type: 0x00000020
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch\Epoch: 0x00000011
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\%windir%\Network Diagnostic\xpnetdiag.exe: "%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\%windir%\system32\sessmgr.exe: "%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%windir%\Network Diagnostic\xpnetdiag.exe: "%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%windir%\system32\sessmgr.exe: "%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\ServiceDll: "%SystemRoot%\System32\ipnathlp.dll"
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Setup\InterfacesUnfirewalledAtUpdate\All: 0x00000001
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Setup\ServiceUpgrade: 0x00000001
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Enum\
  - 0: "Root\LEGACY_SHAREDACCESS\0000"
  - Count: 0x00000001
  - NextInstance: 0x00000001
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\Enum\
  - 0: "Root\LEGACY_WSCSVC\0000"
  - Count: 0x00000001
  - NextInstance: 0x00000001
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\Security\Security: [Binary data]
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\Parameters\ServiceDll: "%SYSTEMROOT%\system32\wscsvc.dll"
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\
  - Type: 0x00000020
  - Start: 0x00000002
  - ErrorControl: 0x00000001
  - ImagePath: "%SystemRoot%\System32\svchost.exe -k netsvcs"
  - DisplayName: "Security Center"
  - DependOnService: 'RpcSs winmgmt'
  - ObjectName: "LocalSystem"
  - Description: "Monitors system security settings and configurations."
These deletions remove the service registrations and the firewall policy of the Windows Firewall/Internet Connection Sharing (SharedAccess) and Security Center (wscsvc) services, which confirms that the rootkit disables the firewall and the Security Center.
----------------------Updated on February 15, 2013----------------------------------------
Aliases :
- Microsoft - Trojan:Win32/Sirefef.BC
- Nod32 - Win32/Kryptik.ASXG (variant)
- Norman - ZAccess.ABNS
- Ikarus - Trojan.Win32.Sirefef
- BitDefender - Gen:Variant.Barys.11289
ZeroAccess.HR is installed on a system by a malicious executable (the dropper). Once the dropper is executed, it installs the rootkit, which performs the actions described in this document.
Upon execution it tries to connect the following IP address:
Upon execution it drops files into the following location:
- %SYSTEMDRIVE%\RECYCLER\S-1-5-21-[Varies]\$698a2431bf10457d451afdf8d202d9b0\@
- %SYSTEMDRIVE%\RECYCLER\S-1-5-21-[Varies]\$698a2431bf10457d451afdf8d202d9b0\n
- %SYSTEMDRIVE%\RECYCLER\S-1-5-18\$698a2431bf10457d451afdf8d202d9b0\@
- %SYSTEMDRIVE%\RECYCLER\S-1-5-18\$698a2431bf10457d451afdf8d202d9b0\n
The following registry keys are added to the system:
- HKEY_USERS\S-1-5-[Varies]\Software\Classes\clsid
- HKEY_USERS\S-1-5-[Varies]\Software\Classes\clsid\{GUID}
- HKEY_USERS\S-1-5-[Varies]\Software\Classes\clsid\{GUID}\InprocServer32
- HKEY_USERS\S-1-5-[Varies]_Classes\clsid
- HKEY_USERS\S-1-5-[Varies]_Classes\clsid\{GUID}
- HKEY_USERS\S-1-5-[Varies]_Classes\clsid\{GUID}\InprocServer32
The following registry values are added to the system:
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\DeleteFlag: 0x00000001
- HKEY_USERS\S-1-5-[Varies]\Software\Classes\clsid\{GUID}\InprocServer32\ThreadingModel: "Both"
- HKEY_USERS\S-1-5-[Varies]\Software\Classes\clsid\{GUID}\InprocServer32\:"%SYSTEMDRIVE%\RECYCLER\S-1-5-[Varies]\$698a2431bf10457d451afdf8d202d9b0\n."
- HKEY_USERS\S-1-5-[Varies]_Classes\clsid\{GUID}\InprocServer32\ThreadingModel: "Both"
- HKEY_USERS\S-1-5-[Varies]_Classes\clsid\{GUID}\InprocServer32\: "%SYSTEMDRIVE%\RECYCLER\S-1-5-[Varies]\$698a2431bf10457d451afdf8d202d9b0\n."
These per-user CLSID registrations take precedence over HKEY_LOCAL_MACHINE\SOFTWARE\Classes and point InprocServer32 at the dropped file "n", so the rootkit DLL is loaded whenever the class is instantiated, which happens at every reboot.
The following registry values are modified on the system (original value, then the new value):
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32\: "%WINDIR%\system32\wbem\fastprox.dll"
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32\: "%SYSTEMDRIVE%\RECYCLER\S-1-5-18\$698a2431bf10457d451afdf8d202d9b0\n."
The machine-wide InprocServer32 value for this CLSID is changed from %WINDIR%\system32\wbem\fastprox.dll (a WMI component DLL) to the dropped file "n", so the rootkit DLL is loaded in place of the legitimate one whenever the class is instantiated, including at system boot.
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\ErrorControl: 0x00000001
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\ErrorControl: 0x00000000
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Start: 0x00000002
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Start: 0x00000004
Start is changed from 0x2 (automatic start) to 0x4 (disabled) and ErrorControl from 0x1 (normal) to 0x0 (ignore), which confirms that the rootkit disables the SharedAccess service (Windows Firewall/Internet Connection Sharing); the DeleteFlag value added above additionally marks the service for deletion by the Service Control Manager.
The following registry keys are deleted from the system:
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SHAREDACCESS
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SHAREDACCESS\0000
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SHAREDACCESS\0000\Control
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WSCSVC
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WSCSVC\0000
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WSCSVC\0000\Control
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
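The script below is an added example, not part of the original description, that turns the indicators in the three updates above (the hijacked CLSID InprocServer32 values under HKEY_USERS and HKEY_LOCAL_MACHINE, the "n" and "@" files under RECYCLER, the SharedAccess and wscsvc service changes, and port 16464) into a host triage check. It assumes the CLSID {5839FCA9-774D-42A1-ACDA-D6A79037F57F} and the drop-directory layout given on this page; checking $Recycle.Bin alongside RECYCLER and matching any 32-hex-character directory name rather than the two specific names listed are our own generalisations.

```powershell
# Added example (not the original page's or vendor's code): triage of a host for
# the ZeroAccess.HR indicators described above. Run from an elevated PowerShell
# (2.0 or later) prompt.
# Assumptions: hijacked CLSID and clean DLL name as on the page; drop directory
# <recycle folder>\<SID>\$<32 hex chars>\ holding files "n" and "@"; port 16464
# (the page gives no protocol, so netstat output for TCP and UDP is checked).

$Clsid    = '{5839FCA9-774D-42A1-ACDA-D6A79037F57F}'
$CleanDll = 'fastprox.dll'
$Findings = New-Object System.Collections.ArrayList

function Add-Finding([string]$Category, [string]$Detail) {
    [void]$Findings.Add((New-Object PSObject -Property @{ Category = $Category; Detail = $Detail }))
}

if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}

# 1. COM hijack. Per-user class registrations (HKU\<SID>\Software\Classes and the
#    mounted HKU\<SID>_Classes hive) are consulted before HKLM\SOFTWARE\Classes,
#    so any per-user entry for this machine-wide WMI class is suspicious on its
#    own; the HKLM entry is suspicious once it no longer names fastprox.dll.
$classRoots = @('HKLM:\SOFTWARE\Classes')
foreach ($hive in Get-ChildItem 'HKU:\') {
    $name = $hive.PSChildName
    if ($name -like '*_Classes') { $classRoots += "HKU:\$name" }
    else                          { $classRoots += "HKU:\$name\Software\Classes" }
}
foreach ($root in $classRoots) {
    $key = "$root\CLSID\$Clsid\InprocServer32"
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $dll = (Get-ItemProperty -LiteralPath $key).'(default)'
    $machineWide = $root -like 'HKLM:*'
    if (-not $machineWide -or ($dll -notlike "*\wbem\$CleanDll")) {
        Add-Finding 'COM hijack' "$key -> $dll"
    }
}

# 2. Dropped files "n" and "@" inside a $<32 hex> directory under a per-SID
#    recycle folder (RECYCLER on XP as listed on the page; $Recycle.Bin is our
#    assumption for later Windows versions).
foreach ($bin in @("$env:SystemDrive\RECYCLER", "$env:SystemDrive\`$Recycle.Bin")) {
    if (-not (Test-Path -LiteralPath $bin)) { continue }
    foreach ($sidDir in Get-ChildItem -LiteralPath $bin -Force -ErrorAction SilentlyContinue) {
        if (-not $sidDir.PSIsContainer) { continue }
        foreach ($drop in Get-ChildItem -LiteralPath $sidDir.FullName -Force -ErrorAction SilentlyContinue) {
            if (-not ($drop.PSIsContainer -and $drop.Name -match '^\$[0-9a-f]{32}$')) { continue }
            foreach ($f in 'n', '@') {
                $p = Join-Path $drop.FullName $f
                if (Test-Path -LiteralPath $p) { Add-Finding 'Dropped file' $p }
            }
        }
    }
}

# 3. Windows Firewall/ICS (SharedAccess) and Security Center (wscsvc): the page
#    shows their Enum\Root\LEGACY_* and Services\*\Parameters keys deleted, Start
#    changed from 2 (automatic) to 4 (disabled) and DeleteFlag set to 1.
foreach ($svc in 'SharedAccess', 'wscsvc') {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
    if (-not (Test-Path -LiteralPath $key)) { Add-Finding 'Service removed' $svc; continue }
    $p = Get-ItemProperty -LiteralPath $key
    if ($p.DeleteFlag -eq 1) { Add-Finding 'Service marked for deletion' "$svc DeleteFlag=1" }
    if ($p.Start -eq 4)      { Add-Finding 'Service disabled' "$svc Start=4" }
    if (-not (Test-Path -LiteralPath "$key\Parameters")) { Add-Finding 'Service config deleted' "$key\Parameters" }
    $legacy = "HKLM:\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_$($svc.ToUpper())"
    if (-not (Test-Path -LiteralPath $legacy)) { Add-Finding 'Service enum key deleted' $legacy }
}

# 4. Sockets bound to or connected on port 16464 (the port named on the page).
foreach ($line in (netstat -ano 2>$null | Select-String -Pattern ':16464\s')) {
    Add-Finding 'Port 16464 socket' $line.Line.Trim()
}

if ($Findings.Count -eq 0) { 'No ZeroAccess.HR indicators found.' }
else { $Findings | Sort-Object Category | Format-Table Category, Detail -AutoSize -Wrap }
```

Each finding carries the exact key, path or netstat line so it can be pasted into a ticket. A COM hijack finding against HKLM means the legitimate WMI class has been redirected and fastprox.dll must be re-registered, not just the RECYCLER files removed; a finding only under a user hive means the machine-wide value is still intact but the user-level override wins. An empty result does not prove a clean host: the rootkit restricts access to its own directories and the sample in the 19 Mar update deletes the service keys outright, so pair this with an offline scan of the disk.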