Virus Profile: ZeroAccess-FBA

Virus Profile information details
Risk Assessment: Home Low | Corporate Low
Date Discovered: 8/6/2013
Date Added: 8/9/2013
Origin: Unknown
Length: Varies
Type: Trojan
Subtype: Rootkit
DAT Required: 7160
Removal Instructions

Description

ZeroAccess is a family of rootkits capable of infecting the Windows operating system. There has been a major shift over the last few months in the way it infects the machine. Previously, ZeroAccess infected the kernel by rewriting system files with its kernel-mode component in order to run at elevated privilege when the system boots, but this version has no kernel-mode component and operates entirely in user space.

Aliases
  • Kaspersky - Backdoor.Win32.ZAccess.csvq
  • Microsoft - TrojanDropper:Win32/Sirefef.gen!D
  • Nod32 - Win32/Kryptik.BHHX
  • Norman - winpe/Kryptik.CCEI

Indication of Infection

Presence of the above-mentioned activities.

Methods of Infection

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, e-mail, etc.
Virus Characteristics

ZeroAccess-FBA is the detection name for a rootkit family that hides itself on the compromised system. It is often installed through drive-by-download attacks from malicious websites. The Trojan downloads other malicious files. It has the capability to perform Denial of Service (DoS) or Distributed DoS (DDoS) attacks. It also connects to port 16471.

ZeroAccess-FBA disables the system firewall, proxy and Windows Security Center services.

Upon execution it tries to connect to the following URLs:

  • j.ma[Removed]om
  • static.r[Removed]layer.com
  • dyn[Removed]et.com.tw
  • uhenov[Removed]gvtu.com
  • akamai[Removed]es.com
The registry entry below ensures that the rootkit registers with the compromised system and executes itself upon every reboot.

  • HKEY_USERS\S-1-5-[Varies]\Software\Microsoft\Windows\CurrentVersion\Run\Google Update: ""%USERPROFILE%\Local Settings\Application Data\Google\Desktop\Install\{GUID}\???\???\???\{GUID}\GoogleUpdate.exe" >"
Upon execution it drops files into the following locations:

  • %WINDIR%\Temp\IE8-WindowsXP-x86-ENU.exe
  • %WINDIR%\assembly\GAC\Desktop.ini
  • %WINDIR%\ie8_main.log
Upon execution it creates folders in the following locations:

  • %USERPROFILE%\Local Settings\Application Data\Google\Desktop
  • %USERPROFILE%\Local Settings\Application Data\Google\Desktop\Install
  • %USERPROFILE%\Local Settings\Application Data\Google\Desktop\Install\{GUID}
  • %USERPROFILE%\Local Settings\Application Data\Google\Desktop\Install\{GUID}\???
  • %PROGRAMFILES%\Google
  • %PROGRAMFILES%\Google\Desktop
  • %PROGRAMFILES%\Google\Desktop\Install
  • %PROGRAMFILES%\Google\Desktop\Install\{GUID}
  • %PROGRAMFILES%\Google\Desktop\Install\{GUID}\  
  • %PROGRAMFILES%\Google\Desktop\Install\{GUID}\   \  
  • %PROGRAMFILES%\Google\Desktop\Install\{GUID}\   \   \???
  • %WINDIR%\assembly
  • %WINDIR%\assembly\GAC
  • %WINDIR%\assembly\GAC_MSIL
The following registry keys have been added to the system:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SQM
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\?etadpug
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\?etadpug
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main\featurecontrol
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main\featurecontrol\FEATURE_BROWSER_EMULATION
  • HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main\featurecontrol
  • HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main\featurecontrol\FEATURE_BROWSER_EMULATION
The following registry values have been added to the system:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SQM\SqmOptInForIE8: 0x00000000
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NPF\0000\Capabilities: 0x00000000
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\DeleteFlag: 0x00000001
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NPF\0000\Capabilities: 0x00000000
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\DeleteFlag: 0x00000001
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main\featurecontrol\FEATURE_BROWSER_EMULATION\svchost.exe: 0x00001F40
  • HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main\featurecontrol\FEATURE_BROWSER_EMULATION\svchost.exe: 0x00001F40
The following registry values have been modified on the system:

  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Start: 0x00000002
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Start: 0x00000004
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Start: 0x00000002
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Start: 0x00000004

The following registry keys have been deleted from the system:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SHAREDACCESS
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SHAREDACCESS\0000
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SHAREDACCESS\0000\Control
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WSCSVC
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WSCSVC\0000
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WSCSVC\0000\Control
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WUAUSERV
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WUAUSERV\0000
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WUAUSERV\0000\Control
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\Parameters
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\Security
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Setup
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Setup\InterfacesUnfirewalledAtUpdate
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\Parameters
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\Security
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\Enum
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Parameters
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Security
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Enum
The registry changes above confirm that the rootkit deletes the entries related to the firewall and Windows security services; it also disables the SharedAccess service.

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system registry and/or INI files for the purpose of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).