Back with a BANG!
Monday, 6. August 2012 23:06 | Author:admin
Okay…2 years since a meaningful post. Not going to cut it and I’m sorry to anyone who may be looking for updates here. But as the title says I am back with a bang here as this one is pretty nasty.
We’re going to take a look at the latest ZeroAccess/Sirefef which has been seen in the wild as of late.
Virus Total Results for dropper
By the time I tested this it had been out for some time so most of the scanners are picking it up. One notable miss is Symantec, which is interesting.
This new variant behaves and infects systems quite differently from the past. I had reviewed Max++/ZeroAccess over 2 years ago here and this is really nothing like that.
While the methods have changed it still has the same basic intentions: redirect Google searches to ad sites. Also, considering the rootkit and backdoor capabilities here, it’s quite likely that this will capture any personal information such as passwords, account numbers, and other sensitive data. If you find yourself infected with this it is very wise to call your banks and credit card companies.
—-
Testing here was done with a Windows 7 (32 bit) virtual machine. This infection will also run on 64 bit machines. So here is what happens when the dropper gets executed.
First off, there are hundreds of registry changes made to disable the Windows Firewall, Updates, Security Center, Windows Defender, etc.
Next, after deleting itself, it drops several files and patches the Windows services.exe file.
C:\Windows\System32\services.exe patched
Virus Total Result
C:\Users\David\AppData\Local\{053988b8-e6f7-c759-7b46-4eaa8e2bc4dc}\@
Virus Total Result
C:\Users\David\AppData\Local\{053988b8-e6f7-c759-7b46-4eaa8e2bc4dc}\n
Virus Total Result
C:\Windows\Installer\{053988b8-e6f7-c759-7b46-4eaa8e2bc4dc}\@
Virus Total Result
C:\Windows\Installer\{053988b8-e6f7-c759-7b46-4eaa8e2bc4dc}\n
Virus Total Result
C:\Windows\Installer\{053988b8-e6f7-c759-7b46-4eaa8e2bc4dc}\U\00000001.@
Virus Total Result
C:\Windows\Installer\{053988b8-e6f7-c759-7b46-4eaa8e2bc4dc}\U\80000000.@
Virus Total Result
C:\Windows\Installer\{053988b8-e6f7-c759-7b46-4eaa8e2bc4dc}\U\800000cb.@
Virus Total Result
It also phones home to a couple of pretty shady looking IP addresses:
208.91.207.10 promos.fling.com which is located in California.
213.108.252.185 bigfatcounters.com and others located in Russia.
—-
Removal
Like always here, I will give my standard warning and disclaimer that this information should not be used for removal instructions and is only intended as part of the analysis and testing for informational purposes. Because each infection can differ and the fact that this one allows the remote attackers to install and run pretty much anything they want, infections will vary from system to system and each case should be treated on an individual basis by an expert.
There is a BIG CAUTION on the removal here. DO NOT delete the patched services.exe file as upon reboot you will be presented with the Blue Screen of Death.
All of the files located in the {053988b8-e6f7-c759-7b46-4eaa8e2bc4dc} folder can be deleted. The files in appdata will delete without issues, but the ones in the installer folder will not as they are in use. So those would need to be deleted on reboot with a tool or with an antivirus scanner such as Kaspersky AVP.
You will need to replace the services.exe file with a clean version. To do that, run the command prompt as administrator, then type:
sfc /scanfile=c:\windows\system32\services.exe
Then reboot.
Run a full scan with your antivirus program to clean up any leftovers. If your firewall still will not run, there is more system damage that will need to be repaired, which goes beyond the scope here.
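The following PowerShell script is an added example for checking a machine for the artifacts described above, either before cleanup or to confirm that cleanup worked. It is not code from the original post or from any vendor. It assumes the GUID folder name and the two IP addresses reported in this post (other infections use different values, so pass your own with the parameters), it uses only cmdlets and tools available on Windows 7 with PowerShell 2.0, and it only reads: it never deletes files or touches services.exe, since, as noted above, deleting the patched services.exe leaves the system unbootable.

```powershell
# Added example (not from the original post): read-only check for the
# ZeroAccess/Sirefef indicators described above. Nothing here deletes anything.
param(
    [string]$Guid = '{053988b8-e6f7-c759-7b46-4eaa8e2bc4dc}',    # folder name seen in the post
    [string[]]$KnownIps = @('208.91.207.10', '213.108.252.185')  # phone-home IPs seen in the post
)

$findings = @()

# 1. Dropped files: GUID-named folders under %LOCALAPPDATA% and C:\Windows\Installer
#    holding files literally named '@' and 'n' and a 'U' subfolder.
#    -LiteralPath is used so the braces and '@' in the names are not treated specially.
$roots = @("$env:LOCALAPPDATA\$Guid", "$env:SystemRoot\Installer\$Guid")
foreach ($dir in $roots) {
    if (Test-Path -LiteralPath $dir) {
        $findings += "Folder present: $dir"
        foreach ($name in @('@', 'n', 'U')) {
            $p = Join-Path $dir $name
            if (Test-Path -LiteralPath $p) { $findings += "  artifact: $p" }
        }
    }
}

# Generalisation (assumption, goes beyond the post): any other GUID-named Installer
# folder containing a file named '@' is treated as suspicious, because legitimate
# MSI cache folders hold .msi/.msp/.ipi files, not a file called '@'.
Get-ChildItem -LiteralPath "$env:SystemRoot\Installer" -ErrorAction SilentlyContinue |
    Where-Object { $_.PSIsContainer -and $_.Name -match '^\{[0-9a-fA-F-]{36}\}$' } |
    Where-Object { Test-Path -LiteralPath (Join-Path $_.FullName '@') } |
    ForEach-Object { $findings += "Suspicious Installer folder (contains '@'): $($_.FullName)" }

# 2. Patched services.exe: report its SHA-256 so it can be compared with a known-good
#    copy (or looked up on VirusTotal, as the post does). .NET hashing works on PS 2.0.
$svc = "$env:SystemRoot\System32\services.exe"
$sha = [System.Security.Cryptography.SHA256]::Create()
$stream = [System.IO.File]::OpenRead($svc)
try {
    $hash = ($sha.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join ''
} finally {
    $stream.Close()
}
Write-Output "services.exe SHA-256 (compare with a clean copy or VirusTotal): $hash"

# When elevated, ask the System File Checker to verify (not repair) the file against
# the component store. sfc writes UTF-16 output, which shows up with embedded NULs in
# PowerShell, so the NULs are stripped before the text is kept.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if ($principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    $sfcText = (& "$env:SystemRoot\System32\sfc.exe" /verifyfile=$svc) -replace "`0", ''
    $findings += 'sfc /verifyfile: ' + (($sfcText | Where-Object { $_ -match '\S' }) -join ' ')
} else {
    Write-Output 'Not elevated: skipping sfc /verifyfile (run as administrator to include it).'
}

# 3. Protections the dropper disables. Start mode comes from WMI because
#    Get-Service on PS 2.0 does not expose it. Only 'Disabled' is flagged: Windows Update
#    is normally idle, and Windows Defender is legitimately off when third-party AV is installed.
$expected = @{ MpsSvc = 'Windows Firewall'; wscsvc = 'Security Center';
               WinDefend = 'Windows Defender'; wuauserv = 'Windows Update' }
foreach ($name in $expected.Keys) {
    $s = Get-WmiObject Win32_Service -Filter "Name='$name'"
    if ($null -eq $s) {
        $findings += "Service missing: $name ($($expected[$name]))"
    } elseif ($s.StartMode -eq 'Disabled') {
        $findings += "Service disabled: $name ($($expected[$name]))"
    } elseif ($name -eq 'MpsSvc' -and $s.State -ne 'Running') {
        $findings += "Windows Firewall service is not running (state: $($s.State))"
    }
}

# 4. Live connections to the phone-home addresses. netstat is used because
#    Get-NetTCPConnection only exists on Windows 8 and later.
$net = & netstat -ano 2>$null
foreach ($ip in $KnownIps) {
    $net | Where-Object { $_ -match [regex]::Escape($ip) } |
        ForEach-Object { $findings += "Connection involving known phone-home address: $($_.Trim())" }
}

if ($findings.Count -eq 0) {
    Write-Output 'No ZeroAccess/Sirefef indicators from the post were found.'
} else {
    $findings
}
```

Run it from an elevated PowerShell prompt (for example `.\Check-Sirefef.ps1`, or with `-Guid '{...}'` for a different folder name) and expect an empty findings list after the removal steps above; a services.exe hash that still matches the VirusTotal-flagged copy, or an sfc report of integrity violations, means the `sfc /scanfile` step has not yet replaced the patched binary.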
Want an easier way? Well you have it! Download and run HitMan Pro (no, I’m not affiliated with them, it just works). It will clean this up nicely.
It’s good to be back posting here and I am already working on more new material to cover here.