A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #14251  by SecConnex
 Mon Jun 25, 2012 8:38 am
rkhunter wrote: Damn epic...

infected services.exe on x32 - 2 / 42 - Virus:Win32/Sirefef.R https://www.virustotal.com/file/4c1096f ... 340263629/
Quick question...

Anyone have a record of four infected files from ZA (XP test machine)?

-user32.dll (verified problem with ZA)
-services.exe (" once again verified)
-explorer.exe (unverified...?)
-volsnap.sys (unverified...?)


If that means volsnap.sys is really infected, then it would be nearly impossible for ComboFix to replace services.exe using Volume Shadow Copy?
 #14265  by EP_X0FF
 Mon Jun 25, 2012 2:07 pm
SecConnex wrote: Anyone have a record of four infected files from ZA (XP test machine)?

-user32.dll (verified problem with ZA)
-services.exe (" once again verified)
Please attach the dropper that infects user32.dll (as it is verified). How did you manage to infect services.exe on XP, when the latest dropper has no such code (the authors were unable to find space inside the XP services.exe for shellcode injection)?
volsnap.sys (unverified...?)
This was a target of PRAGMA TDL3 modification.
 #14267  by SecConnex
 Mon Jun 25, 2012 2:16 pm
Ha...funny how I misplace droppers. :oops:

This dropper is almost a month old, tbh.

Totally clean XP box...infected with ZA obtained on May 27.

No other malware was installed. I understand about the Pragma issue resulting from TDL3, but there's no way that happened.

However, I imagine if we gathered the droppers from near that date... I'll see if I can find them posted and gather a quick link-column.
 #14272  by EP_X0FF
 Mon Jun 25, 2012 3:43 pm
SecConnex wrote: HERE: http://www.kernelmode.info/forum/viewto ... =20#p13448

Seeing the same import again as saw in first test of GMER: CreateProcessAsUserW in API-MS-Win-Core-ProcessThreads-L1-1-0.dll

Services.exe MD5 - 2B336AB6286D6C81FA02CBAB914E3C6C
Windows 7 x86 test.

The only payload it contains: n32 and n64.

https://www.virustotal.com/file/073b1f9 ... /analysis/
https://www.virustotal.com/file/0f6e12d ... /analysis/

It does not infect services.exe (https://www.virustotal.com/file/d7bc4ed ... /analysis/ - file copied in real time with the help of low-level disk access) and does not perform CreateProcessAsUser hooking - verified twice - after infection and after reboot, with different tools. Additionally, there is no sense in such a hook. Investigate your case with a debugger; gmer is a sh*tload of bugs. Attached: decrypted dropper, all extracted payload (except configs) and decrypted n32 (p2p.32.dll).
Attachments
pass: malware
 #14306  by thisisu
 Tue Jun 26, 2012 6:41 pm
Looks like MSE is tagging the infected services.exe but still isn't able to cure it.
2012-06-25 09:28 - 2012-06-25 09:28 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.FE5EF61116C70C30
2012-06-25 09:24 - 2012-06-25 09:24 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.B78730FE88D98AC9
2012-06-25 09:21 - 2012-06-25 09:21 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.F86C05175A0C4934
2012-06-25 09:18 - 2012-06-25 09:18 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.ACAC1DFE013303CD
2012-06-24 19:14 - 2012-06-24 19:14 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.8C07C03A2F624688
2012-06-24 19:12 - 2012-06-24 19:12 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.4347C6D8DABD5423
2012-06-25 09:33 - 2012-06-25 09:33 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.138C64E1626E5C19
Thread source: http://forums.majorgeeks.com/showthread.php?t=260886
Attachments
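The listing in the post above shows the same pattern repeated: several same-sized copies of services.exe, each with a 16-hex-digit suffix, accumulating in System32 while the live file stays infected. The script below is an added example, not from the thread or from any of the tools named in it; it parses lines in the "created - modified - size attrs (company) path" format seen above (assumed to be stable), groups suffixed copies of a system binary, and flags a file that keeps being re-copied without being cured. It also carries the MD5 of the infected Windows 7 x86 services.exe that EP_X0FF reported earlier in this thread, so a sample read from disk can be checked against it.

```python
"""Flag repeated backup/quarantine copies of a system binary in an FRST-style listing."""
import hashlib
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample input: the listing quoted in the post above (raw string keeps the backslashes).
SAMPLE_LOG = r"""
2012-06-25 09:28 - 2012-06-25 09:28 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.FE5EF61116C70C30
2012-06-25 09:24 - 2012-06-25 09:24 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.B78730FE88D98AC9
2012-06-25 09:21 - 2012-06-25 09:21 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.F86C05175A0C4934
2012-06-25 09:18 - 2012-06-25 09:18 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.ACAC1DFE013303CD
2012-06-24 19:14 - 2012-06-24 19:14 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.8C07C03A2F624688
2012-06-24 19:12 - 2012-06-24 19:12 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.4347C6D8DABD5423
2012-06-25 09:33 - 2012-06-25 09:33 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.138C64E1626E5C19
"""

# "created - modified - size attrs (company) path"; the line format is assumed from the quoted lines.
LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - (\d{8}) (\S+) \((.*?)\) (.+)$"
)
# A PE image name followed by a 16-hex-digit suffix, as in services.exe.FE5EF61116C70C30.
COPY_RE = re.compile(r"^(?P<base>.+?\.(?:exe|dll|sys))\.(?P<tag>[0-9A-Fa-f]{16})$")

# MD5 of the infected services.exe reported earlier in this thread (Windows 7 x86 test).
KNOWN_INFECTED_SERVICES_MD5 = "2b336ab6286d6c81fa02cbab914e3c6c"


@dataclass(frozen=True)
class Entry:
    created: str
    modified: str
    size: int
    attrs: str
    company: str
    path: str


def parse_listing(text: str) -> list[Entry]:
    """Parse every well-formed line; lines that do not fit the format are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        created, modified, size, attrs, company, path = m.groups()
        entries.append(Entry(created, modified, int(size), attrs, company, path))
    return entries


def group_copies(entries: list[Entry]) -> dict[str, list[Entry]]:
    """Group suffixed copies by the binary they were copied from (path compared case-insensitively)."""
    groups: dict[str, list[Entry]] = defaultdict(list)
    for e in entries:
        m = COPY_RE.match(e.path)
        if m:
            groups[m.group("base").lower()].append(e)
    return dict(groups)


def assess(groups: dict[str, list[Entry]], threshold: int = 2) -> list[dict]:
    """Report each binary with at least `threshold` copies: a repeating copy with no change in
    size is the signature of a scanner that keeps backing the file up without curing it."""
    report = []
    for base, copies in groups.items():
        if len(copies) < threshold:
            continue
        ordered = sorted(copies, key=lambda e: e.created)  # ISO-style timestamps sort lexically
        report.append({
            "file": base,
            "copies": len(copies),
            "same_size": len({e.size for e in copies}) == 1,
            "first": ordered[0].created,
            "last": ordered[-1].created,
        })
    return report


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def matches_known_infected(data: bytes) -> bool:
    """True when the bytes hash to the infected services.exe MD5 quoted in this thread."""
    return md5_hex(data) == KNOWN_INFECTED_SERVICES_MD5


if __name__ == "__main__":
    for row in assess(group_copies(parse_listing(SAMPLE_LOG))):
        print(row)
```

Run it against a saved FRST/OTL-style listing, or feed a file's bytes to `matches_known_infected` to compare a copy pulled from a test box against the hash quoted above; a match on the live file while suffixed copies keep appearing is exactly the "tagged but not cured" state described in the post.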
 #14319  by Tigzy
 Wed Jun 27, 2012 12:03 pm
Is the service.exe protected?
I mean is it readable with high level APIs? (ReadProcessMemory or Read on disk)

EDIT: I can't load infected service.exe into Olly; Error message saying "unable to start name_of_file.exe"
EDIT2: Ok with IDA
 #14321  by rkhunter
 Wed Jun 27, 2012 1:21 pm
Tigzy wrote: Is the service.exe protected?
I mean is it readable with high level APIs? (ReadProcessMemory or Read on disk)
It is without a rootkit and does not hide itself.