A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #11485  by StamilT
 Tue Feb 07, 2012 4:55 pm
https://www.virustotal.com/file/42ce752 ... 328632936/
Detection ratio: 26/42

https://www.virustotal.com/file/320f401 ... 328633907/
Detection ratio: 34/43

MD5: 53AA566C17D0EEEE6E03CD8ACEF5545E
https://www.virustotal.com/file/b90615f ... 328634598/
Detection ratio: 28/43

MD5: D3E713DD85BE03C2D8488CE5432F7EBB
https://www.virustotal.com/file/bde6d93 ... 328635809/
Detection ratio: 24/41
Attachments
pass: infected
Last edited by EP_X0FF on Wed Feb 08, 2012 11:02 am, edited 1 time in total. Reason: the wonderful edit button located in the top right corner of post frame
 #11499  by EP_X0FF
 Wed Feb 08, 2012 11:07 am
rkhunter wrote: Fresh dropper

MD5: 50f2e009281e113c7d8291602b0bf183
2/43
What is the source of this dropper? Can you share?
 #11502  by dcmorton
 Wed Feb 08, 2012 11:42 am
rkhunter wrote: MD5: 50f2e009281e113c7d8291602b0bf183
This seems to be a newer variant on ZA; ran into one of these yesterday actually.

Haven't tried it on x86 yet, but on x64 it's added a service that re-infects the Session Manager\Subsystems\Windows key on boot.
 #11586  by B-boy/StyLe/
 Mon Feb 13, 2012 12:38 am
dcmorton wrote: This seems to be a newer variant on ZA; ran into one of these yesterday actually.
Haven't tried it on x86 yet, but on x64 it's added a service that re-infects the Session Manager\Subsystems\Windows key on boot.
Yeah, this version has an extra layer of protection. Many NetSvcs are being inserted, and the junctions are recreated on every reboot.


Regards,
G.
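The two persistence locations the posts above mention on x64 (the Session Manager SubSystems "Windows" value and the netsvcs service group, with junctions in the DLL paths) can be audited from an elevated PowerShell prompt. The script below is an added example, not code from the thread or from any of its posters. The allowlist of expected ServerDll names (basesrv, winsrv, sxssrv) and the rule that a legitimate netsvcs ServiceDll lives under System32 are assumptions for a stock Windows install; adjust them for your baseline.

```powershell
# Added example (not from the thread). Audits the persistence spots named in the posts:
#  1. HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems, value "Windows"
#  2. the netsvcs group under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost
# Run elevated. Assumptions: clean ServerDll set is basesrv/winsrv/sxssrv and every
# netsvcs ServiceDll resolves under %SystemRoot%\System32 with no junction in its path.

$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding([string]$Location, [string]$Item, [string]$Reason) {
    $findings.Add([pscustomobject]@{ Location = $Location; Item = $Item; Reason = $Reason })
}

# --- 1. SubSystems\Windows: every ServerDll=<name>[:<entry>],<index> token must be expected
$subsysKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems'
$windowsValue = (Get-ItemProperty -Path $subsysKey -Name Windows).Windows
$expectedServerDlls = @('basesrv', 'winsrv', 'sxssrv')   # assumed clean baseline

foreach ($m in [regex]::Matches($windowsValue, 'ServerDll=([^,\s:]+)')) {
    $dll = $m.Groups[1].Value
    if ($expectedServerDlls -notcontains $dll.ToLower()) {
        Add-Finding 'SubSystems\Windows' $dll 'unexpected ServerDll entry'
    }
}

# --- 2. netsvcs: check each member service's ServiceDll location and path for junctions
$system32 = Join-Path $env:SystemRoot 'System32'
$svchostKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
$netsvcs = (Get-ItemProperty -Path $svchostKey -Name netsvcs).netsvcs   # REG_MULTI_SZ -> string[]

foreach ($svc in $netsvcs) {
    $paramsKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc\Parameters"
    if (-not (Test-Path -LiteralPath $paramsKey)) { continue }   # group member with no service installed

    $serviceDll = (Get-ItemProperty -Path $paramsKey -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
    if (-not $serviceDll) { continue }

    $expanded = [Environment]::ExpandEnvironmentVariables($serviceDll)

    # Assumed rule: a netsvcs host DLL belongs under System32.
    if (-not $expanded.StartsWith($system32, [StringComparison]::OrdinalIgnoreCase)) {
        Add-Finding "netsvcs\$svc" $expanded 'ServiceDll outside System32'
    }

    if (-not (Test-Path -LiteralPath $expanded)) {
        Add-Finding "netsvcs\$svc" $expanded 'ServiceDll file not found'
        continue
    }

    # Walk the directory chain: a reparse point (junction) means the DLL resolves elsewhere.
    $dir = Split-Path -Path $expanded -Parent
    while ($dir -and (Test-Path -LiteralPath $dir)) {
        $item = Get-Item -LiteralPath $dir -Force
        if ($item.Attributes -band [IO.FileAttributes]::ReparsePoint) {
            Add-Finding "netsvcs\$svc" $dir 'reparse point (junction) in ServiceDll path'
            break
        }
        $parent = Split-Path -Path $dir -Parent
        if (-not $parent -or $parent -eq $dir) { break }
        $dir = $parent
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No findings in SubSystems\Windows or netsvcs.'
} else {
    $findings | Format-Table -AutoSize
}
```

Because the posts say the service re-infects the key and recreates the junctions on every reboot, a single clean result is not proof of a clean machine: run the audit before and after a reboot and compare, and treat any ServerDll outside the baseline or any junction in a netsvcs path as the lead to pull on.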