A forum for reverse engineering, OS internals and malware analysis 
 #9862  by EP_X0FF
 Wed Nov 23, 2011 3:47 pm
The FlashUtil.dll (3.TMP) is trying to load the system DLL Msimg32.dll (GDIEXT Client DLL) without giving the full path to it.
LoadLibraryW("Msimg32.dll") called from "3.TMP" at address 0x10012AE3.
Loaded "MSIMG32.DLL" at address 0x76350000. Successfully hooked module.
According to the LoadLibrary API's documented behavior, it first looks for DLLs in the current directory. So Adobe loads the rootkit DLL on execution instead of the system file.
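An added worked example, not code from the post or from any tool mentioned in it: a small Python model of the documented Win32 DLL search order for an unqualified name (with SafeDllSearchMode on, the default, the application directory is probed first, then the system directories, then the current directory, then PATH), used to show why LoadLibraryW("Msimg32.dll") from 3.TMP maps a msimg32.dll planted beside the loader instead of the copy in System32, plus a check that flags loaded modules which shadow a same-named file in System32. The Temp directory, its file listing and the module list are constructed for the example; LOAD_LIBRARY_SEARCH_SYSTEM32 is the real LoadLibraryExW flag that restricts the search to the system directory, modelled here by the system32_only switch.

```python
import ntpath

# Constructed example filesystem. The Temp directory and its contents are
# assumptions for this example, not taken from the post.
SYSTEM32 = r"C:\Windows\System32"
TEMP_DIR = r"C:\Users\victim\AppData\Local\Temp"

EXISTING_FILES = {
    ntpath.normcase(p) for p in (
        ntpath.join(SYSTEM32, "msimg32.dll"),        # legitimate GDIEXT client DLL
        ntpath.join(SYSTEM32, "kernel32.dll"),
        ntpath.join(TEMP_DIR, "3.TMP"),               # dropped loader that calls LoadLibraryW("Msimg32.dll")
        ntpath.join(TEMP_DIR, "msimg32.dll"),         # rootkit DLL planted beside it
        ntpath.join(TEMP_DIR, "InstallFlashPlayer.exe"),
    )
}


def exists(path):
    """Case-insensitive existence check against the constructed filesystem."""
    return ntpath.normcase(path) in EXISTING_FILES


def search_order(app_dir, cwd, system_dirs, path_dirs, safe_search=True):
    """Directories probed, in order, for an unqualified DLL name.

    SafeDllSearchMode on (default since XP SP2): current directory is probed
    after the system directories. Off: immediately after the app directory.
    """
    order = [app_dir]
    if not safe_search:
        order.append(cwd)
    order.extend(system_dirs)
    if safe_search:
        order.append(cwd)
    order.extend(path_dirs)
    return order


def resolve_dll(name, app_dir, cwd, system_dirs=(SYSTEM32,), path_dirs=(),
                safe_search=True, system32_only=False):
    """Return the file the loader would map for `name`, or None.

    system32_only models LoadLibraryExW(..., LOAD_LIBRARY_SEARCH_SYSTEM32),
    which skips the application and current directories entirely.
    """
    if ntpath.dirname(name):  # fully qualified name: no search is performed
        return name if exists(name) else None
    if system32_only:
        dirs = list(system_dirs)
    else:
        dirs = search_order(app_dir, cwd, system_dirs, path_dirs, safe_search)
    for d in dirs:
        candidate = ntpath.join(d, name)
        if exists(candidate):
            return candidate
    return None


def find_sideloaded(loaded_modules, system_dirs=(SYSTEM32,)):
    """Flag loaded modules that shadow a same-named file in a system directory.

    loaded_modules: iterable of (module_name, full_path), as a module walker
    or a loader hook like the one quoted in the post would report them.
    Returns (suspicious_path, shadowed_system_path) pairs.
    """
    sysdirs = {ntpath.normcase(d) for d in system_dirs}
    hits = []
    for _, path in loaded_modules:
        if ntpath.normcase(ntpath.dirname(path)) in sysdirs:
            continue  # loaded from a system directory: expected
        base = ntpath.basename(path)
        for d in system_dirs:
            shadowed = ntpath.join(d, base)
            if exists(shadowed):
                hits.append((path, shadowed))
                break
    return hits


# Constructed module list, the shape a hook log like the one above implies.
SAMPLE_MODULES = [
    ("3.TMP", ntpath.join(TEMP_DIR, "3.TMP")),
    ("MSIMG32.DLL", ntpath.join(TEMP_DIR, "msimg32.dll")),
    ("KERNEL32.DLL", ntpath.join(SYSTEM32, "kernel32.dll")),
]

if __name__ == "__main__":
    # 3.TMP lives in TEMP_DIR, so that is both its application dir and cwd.
    print("unqualified:", resolve_dll("Msimg32.dll", TEMP_DIR, TEMP_DIR))
    print("SEARCH_SYSTEM32:", resolve_dll("Msimg32.dll", TEMP_DIR, TEMP_DIR, system32_only=True))
    for bad, good in find_sideloaded(SAMPLE_MODULES):
        print("sideloaded:", bad, "shadows", good)
```

On a live box the same shadowing check runs over the module list of each process; a copy of a System32 DLL name loaded from a user-writable directory is the artifact to chase, independent of whether any vendor has a signature for the file yet.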
 #9863  by Neurofunk
 Wed Nov 23, 2011 3:58 pm
Yeah, I forgot to note that the InstallFlashPlayer.exe was just included in case it was needed; it is not malicious though. This infection isn't very stealthy though: on the two test machines that I have sectioned off from our normal network, the ping.exe command it opens consumes over 100MB of system memory and was keeping the processor under a constant 50-60% load. I could instantly tell that something was wrong as it was slowing the infected machines down a lot. Looks like Kaspersky has a generic detection for the DLL now, still only 1 vendor out of 43 :(
 #10135  by shaheen
 Sun Dec 04, 2011 8:41 pm
I have a question, please. On Windows 7, which dedicated anti-rootkit tool (non-signature based) can be used to detect ZeroAccess? Tried GMER, seems to have failed. RootRepeal doesn't work on Win 7.

Thanks