A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #15754  by thisisu
 Wed Sep 26, 2012 6:02 am
markusg wrote:https://www.virustotal.com/file/42cc19b ... 348571320/
This variant again :o
00:57:44.0713 1980  C:\WINDOWS\system32\DRIVERS\mrxsmb.sys - copied to quarantine
00:57:45.0133 1980  C:\WINDOWS\$NtUninstallKB50933$\2002760106\@ - copied to quarantine
00:57:45.0133 1980  C:\WINDOWS\$NtUninstallKB50933$\2002760106\Desktop.ini - copied to quarantine
00:57:45.0133 1980  C:\WINDOWS\$NtUninstallKB50933$\2002760106\L\00000004.@ - copied to quarantine
00:57:45.0164 1980  C:\WINDOWS\$NtUninstallKB50933$\2002760106\L\uruzevfc - copied to quarantine
00:57:45.0164 1980  C:\WINDOWS\$NtUninstallKB50933$\2002760106\U\00000004.@ - copied to quarantine
00:57:45.0164 1980  C:\WINDOWS\$NtUninstallKB50933$\2002760106\U\00000008.@ - copied to quarantine
00:57:45.0164 1980  C:\WINDOWS\$NtUninstallKB50933$\2002760106\U\000000cb.@ - copied to quarantine
00:57:45.0164 1980  C:\WINDOWS\$NtUninstallKB50933$\2002760106\U\80000000.@ - copied to quarantine
00:57:45.0164 1980  C:\WINDOWS\$NtUninstallKB50933$\2002760106\U\80000032.@ - copied to quarantine
00:57:45.0604 1980  Backup copy found, using it..
00:57:45.0624 1980  C:\WINDOWS\system32\DRIVERS\mrxsmb.sys - will be cured on reboot
00:57:45.0634 1980  C:\WINDOWS\$NtUninstallKB50933$\2002760106\@ - will be deleted on reboot
00:57:45.0634 1980  C:\WINDOWS\$NtUninstallKB50933$\2002760106\Desktop.ini - will be deleted on reboot
00:57:45.0634 1980  C:\WINDOWS\$NtUninstallKB50933$\2002760106\U\00000004.@ - will be deleted on reboot
00:57:45.0634 1980  C:\WINDOWS\$NtUninstallKB50933$\2002760106\U\00000008.@ - will be deleted on reboot
00:57:45.0634 1980  C:\WINDOWS\$NtUninstallKB50933$\2002760106\U\000000cb.@ - will be deleted on reboot
00:57:45.0634 1980  C:\WINDOWS\$NtUninstallKB50933$\2002760106\U\80000000.@ - will be deleted on reboot
00:57:45.0634 1980  C:\WINDOWS\$NtUninstallKB50933$\2002760106\U\80000032.@ - will be deleted on reboot
00:57:45.0634 1980  C:\WINDOWS\$NtUninstallKB50933$\946081224 - will be deleted on reboot
00:57:45.0634 1980  MRxSmb ( Virus.Win32.ZAccess.aml ) - User select action: Cure 
 #15756  by EP_X0FF
 Wed Sep 26, 2012 8:21 am
Just in case anyone is interested. This is not a new version, as someone might decide. This is the old 2nd generation ZeroAccess file infector rootkit with small changes. Removed AntiAV part (trap process/reg key), some stability improvements have been made, it now works more stably (at least on my test machines, where the previous version crashed from time to time). This version adds a new lower device to the DRx object, and the driver object of this device points to rootkit code (even this is not new, some previous Sirefefs did the same). This makes it less defensive than previous variants that hook the mini port driver major function. Driver loading trick with asterisk is the same. To detect it manually you don't need any third party tools - this can be easily done with Windbg and small brain.dll. Additionally this rootkit can be detected by WinObj. Look in GLOBAL?? directory. Usually there should be only SymbolicLink objects. But ZeroAccess puts its own device in this directory.
lkd> !object \GLOBAL??
Object: e1005600  Type: (81fed5d0) Directory
    ObjectHeader: e10055e8 (old version)
    HandleCount: 1  PointerCount: 131
    Directory Object: e1000298  Name: GLOBAL??

    Hash Address  Type          Name
    ---- -------  ----          ----
         81f18870 Device        0b765132
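As an added defensive illustration (not code from this thread, nor from WinDbg or WinObj), a small Python parser for `!object \GLOBAL??` output that applies the rule stated in the post above: every entry in GLOBAL?? that is not a SymbolicLink is worth a look. The sample listing is constructed for the example; the addresses and link names are made up, only the Device entry shape matches the one shown in the post.

```python
import re
from dataclasses import dataclass

# Constructed sample of `lkd> !object \GLOBAL??` output (not a real capture).
# A clean GLOBAL?? directory holds only SymbolicLink entries; the rootkit
# discussed in the thread adds a Device object with a random-looking name.
SAMPLE_OUTPUT = """\
lkd> !object \\GLOBAL??
Object: e1005600  Type: (81fed5d0) Directory
    ObjectHeader: e10055e8 (old version)
    HandleCount: 1  PointerCount: 131
    Directory Object: e1000298  Name: GLOBAL??

    Hash Address  Type          Name
    ---- -------  ----          ----
     00  81f2a0c8 SymbolicLink  C:
     00  81f2a1e0 SymbolicLink  PhysicalDrive0
     07  81f18870 Device        0b765132
     12  81f2b3a0 SymbolicLink  Volume{1a2b3c4d-0000-0000-0000-100000000000}
"""

# One table row: optional hash-bucket column, object address, type, name.
ENTRY_RE = re.compile(
    r"^\s*(?:(?P<hash>[0-9a-f]{2})\s+)?(?P<addr>[0-9a-f]{8,16})\s+"
    r"(?P<type>\w+)\s+(?P<name>\S.*?)\s*$", re.IGNORECASE)

@dataclass
class DirEntry:
    address: str
    obj_type: str
    name: str

def parse_object_directory(text):
    """Parse the entry table of a WinDbg `!object <directory>` listing."""
    entries, in_table = [], False
    for line in text.splitlines():
        if line.strip().startswith("----"):   # separator under the column headers
            in_table = True
            continue
        if not in_table:
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append(DirEntry(m["addr"].lower(), m["type"], m["name"]))
    return entries

def suspicious_global_entries(text, expected_types=("SymbolicLink",)):
    """Entries whose type is not one normally found in \\GLOBAL?? (e.g. a Device)."""
    return [e for e in parse_object_directory(text) if e.obj_type not in expected_types]

if __name__ == "__main__":
    for e in suspicious_global_entries(SAMPLE_OUTPUT):
        print(f"suspicious: {e.obj_type} {e.name} at {e.address}")
```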
 #15779  by rkhunter
 Fri Sep 28, 2012 10:43 am
dumb110 wrote:anybody has this?? https://www.virustotal.com/file/6d32a06 ... 348810517/
SHA256: 6d32a06be42f9c9b09038279d5121c8f9edd3fc3d5c670f3691d20d92dcddbff
SHA1: 59eb5da32f0f977e49f9724d0a16d7224f028c9c
MD5: dc86b1d1abd08432db8b6903e38b4004
Attachments
pass:infected