A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #13976  by EP_X0FF
 Thu Jun 14, 2012 4:07 pm
thisisu wrote: So basically ZA tries to locate the above services; if it finds them, it grants itself full permissions over them and then stops and deletes them? :)
Yes.
#include <windows.h>

/* Decompiled routine: stop the service (retrying while dependent services are
   still running), mark it disabled so it cannot be started again, then delete it. */
BOOL StopAndDeleteService(SC_HANDLE hService)
{
  int iRetryCount;
  SERVICE_STATUS ServiceStatus;

  iRetryCount = 4;
  do
  {
    if ( ControlService(hService, SERVICE_CONTROL_STOP, &ServiceStatus) )
      break;                      /* stop request accepted */
    if ( GetLastError() != ERROR_DEPENDENT_SERVICES_RUNNING )
      break;                      /* any other error: give up on stopping */
    Sleep(1000);                  /* dependents still running: wait and retry (up to 4 times) */
    --iRetryCount;
  }
  while ( iRetryCount );
  /* Start type becomes SERVICE_DISABLED; the remaining parameters are passed as 0
     rather than SERVICE_NO_CHANGE, so dwErrorControl ends up as SERVICE_ERROR_IGNORE. */
  ChangeServiceConfigW(hService, SERVICE_WIN32_SHARE_PROCESS, SERVICE_DISABLED, 0, 0, 0, 0, 0, 0, 0, 0);
  DeleteService(hService);        /* marked for deletion once all handles are closed */
  return CloseServiceHandle(hService);
}
 #13978  by EP_X0FF
 Thu Jun 14, 2012 4:42 pm
kmd wrote: Strange, I thought there would be an AV blacklist, but except for MSE none was found.
thoughts?
Yes. If you look at what exactly it stops, terminates and deletes, you will find that they are targeting built-in Windows security components.

Windows Security Center
Base Filtering Engine
Windows Defender
MSE (as part of Win8)
Network Inspection Service
Shared Access Service
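An added triage check (my own example, not code from the thread or from the sample): given a .reg export of HKLM\SYSTEM\CurrentControlSet\Services taken from a suspect machine, it reports which of the components listed above are missing (key deleted) or left with Start=4, i.e. exactly the state the StopAndDeleteService routine quoted earlier leaves behind. wscsvc, BFE, MPSSVC and MPSDRV are named in the thread; the other service names are my assumed mapping for Defender, MSE, Network Inspection Service and Shared Access.

```python
import re

# Service names behind the components listed above: wscsvc, BFE, MPSSVC and MPSDRV are named
# in the thread; WinDefend, MsMpSvc, NisSrv and SharedAccess are the usual names for Defender,
# MSE, Network Inspection Service and Shared Access (assumed mapping).
TARGETED = ["wscsvc", "BFE", "MPSSVC", "MPSDRV", "WinDefend", "MsMpSvc", "NisSrv", "SharedAccess"]
SERVICE_DISABLED = 4  # Start value that ChangeServiceConfigW(..., SERVICE_DISABLED, ...) leaves behind
KEY_RE = re.compile(r"^\[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\([^\\\]]+)\]$", re.I)
START_RE = re.compile(r'^"Start"=dword:([0-9a-f]{8})$', re.I)

def parse_services_reg(text):
    """Map each top-level service key in a .reg export to its Start value (None if no Start)."""
    services, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:                        # top-level service key
            current = m.group(1)
            services.setdefault(current, None)
        elif line.startswith("["):   # any other key (e.g. a Parameters subkey): ignore its values
            current = None
        elif current is not None:
            m = START_RE.match(line)
            if m:
                services[current] = int(m.group(1), 16)
    return services

def audit_security_services(reg_text):
    """Classify each targeted service as 'missing' (key gone), 'disabled' (Start=4) or 'ok'."""
    by_name = {n.lower(): s for n, s in parse_services_reg(reg_text).items()}
    result = {}
    for name in TARGETED:
        start = by_name.get(name.lower(), "absent")
        result[name] = "missing" if start == "absent" else "disabled" if start == SERVICE_DISABLED else "ok"
    return result

# Constructed sample export: wscsvc left disabled, BFE and SharedAccess untouched,
# MPSSVC/MPSDRV/WinDefend/MsMpSvc/NisSrv keys deleted.
SAMPLE_REG = r"""[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BFE]
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BFE\Parameters]
"BootFlags"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
"Start"=dword:00000003
"""
```

Running `audit_security_services(SAMPLE_REG)` on the constructed export flags wscsvc as disabled and the five deleted services as missing; a clean machine should report every entry as ok.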
 #13980  by sUBs
 Thu Jun 14, 2012 5:22 pm
EP_X0FF, I can't read code like you do, but do you see anywhere in its code how it's targeting/identifying ComboFix and preventing it from running? It seems to be based on a set of conditions.
 #13981  by thisisu
 Thu Jun 14, 2012 5:40 pm
rkhunter wrote: The previous ZAccess version only removed the wscsvc (Windows Security Center) service.
It has actually deleted more than this. We've seen BFE, MPSSVC, and MPSDRV deleted many times since December 2011. See here.

@sUBs
Hi :)
 #13983  by EP_X0FF
 Thu Jun 14, 2012 6:37 pm
sUBs wrote: EP_X0FF, I can't read code like you do, but do you see anywhere in its code how it's targeting/identifying ComboFix and preventing it from running? It seems to be based on a set of conditions.
If such a feature exists, then it is inside the "n" dll. However, I don't see any blacklists in this dll; only the dropper is powered with this feature. And more to say, ComboFix successfully removed the discussed sample while it was active. I think this is not Sirefef but some other antimalware blocking your tool from operation. In this recent version of the "n" component they added an additional layer of obfuscation, resulting in a lower detection ratio on VT. However, both n32 and n64 are (almost) identical and seem to be compiled from one source, and n64 still lacks any kind of obfuscation.
 #13985  by sUBs
 Thu Jun 14, 2012 6:44 pm
EP_X0FF wrote: And more to say, ComboFix successfully removed the discussed sample while it was active.
Thank you for the reply. ComboFix only managed to run after I made recent changes. Previously, Sirefef only allowed CF to unpack its files; it gets killed the moment it tries to run. I haven't figured out how it was doing that. So I added a workaround, rather than a proper fix, to get CF to run.
 #13986  by EP_X0FF
 Thu Jun 14, 2012 6:52 pm
Do you have an old version that 100% gets killed by this dropper? For test purposes.