A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #14981  by EP_X0FF
 Thu Aug 02, 2012 11:22 am
1) Binary compare with original.
2) Brains on.
3) Done.
 #14983  by kmd
 Thu Aug 02, 2012 11:44 am
EP_X0FF wrote:1) Binary compare with original.
2) Brains on.
3) Done.

What bin compare do you use?
I need some enlightenment besides.
This one does not patch the ScTcp stuff.
 #14984  by EP_X0FF
 Thu Aug 02, 2012 11:58 am
kmd wrote:
EP_X0FF wrote:1) Binary compare with original.
2) Brains on.
3) Done.

What bin compare do you use?
I need some enlightenment besides.
This one does not patch the ScTcp stuff.
I use several BinDiffs (all suck in some points of view) as well as such a magical tool as FC. What kind of enlightenment do you need? Seriously, you can't handle such a trivial thing as analysis of a modified services.exe, which is identical for all W7 versions? OK, enlightenment: it is an old ZeroAccess version that overwrites the .reloc section with lame and big shellcode and changes the PE structure to make this former .reloc section be TLS. Also the ASLR flag must be turned off in the characteristics, of course, otherwise this won't work. This method was modified to more optimised shellcode in future versions. If you still don't get it, here is a screenshot.

 #14987  by kmd
 Thu Aug 02, 2012 2:31 pm
EP_X0FF wrote: What kind of enlightenment do you need? Seriously, you can't handle such a trivial thing as analysis of a modified services.exe, which is identical for all W7 versions?
I thought it was something new..
Thanks anyway.

Detection based on .reloc contents?
 #14988  by EP_X0FF
 Thu Aug 02, 2012 2:39 pm
Yes. On what else? What they modified is the perfect marker. The method they used was the worst, so no surprise they don't use it anymore.
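As an added example (not code from the thread or from any of its posters), here is a defender-side check for the two markers described above: the TLS data directory pointing into the .reloc section, and the ASLR (DYNAMIC_BASE) flag cleared in DllCharacteristics. It parses PE headers with the standard library only; the sample image it checks is a constructed minimal PE32+ header built inline, not a real services.exe or a ZeroAccess sample.

```python
import struct

DYNAMIC_BASE = 0x0040   # IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE (ASLR opt-in)
TLS_DIR = 9             # IMAGE_DIRECTORY_ENTRY_TLS

def pe_indicators(data):
    """Return {'aslr': bool, 'tls_section': name or None} for a PE image."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff, opt = pe + 4, pe + 24
    nsec = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    is64 = struct.unpack_from("<H", data, opt)[0] == 0x20B
    dllchars = struct.unpack_from("<H", data, opt + 0x46)[0]  # same offset PE32/PE32+
    dirs = opt + (0x70 if is64 else 0x60)                     # data directory table
    tls_rva, tls_size = struct.unpack_from("<II", data, dirs + 8 * TLS_DIR)
    tls_section = None
    for i in range(nsec):                                     # 40-byte section headers
        name, vsize, va, rawsize = struct.unpack_from("<8sIII", data, opt + opt_size + 40 * i)
        if tls_size and va <= tls_rva < va + max(vsize, rawsize):
            tls_section = name.rstrip(b"\0").decode("ascii", "replace")
    return {"aslr": bool(dllchars & DYNAMIC_BASE), "tls_section": tls_section}

def looks_like_reloc_tls_patch(data):
    """The marker from the thread: TLS directory inside .reloc and ASLR turned off."""
    ind = pe_indicators(data)
    return ind["tls_section"] == ".reloc" and not ind["aslr"]

def build_sample(aslr=True, tls_in_reloc=False):
    """Constructed minimal PE32+ header with .text and .reloc (headers only, no code)."""
    dos = (b"MZ" + b"\0" * 58 + struct.pack("<I", 0x80)).ljust(0x80, b"\0")
    coff = struct.pack("<HHIIIHH", 0x8664, 2, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                     # PE32+ magic
    struct.pack_into("<H", opt, 0x46, DYNAMIC_BASE if aslr else 0)
    struct.pack_into("<I", opt, 0x6C, 16)                     # NumberOfRvaAndSizes
    if tls_in_reloc:                                          # TLS dir -> former .reloc
        struct.pack_into("<II", opt, 0x70 + 8 * TLS_DIR, 0x3000, 0x28)
    secs = struct.pack("<8sIIII", b".text", 0x1000, 0x1000, 0x1000, 0x400) + b"\0" * 16
    secs += struct.pack("<8sIIII", b".reloc", 0x1000, 0x3000, 0x1000, 0x1400) + b"\0" * 16
    return dos + b"PE\0\0" + coff + bytes(opt) + secs

if __name__ == "__main__":
    print("clean:", looks_like_reloc_tls_patch(build_sample()))
    print("patched:", looks_like_reloc_tls_patch(build_sample(aslr=False, tls_in_reloc=True)))
```

On a real file, compare the result against the clean copy from WinSxS as well; a legitimate image can have a TLS directory, but never inside .reloc.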
 #14996  by EP_X0FF
 Fri Aug 03, 2012 6:55 am
Tigzy wrote:Thanks EP_X0FF.
My question was more "which tool do you use to disassemble x64 binary" :?
IDA Pro and Hiew are enough for everything.
 #15010  by EP_X0FF
 Sat Aug 04, 2012 1:10 am
Tigzy wrote:But Hiew is not a disassembler?
Who told you this? http://hiew.ru/#hiew
Tigzy wrote:@EP_X0FF

IDA Pro is .... for pros, and kinda expensive.
Hiew is not freeware either...
And what? I use company version so I don't really care :D

Offtop moved here
 #15021  by svinoth1610
 Sun Aug 05, 2012 7:44 pm
This malware also infects the services.exe on Windows Vista and Windows 7 systems. You have to replace the infected services.exe with the clean services.exe from the "c:\windows\winsxs" folder. Once it's replaced, reboot the system, and after the reboot you can delete the ZeroAccess CLSID folders from the "C:\windows\installer" and "C:\users\username\Appdata\Local" folders.
If you get a "file in use" error while deleting the ZeroAccess folder from %localappdata%, then it is most probably running under the explorer.exe process. In such a case use the "cacls" command to deny permission for the '@' and 'n' infections, which are present inside the folder, and reboot the system. After the reboot use "cacls" again to give permission for the '@' and 'n' files and delete them. You can also edit permissions using the "Security" tab in the Properties window.

This malware removes the following Windows services from the system: "Base filtering engine", "Security center", "Windows defender" and "Windows firewall".

It may also remove the "Background intelligent service" and "Windows update" services. These services should be manually added back to the system.