A forum for reverse engineering, OS internals and malware analysis 
 #7436  by pyrojoe
 Wed Jul 20, 2011 9:21 am
EP_X0FF wrote:
Flopik wrote:Is there a way to make a valid path for CreateFile with \Device\svchost.exe \svchost.exe ?
Maybe I need to add the SymbolicLink

NtCreateFile/DefineDosDevice
If you're using/reusing a tool that calls the Win32 CreateFile instead of writing new code, you can always use \\?\Globalroot\... to get to the root of the object mgr namespace. So you'd have "\\?\globalroot\device\svchost.exe" in this case.
 #7437  by rkhunter
 Wed Jul 20, 2011 9:23 am
Webroot wrote: ZeroAccess Gets Another Update.

Last week ZeroAccess received another update, and again it’s a major one. The rootkit shifted from a hidden encrypted file used as an NTFS filesystem volume to a more comfortable hidden directory created inside the Windows folder, where the rootkit still stores its configuration data and other malware in an encrypted form.

The folder where the rootkit will store its files is located at the path: C:\WINDOWS\$NtUninstallKBxxxxx$, where the Xs represent a unique number generated from characteristics of the infected system.

http://blog.webroot.com/2011/07/19/zero ... er-update/
 #7464  by Hawkes
 Wed Jul 20, 2011 7:37 pm
Hello everyone. I find this topic particularly interesting since I have an infected machine that I've been working on. I was hopeful over the past several days that by educating myself about ZA I would have a better understanding of how to tackle this and get control. It sounds like once someone is infected with this, there is little hope of removing it. I've been working with virus removal and recovery for a while now and I don't consider myself to be a beginner, but this is sending me back to kindergarten. I also understand that the primary purpose of this particular thread is not necessarily related to the removal of ZA, but rather reverse engineering it and analysis.

Since I have an infected machine I am willing to share any details at all regarding what I know that may help further the cause. Most people I know in the industry would have just wiped the hard drive clean at this point in the hopes that it would go away; however, I personally prefer to learn as much as I can about it in order to help me the next time. Since the winsock catalog and TCP/IP stack are corrupt, I am unable to run most utilities via the desktop. I have just burned a new SARDU DVD and will now begin working with it that way. Any additional insight or advice would be greatly appreciated; otherwise, I wish you all luck in your continued research and I very much appreciate it.

Regards,

Hawkes
 #7470  by Flopik
 Wed Jul 20, 2011 11:12 pm
Hawkes wrote:Hello everyone. I find this topic particularly interesting since I have an infected machine that I've been working on. I was hopeful over the past several days that by educating myself about ZA I would have a better understanding of how to tackle this and get control. It sounds like once someone is infected with this, there is little hope of removing it. I've been working with virus removal and recovery for a while now and I don't consider myself to be a beginner, but this is sending me back to kindergarten. I also understand that the primary purpose of this particular thread is not necessarily related to the removal of ZA, but rather reverse engineering it and analysis.

Since I have an infected machine I am willing to share any details at all regarding what I know that may help further the cause. Most people I know in the industry would have just wiped the hard drive clean at this point in the hopes that it would go away; however, I personally prefer to learn as much as I can about it in order to help me the next time. Since the winsock catalog and TCP/IP stack are corrupt, I am unable to run most utilities via the desktop. I have just burned a new SARDU DVD and will now begin working with it that way. Any additional insight or advice would be greatly appreciated; otherwise, I wish you all luck in your continued research and I very much appreciate it.

Regards,

Hawkes
From the Prevx paper:
Then the rootkit creates a new service registry key under HKLM\SYSTEM\CurrentControlSet\Services\ with the value .<name of the driver that will be infected> (e.g. .NdProxy). Inside this
registry key, the ImagePath value is set to \*
If you remove the service or disable it, it should at least stop it from restarting. You can test the disinfection using ProcessExplorer/Gmer; if you still see those processes killed, the malware is running. I've seen it put the Service registry key under an ACCESS denied protection, but they are not hidden (maybe rootkitrevealer can detect those). This will clearly indicate which service ZeroAccess is using.
 #7471  by Cody Johnston
 Thu Jul 21, 2011 1:16 am
The way that I was able to find the service is by running GMER. It may or may not find the service as a rootkit modification, but if it does, do not run the full scan; look in the Services tab. It should be right there at the top, looking like 12345678, and the description will be Microsoft-Compliant ACPI Virtual Bus. Delete the service from within GMER and then the key in the registry, usually located in HKLM\System\ControlSet002\12345678. You have to give yourself permissions to the key, then delete it and reboot, and you will be able to run scanners again. ;)
 #7477  by PX5
 Thu Jul 21, 2011 11:31 am
It is not an unrecoverable infection, it can be cured but it is a real PITA

Consider in my case: driver cdrom was jacked, so using tdsskiller provided some immediate relief of that problem, but I still replaced the affected driver and nuked ZA's loaded corrupt module.

I then had other goodies to rid myself of, depending on variant of ZA.

C:\Windows\Assembly\GAC_MSI\Desktop.ini must be deleted; I used gmer since the file isn't visible from user mode.

I had to play with ZA module, dump and locate the exact name of the .nls file to remove it.

Thanks to tammy at GFI, I was able to find out: using AgentRansack and its string search, searching the entire disk for c_12345.nls, I located 4 or 5 legit services which ZA had patched; disabling and removing or repairing all affected services rendered the reinfection process null.

I had to replace the windows update executable as it was also patched via ZA, but after all this, the infection seems cured to me.

As said, not incurable but a real PITA
 #7488  by Hawkes
 Thu Jul 21, 2011 4:40 pm
Hey gang. I am thinking I have the newer version that rkhunter mentions a few posts back and links to a webroot blog post. Let me show you a copy of a portion of the latest ComboFix log with the catchme information...
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-07-21 11:15
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLCJCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLCJtime.dll,RunDLLEntry???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
.
scanning hidden files ...
.
.
c:\windows\$NtUninstallKB6522$:SummaryInformation 0 bytes hidden from API
.
scan completed successfully
hidden files: 1
.
**************************************************************************
I wasn't too concerned about the DLCJtime.dll piece since I found a Dell troubleshooting article referring to issues with the Dell AIO printers. The piece that gives me the impression that this is the newer version that rkhunter linked is the hidden files at c:\windows\$NtUninstallKB6522$. Using normal file/folder options to unhide OS files etc., this still does not show up for me, which I expected, and wouldn't lead me to the proper file store anyway.

Now in regards to the suggestions that have been presented... Flopik referenced the PREVX paper that provided a registry key to look at and unfortunately, I did not see any keys there to fit the description provided unless it's a .NET reference, in which case none of those entries has an image path pointing to \*. Also, as I remember reading further into the article, once the driver runs for the first time, the registry key pointing to the .<driver> isn't needed and is deleted. Since this has run several times I'm sure, I'm well past finding that key anyway. Nothing else I've done, including running GMER by itself, has led me to anything that I can see that might point me in the right direction. Since ComboFix runs several utilities in the background, I wonder which one is detecting ZA and its tcpip corruption. I'm open again for more thoughts and suggestions.

UPDATE: I'm now able to connect via the internet and update software. There were some remnants of a McAfee installation and the firewall showed to be running in the combofix log. I ran MCPR.exe and that opened up the network connections.
 #7514  by Hawkes
 Fri Jul 22, 2011 3:05 pm
I wanted to share the results of the catchme.log file I ran this morning. It shows the hidden folder and its contents.
C:\WINDOWS\$NtUninstallKB6522$:SummaryInformation 0 bytes hidden from API
C:\WINDOWS\$NtUninstallKB6522$\1136854841 0 bytes
C:\WINDOWS\$NtUninstallKB6522$\1923650605
C:\WINDOWS\$NtUninstallKB6522$\1923650605\click.tlb 2144 bytes
C:\WINDOWS\$NtUninstallKB6522$\1923650605\L
C:\WINDOWS\$NtUninstallKB6522$\1923650605\L\hvmonmrs 162816 bytes
C:\WINDOWS\$NtUninstallKB6522$\1923650605\loader.tlb 2540 bytes
C:\WINDOWS\$NtUninstallKB6522$\1923650605\U
C:\WINDOWS\$NtUninstallKB6522$\1923650605\U\@00000001 54368 bytes
C:\WINDOWS\$NtUninstallKB6522$\1923650605\U\@000000c0 2560 bytes
C:\WINDOWS\$NtUninstallKB6522$\1923650605\U\@000000cb 2048 bytes
C:\WINDOWS\$NtUninstallKB6522$\1923650605\U\@000000cf 1536 bytes
C:\WINDOWS\$NtUninstallKB6522$\1923650605\U\@80000000 24576 bytes
C:\WINDOWS\$NtUninstallKB6522$\1923650605\U\@800000c0 33280 bytes
C:\WINDOWS\$NtUninstallKB6522$\1923650605\U\@800000cb 27648 bytes
C:\WINDOWS\$NtUninstallKB6522$\1923650605\U\@800000cf 27648 bytes
C:\WINDOWS\$NtUninstallKB6522$\1923650605\{1B372133-BFFA-4dba-9CCF-5474BED6A9F6} 2048 bytes
Based on this, I wanted to ask suggestions on moving forward. I don't want to tie my own hands on this by not doing this correctly.

Thanks.
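As an added example (not code from the thread or from any of the tools named in it), here is a small triage script for the kind of catchme "hidden files" listing Hawkes posted above, tying it back to the $NtUninstallKBxxxxx$ folder described in the Webroot quote earlier in the thread. It parses each line into path, size and the "hidden from API" flag, groups entries by their uninstall-folder root, and scores each root against the layout visible in the posted log (ADS on the root, numeric subfolder, L and U subfolders, U\@xxxxxxxx files, the click.tlb/loader.tlb pair). The sample log, the KB000000 benign folder and the scoring indicators are my own constructions.

```python
import re

# Constructed sample in the layout of the catchme "hidden files" lines posted in
# the thread; the KB000000 entry is a made-up benign hotfix uninstall folder.
SAMPLE_LOG = r"""
c:\windows\$NtUninstallKB6522$:SummaryInformation 0 bytes hidden from API
C:\WINDOWS\$NtUninstallKB6522$\1923650605\click.tlb 2144 bytes
C:\WINDOWS\$NtUninstallKB6522$\1923650605\L\hvmonmrs 162816 bytes
C:\WINDOWS\$NtUninstallKB6522$\1923650605\loader.tlb 2540 bytes
C:\WINDOWS\$NtUninstallKB6522$\1923650605\U\@80000000 24576 bytes
C:\WINDOWS\$NtUninstallKB000000$\spuninst\spuninst.exe 218624 bytes
"""

# One catchme line: path, optional "<n> bytes", optional trailer such as "hidden from API".
LINE_RE = re.compile(r"^(?P<path>\S+)(?:\s+(?P<size>\d+)\s+bytes)?(?P<rest>.*)$")
# The $NtUninstallKBxxxxx$ root under the Windows folder, as named in the Webroot quote.
ROOT_RE = re.compile(r"^(?P<root>[a-z]:\\windows\\\$ntuninstallkb\d+\$)(?P<rest>.*)$", re.I)

def parse_catchme_hidden_files(text):
    """Turn catchme 'hidden files' lines into dicts: path, size, hidden_from_api."""
    lines = [l.strip() for l in text.splitlines() if l.strip() not in ("", ".")]
    entries = []
    for m in (LINE_RE.match(l) for l in lines):
        entries.append({"path": m.group("path"),
                        "size": int(m.group("size")) if m.group("size") else None,
                        "hidden_from_api": "hidden from API" in m.group("rest")})
    return entries

def score_layout(rel_paths):
    """My own heuristic: indicators of the folder layout posted in the thread."""
    names = {r.rsplit("\\", 1)[-1].lower() for r in rel_paths}
    ind = {
        "ads_on_root": any(r.lower().startswith(":summaryinformation") for r in rel_paths),
        "numeric_subdir": any(re.match(r"^\\\d+(\\|$)", r) for r in rel_paths),
        "l_and_u_dirs": all(any(re.match(r"^\\\d+\\%s(\\|$)" % d, r) for r in rel_paths)
                            for d in ("L", "U")),
        "at_files_in_u": any(re.search(r"\\U\\@[0-9a-f]{8}$", r, re.I) for r in rel_paths),
        "tlb_pair": {"click.tlb", "loader.tlb"} <= names,
    }
    return ind, sum(ind.values())

def analyze_catchme_log(text):
    """Group hidden entries by $NtUninstallKB...$ root and score each root's layout."""
    groups = {}
    for e in parse_catchme_hidden_files(text):
        m = ROOT_RE.match(e["path"])
        if m:
            groups.setdefault(m.group("root").lower(), []).append(m.group("rest"))
    return {root: dict(zip(("indicators", "score"), score_layout(rels)))
            for root, rels in groups.items()}
```

A root scoring 0 or 1 is most likely a genuine hotfix uninstall folder; the one from the posted log hits all five indicators.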
 #7518  by ConanTheLibrarian
 Fri Jul 22, 2011 6:32 pm
Although I applaud and even support your need to figure this out, I don't think this is the proper forum. Malware authors also can see this and will do their best to counteract any methods mentioned here. Giving them that edge will not help matters.
 #7519  by Hawkes
 Fri Jul 22, 2011 6:47 pm
Conan I understand completely.

Thanks everyone for your suggestions. Should anyone have any other thoughts, please feel free to PM me. Sorry to have taken up your thread.