[Blaze]

Not everything with ZeroAccess string is ZeroAccess malware and not every ZeroAccess malware has ZeroAccess string inside.

True, but the certificate was back to normal after formatting the machine .... Thanks for your input, as always.

[360Tencent]

http://www.f-secure.com/weblog/archives/00002385.html

[Tigzy]

3. If everything fine it additional memory pages in Explorer.exe memory and maps another shellcode here, causing "n" to be loaded inside Explorer.exe. "n" includes "desktop.ini" component inside as raw data.

You mean "services.exe" instead, right?

[EP_X0FF]

3. If everything fine it additional memory pages in Explorer.exe memory and maps another shellcode here, causing "n" to be loaded inside Explorer.exe. "n" includes "desktop.ini" component inside as raw data.

You mean "services.exe" instead, right?

No I mean shellcode with LdrLoadDll AFAIR in the context of Explorer.exe

Take decrypted sirefef dropper and try yourself. Set breakpoints on NtAllocateVirtualMemory, NtWriteVirtualMemory.

[Quads]

Here is the 3rd services.exe MD5 I know of attached

Quads

[EP_X0FF]

Here is the 3rd services.exe MD5 I know of attached

Quads

The x86 version of services.exe, this means infection is cross-platform. Infection hash values for NativeAPI are the same.

[thisisu]

MD5: c6e73a75284507a41da8bef0db342400
https://www.virustotal.com/file/be00ef4 ... /analysis/

[EP_X0FF]

MD5: c6e73a75284507a41da8bef0db342400
https://www.virustotal.com/file/be00ef4 ... /analysis/

Unpacked container in attach. Notice few additional modules (e32, e64, w32, w64)

[EP_X0FF]

Services.exe infection code identified :)

[thisisu]

Services.exe infection code identified :)

Nice! Looking forward to your analysis :)