A forum for reverse engineering, OS internals and malware analysis 

 #14024  by kmd
 Sat Jun 16, 2012 1:19 pm
EP_X0FF wrote:
DragonMaster Jay wrote:Looks like Sirefef is opening files from a device driver...
Current version has no device drivers.
then writing MD5 strings in C...what gives? Changing device driver code?
No, it doesn't. This is Universally Unique Identifier (UUID) generation for the Sirefef folder name. It calculates an MD5 of the system volume creation time value and converts it to UUID format. It is obvious from the code posted above.

How much time is required for a full Sirefef dropper+payload reconstruction? Theoretically?
 #14026  by EP_X0FF
 Sat Jun 16, 2012 2:40 pm
kmd wrote:
EP_X0FF wrote:
DragonMaster Jay wrote:Looks like Sirefef is opening files from a device driver...
Current version has no device drivers.
then writing MD5 strings in C...what gives? Changing device driver code?
No, it doesn't. This is Universally Unique Identifier (UUID) generation for the Sirefef folder name. It calculates an MD5 of the system volume creation time value and converts it to UUID format. It is obvious from the code posted above.

How much time is required for a full Sirefef dropper+payload reconstruction? Theoretically?
Out of interest, for what reason? Want your own P2P botnet? Dropper and payload share some routines; a couple of days maybe, with a team it will take less time.
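The folder-name scheme EP_X0FF describes above (MD5 over the system volume creation time, reinterpreted as a UUID) is something an incident responder can reproduce to predict which directory name to look for on a given machine. The script below is an added illustration, not code from the thread or from the malware: it assumes the creation time is hashed as its raw little-endian 64-bit FILETIME and that the 16-byte digest is laid out directly as a UUID in 8-4-4-4-12 form. Both are assumptions; the sample's actual byte order could differ, so treat it as a template to adjust against the disassembly.

```python
import hashlib
import struct
import uuid
from datetime import datetime, timezone

# Windows FILETIME counts 100-ns intervals since 1601-01-01 UTC; this is the
# offset between that epoch and the Unix epoch (1970-01-01).
_EPOCH_DIFF_100NS = 116444736000000000


def datetime_to_filetime(dt: datetime) -> int:
    """Convert a timezone-aware datetime to a 64-bit Windows FILETIME."""
    unix_100ns = int(dt.timestamp()) * 10_000_000
    return unix_100ns + _EPOCH_DIFF_100NS


def md5_hex_of_filetime(filetime: int) -> str:
    """MD5 (hex) over the raw little-endian 8-byte FILETIME.
    ASSUMPTION: the sample hashes the integer in this byte order."""
    return hashlib.md5(struct.pack("<Q", filetime)).hexdigest()


def folder_name_from_creation_time(filetime: int) -> str:
    """Derive the UUID-style folder name from a volume creation time.
    ASSUMPTION: the 16 digest bytes are read as a UUID without byte swapping."""
    digest = hashlib.md5(struct.pack("<Q", filetime)).digest()
    return str(uuid.UUID(bytes=digest))


def candidate_names(filetime: int) -> list:
    """Return both plausible UUID layouts (plain and mixed-endian) so a responder
    can check either spelling; which one the sample uses is unknown here."""
    digest = hashlib.md5(struct.pack("<Q", filetime)).digest()
    return [str(uuid.UUID(bytes=digest)), str(uuid.UUID(bytes_le=digest))]


if __name__ == "__main__":
    # Constructed sample value: a volume created 2012-06-16 00:00 UTC.
    # On a live Windows host you would read the real value with
    # os.stat("C:\\").st_ctime (creation time on Windows) instead.
    ft = datetime_to_filetime(datetime(2012, 6, 16, tzinfo=timezone.utc))
    print("FILETIME:", ft)
    for name in candidate_names(ft):
        print("candidate folder name:", name)
```

Run it on a suspect machine with the real root-volume creation time and compare the candidates against directory listings of the usual hiding places; a match on either layout is a strong indicator of this family's presence.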
 #14034  by thisisu
 Sat Jun 16, 2012 10:18 pm
DragonMaster Jay wrote:Random redirect client: c:\windows\iun6002.exe (could be part of BitCoin Miner)
Legit
iun6002.exe with description SUF60Runtime is a process file from company Indigo Rose Corporation belonging to product Setup Factory 6.0 Runtime Module.
The file is not digitally signed.
http://www.runscanner.net/lib/iun6002.exe.html
 #14036  by Quads
 Sun Jun 17, 2012 12:59 am
Anyone seen a variant where System Restore has problems afterwards, plus no Internet connection and Windows is stuck in classic view (taskbar etc.)?

Quads