[thisisu]

ZeroAccess CLSID variant
MD5: cfe9063076314bf1ce4a03a0e69a167d
https://www.virustotal.com/file/66e15bd ... /analysis/
Desktop.ini included

[EP_X0FF]

x86 XP SP3, I see mass injection in the trusted processes, also it downloaded bitcoin miner and injected into trusted process address space.

How to get this crap modify services.exe? :)

0x35670000 Ldr suspicious modification-->MSWSOCK.dll [ EPROCESS 0x81D94888 ] PID: 1192 [SDBN][VFN][FEP][FRS][FTDS], size: 20480 bytes
0x35670000 Ldr suspicious modification-->mswsock.dll [ EPROCESS 0x81D9EA78 ] PID: 1368 [SDBN][VFN][FEP][FRS][FTDS], size: 20480 bytes
0x35670000 Ldr suspicious modification-->mswsock.dll [ EPROCESS 0x81C2F560 ] PID: 1856 [SDBN][VFN][FEP][FRS][FTDS], size: 20480 bytes
0x00400000 Ldr suspicious modification-->svchost.exe [ EPROCESS 0x81C2F560 ] PID: 1856 [SDBN][SDFN][VFN][FEP][FRS][FTDS], size: 995328 bytes

where SDBN - Duplicate entry for such BaseDllName in PEB found, VFN - Vad entry name different than module name, FEP - File entry point mismatch with PEB data, FRS - File raw size mismatch with PEB data, FTDS - File time date stamp mismatch with PEB data, so basically ZeroAccess replaced system dll code in memory (mswsock.dll) with it own code and made corresponding modification to the PEB Ldr part.

Additionally MSS completely removed all sensitive components of this malware after full scan.

edit:

Just to mention. Tried latest release of Dr.Web CureIt on the following sample (DB from 04 June) - complete failure. Nothing detected - not on disk nor in memory.
CureIt 7 beta - same fail.

KVRT 2011 with full system disk scan + memory -> complete failure. Custom scan - same. Additionally it identified OllyDbg StrongOD plugin as Rootkit.Win32.Agent.biwb, cool story bro.
Hmm, one day old dropper identified correctly as ZAccess, but all actuall components are undetected.

[Gabethebabe]

I am having some fun with a user whose computer is infected by Zaccess. Combofix detects it, but enters an infinite reboot loop and fails to get rid of it. The symantec and eset dedicated tools find nothing. aswMBR,TDSSKiller find nothing.

I noted that TDSSKiller report an MD5 for vgapnp.sys of 7d92be0028ecdedec74617009084b5ef and when I later did an MD5 check with on offline tool (OTLPE disk, running systemlook) it reported 87B06E1F30B749A114F74622D013F8D4 for the same file. Both MD5s appear to be legit though.

https://www.virustotal.com/file/06c06ef ... /analysis/
https://www.virustotal.com/file/d0749ce ... /analysis/

So I think I'm going to try and find the infected driver by a dumb kaspersky boot disk scan, unless any of you has a better idea.

EDIT: funny/interesting detail: when I asked user to download combofix and save it under another name (svchost,exe), running this would result in svchost.exe being renamed back to combofix.exe. Dunno if this is a combofix functionality or a LOL FU from zaccess

[thisisu]

@Gabethebabe
Can you link us to topic?
________________

Here's another ZeroAccess CLSID variant.
MD5: fa9016e653011e13e32a188c1a663e97
https://www.virustotal.com/file/4902fce ... 338807038/

[Gabethebabe]

Sure
I already looked through recent topics on MG, but all ZA infections I found there are kind enough to allow CF to run :p

http://www.geekpolice.net/t28819-root-kitzero-access

You can see all my failboat experiments.

I ran the systemlook Md5 action to compare with TDSSKiller results.
The DDS log shows something that looks like a malicious service (2012-05-31 13:18:20 0 ----a-w- c:\windows\system32\sho5BF7.tmp). I haven´t tried to do anything about this file, because I'm like 99% it will respawn under another name after rebooting.

[B-boy/StyLe/]

@Gabethebabe

You can run a quick scan with MBAM. The latest defs can handle with this variant very well.
Also run a scan with HitmanPro and OTL custom scan including:

Code: Select all

HKEY_CURRENT_USER\Software\Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1} /s
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1} /s

Regards,
Georgi

[Gabethebabe]

Thanks Georgi

Running a Hitman Pro scan now on my own computer to see what logs it produces.
keepass.exe is considered suspicious and OTL.exe is identified as trojan.siggen4.2299 (lol).

[erikloman]

Thanks Georgi

Running a Hitman Pro scan now on my own computer to see what logs it produces.
keepass.exe is considered suspicious and OTL.exe is identified as trojan.siggen4.2299 (lol).

For being suspicious it means keepass.exe scores 21.0 points or more. Can you send me the log by PM? I will have a look at OTL.exe fp.

[Gabethebabe]

For being suspicious it means keepass.exe scores 21.0 points or more. Can you send me the log by PM? I will have a look at OTL.exe fp.

On its way. A second scan did not flag OTL.exe anymore btw.

[Gabethebabe]

malware case update

I ran MBAM with latest sigs - nothing
I ran hitmanpro - it found some irrelevant vundo stuff, ate some cookies and flagged SearchFilterHost.exe as suspicious, but that file resulted to be legit.

I can't run OTL on the infected system - it halts during the scan.

So all tools are breaking their teeth on this zaccess variant aorn