A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #13172  by rkhunter
 Sat May 12, 2012 8:15 am
EP_X0FF wrote:Maybe they are finally realized - it was a worst piece of shit? If speak seriously if you take a look on zeroaccess timeline - it's about time for another generation. So probably there will be something interesting in future.
So, this world only for bootkits now :shock:
 #13179  by thisisu
 Sat May 12, 2012 5:27 pm
EP_X0FF wrote:So probably there will be something interesting in future.
I hope so :P
This rootkit has been very fun to follow thus far.

The CLSID / user-mode backdoor only variant does some interesting stuff to certain anti-malware tools, like OTL and MGtools. I took some footage here

Attaching a log from MGtools that gets messed up due to this variant. Enjoy!
Attachments
(3.06 KiB) Downloaded 72 times
 #13229  by Quads
 Tue May 15, 2012 8:25 pm
Have a PC with zeroaccess and the panda tool removed the services.

But the file

2012-05-13 00:42 . 2012-05-13 00:42 138496 ----a-w- c:\windows\system32\drivers\afd.sys.vir

Is detected but does not appear to exist (as an image only) Combofix logs in the list but does not find the file to delete it

This file also appears

2012-05-13 00:42 . 2012-05-13 00:42 138496 ----a-w- c:\windows\system32\drivers\afd.sys.org

Quads
 #13231  by Quads
 Tue May 15, 2012 11:00 pm
The user installed and ran many tools and more than one AV before asking for help, I have the user uninstall some before we started, Still have leftover folders

The logs so far are attached, 3 here 2 more to come

Quads
Attachments
(1.99 KiB) Downloaded 51 times
(958 Bytes) Downloaded 46 times
(37.06 KiB) Downloaded 45 times
 #13233  by thisisu
 Tue May 15, 2012 11:19 pm
Is the user's internet broken? According to yorkyt, afd.sys is present (but do not know if it is legit copy). Do you need help or are you just pointing out the .vir and .org extensions to afd.sys?

Last I checked, yorkyt adds a .bad extension to the files (not .vir or .org)

Side note: Looks like the user installed Norton midway through procedure (according to ComboFix2.txt).
 #13234  by Quads
 Tue May 15, 2012 11:32 pm
The afd.sys.vir and afd.sys.vir was present before the use of yorkyt

First combofix log (combofix.txt) and MSE detections were run before asking for help online, as were TDSSkiller, spyhunter Hitmanpro and whatever else,

Order oldest to newest log at bottom

combofix.txt
MSE Detections.txt
aswMBR.txt
yorkyt.exe.log
combofix2.txt

The user has the internet.

I am just point it out at the moment

FSS.txt attached, afd.sys is legit

Quads
Attachments
(2.17 KiB) Downloaded 44 times
  • 1
  • 2
  • 3
  • 4
  • 5
  • 56