A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #8200  by rkhunter
 Mon Aug 22, 2011 10:15 am
nullptr wrote:Another ZeroAccess MD5: E6823F932C2B40D2025D78BB78D64458
+ decrypted (as far as Diablo2002 loader) + other bits.
Creates a folder %windir%\$NtUninstallKB494$, which is actually a symlink (i.e. contains a $SYMBOLIC_LINK attribute).
But I noticed a new behavior: it creates a startup key with image path \systemroot\4151568013:1914276872.exe.
The main $DATA stream in file 4151568013 is empty, but the second stream stores its driver.
 #8354  by rough_spear
 Tue Aug 30, 2011 3:28 pm
Hi All,
One more sample of Max++/ZeroAccess rootkit. :lol:

File Name - ZAccess-27-08-2011.7z
Password - malware.

Regards,

rough_spear.
 #8360  by Ladik
 Wed Aug 31, 2011 7:58 am
rkhunter wrote:Creates a folder %windir%\$NtUninstallKB494$, which is actually a symlink (i.e. contains a $SYMBOLIC_LINK attribute).
But I noticed a new behavior: it creates a startup key with image path \systemroot\4151568013:1914276872.exe.
The main $DATA stream in file 4151568013 is empty, but the second stream stores its driver.
Just a note: the name of $NtUninstallKB494$ changes (depending on system volume date and time). The second stream of the above-mentioned service contains an EXE. When a process tries to open that stream, it is killed and its EXE is deleted.
 #8362  by rkhunter
 Wed Aug 31, 2011 8:18 am
Ladik wrote:
rkhunter wrote:Creates a folder %windir%\$NtUninstallKB494$, which is actually a symlink (i.e. contains a $SYMBOLIC_LINK attribute).
But I noticed a new behavior: it creates a startup key with image path \systemroot\4151568013:1914276872.exe.
The main $DATA stream in file 4151568013 is empty, but the second stream stores its driver.
Just a note: the name of $NtUninstallKB494$ changes (depending on system volume date and time). The second stream of the above-mentioned service contains an EXE. When a process tries to open that stream, it is killed and its EXE is deleted.
I made a mistake when I wrote about the driver; it's an exe file and not a driver.
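Added example, not code from any poster in this thread: a small Python check for the two traits rkhunter and Ladik describe above, a service whose ImagePath points at a secondary NTFS data stream (the `host:stream.exe` form) of a host file with an all-numeric name. The ImagePath values are constructed sample data; on a live system they would be read from HKLM\SYSTEM\CurrentControlSet\Services\<name>\ImagePath.

```python
import re

# Constructed sample of Services\<name>\ImagePath values. "4151568013" mirrors the
# \systemroot\4151568013:1914276872.exe form from the thread; the rest are benign shapes.
SAMPLE_IMAGE_PATHS = {
    "Beep": r"system32\drivers\beep.sys",
    "Spooler": r"%SystemRoot%\System32\spoolsv.exe",
    "VendorSvc": r'"C:\Program Files\Vendor\svc.exe" -run',
    "Audit": r"\??\C:\Windows\system32\drivers\audit.sys",
    "4151568013": r"\systemroot\4151568013:1914276872.exe",
    "HostedADS": r"C:\Windows\Temp\update.log:payload.exe:$DATA",
}

def image_file(value):
    """Extract the executable path from an ImagePath value (quoted or unquoted)."""
    value = value.strip()
    if value.startswith('"'):
        return value[1:].split('"', 1)[0]
    if value.startswith("\\??\\"):          # NT object-manager prefix used by drivers
        value = value[4:]
    return value.split()[0]                 # unquoted: treat the first token as the path

def ads_stream(path):
    """Return (host_file, stream_name, stream_type) when the final path component
    names an NTFS alternate data stream, else None. A drive-letter colon
    ("C:beep.sys") is not a stream separator."""
    last = re.split(r"[\\/]", path)[-1]
    if last == path and re.match(r"^[A-Za-z]:", last):
        last = last[2:]
    if ":" not in last:
        return None
    parts = last.split(":")
    return parts[0], parts[1], (parts[2] if len(parts) > 2 else "$DATA")

def assess(value):
    """Reasons an ImagePath resembles the ZeroAccess service entry from the thread."""
    path = image_file(value)
    ads = ads_stream(path)
    host = ads[0] if ads else re.split(r"[\\/]", path)[-1]
    reasons = []
    if ads:
        reasons.append("ads")             # executable lives in a secondary $DATA stream
    if host.isdigit():
        reasons.append("numeric_name")    # host file named with digits only
    return reasons

def scan(image_paths):
    """Map service name -> reasons for every service with at least one reason."""
    hits = {}
    for name, value in image_paths.items():
        reasons = assess(value)
        if reasons:
            hits[name] = reasons
    return hits
```

`scan(SAMPLE_IMAGE_PATHS)` flags only the two stream-hosted entries; the numeric-name trait alone is a weak signal and is reported only alongside the stream check.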
 #8476  by EP_X0FF
 Thu Sep 08, 2011 3:24 pm
Fresh sample.

Payload of trojan downloader from Blackhole exploit kit (annunciatorssg.info/main.php?page=e4a6f1dda2879502)
I'm Luke Skywalker. I'm here to rescue you. Help me, Obi-Wan Kenobi; you're my only hope.
Trap process and trap registry key are still in place.

Downloader and rootkit dropper in attach.
Attachments
pass: malware
 #8499  by rough_spear
 Fri Sep 09, 2011 4:22 pm
Hi All,
Two more new samples. Two files are identical in size and MD5 signature, but the third file has a different signature.
ZAccess "doggie" style. ;)


web links -
hxxp://xhotvids57.tk/new/dogsex_004.avi.exe
hxxp://xhotvids57.tk/new/dog-doing-girl.avi.exe
hxxp://xhotvids57.tk/new/animal-porn-movie.avi.exe


File name: animal-porn-movie.avi.exe and dog-doing-girl.avi.exe
File size: 215 KB
MD5 : 207da9df62e772e5c5c9b99ab68448ba
SHA1 : b3ac9f8df86ef2aad9f7dcb6a6b2f301de3bf6ff
SHA256: 0a26afbcfb8fafa3468bb7bf89a35b1d6527e123fb002e1d10f89ecd9af137b7
ssdeep: 6144:/FjKe8fKuPIMLqL9J7794tk57yUkHtWVQnaoCut77qfzr:tjh8fhIMLE74yyxQXe77Yzr

VT link - http://www.virustotal.com/file-scan/rep ... 1315577467

File name: dogsex_004.avi.exe
File size:202 KB
MD5 : 5701b7220c9b1d714c4ef4bd3cf1d632
SHA1 : ed964af09f6f56147caf15cf3b1d0fbaa5790eb7
SHA256: bcd75adedaaa9a461d83f482d9ddf6e1b517e94bab7c42264f44aa9ac85aa186
ssdeep: 3072:zvZfWnqrmPFrK0N+kwWr4UMk49B0l/MqoMQYczx29LWsr/OQ7lB4ODpE7EIuOys0:FfxmM00mqKoH41VJlB4q0uOa88


VT link - http://www.virustotal.com/file-scan/rep ... 1315582726


Regards,


rough_spear. 8-)
Attachments
File name - ZAccess_09-Sep-2011.7z
password - malware.
 #8615  by rough_spear
 Sun Sep 18, 2011 11:28 am
Hi,
One more ZAccess dropper. I think the ZAccess author is an animal sxx lover. :lol:

File name - animal-porn-movie.avi.exe
File size - 231 KB

packed with UPX

MD5 : ca667d3308ac178a592e89dbd65a2203
SHA1 : b1a113482c6ee1692100e207c01d79720f1c90b4
SHA256: aca0b98b1612132b1c012a1dac3f84e1e935ed0e3e7534c23849f7bbca14e693
ssdeep: 6144:6gNSd1F+LElqDlODl9YnuodvmYH4+LJG4bL:6gSf+oYDcYuiL4uG

VT Link - http://www.virustotal.com/file-scan/rep ... 1316343126

Web link - hxxp://magicxhub103.tk/new/animal-porn-movie.avi.exe


Regards,


rough_spear. ;)
Attachments
File name - ZAccess.7z
password - malware.