UPDATE: As of 4 August 2013, a new variant of ZeroAccess, called the RTL variant (for right-to-left, a Unicode trick this malware uses to avoid removal), has been in the wild for some days (maybe weeks).
RogueKiller build 8.6.5 and later is able to remove that variant, in 2 steps:
- First removal: RUN key, Service key, service kill, and some file/folder deletions.
- Then a reboot is necessary to refresh the computer's memory.
- Second removal: deletion of the remaining files/folders.
Analysis
This variant uses a trick: it inserts Unicode characters into registry value names. Because of that, the Win32 API is fooled and never finds the given name (when trying to delete it, for example). The RUN key hive dump indeed shows some weird characters in the value name.
Here are some Process Monitor logs showing the calls the trojan uses to fool AV detection and API-based removal:
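To make the trick concrete, here is a small added example (my own code, not RogueKiller's and not from the original post) that flags names containing Unicode bidirectional control characters or other invisible code points, prints them in an escaped form so the hidden characters become visible, and shows how a name prefixed with RLO (U+202E) is displayed. The service name in the report above, "etadpug", is "gupdate" reversed, which is what an RLO prefix produces on screen. The sample names are constructed, and the `visual_form` rendering is a deliberate simplification of the Unicode bidi algorithm (one RLO, optionally closed by PDF, no nesting); the real names would be read from the registry or file system.

```python
import unicodedata

# Unicode bidi control characters. RLO (U+202E) is the one behind the
# "right-to-left" trick, but the whole family deserves a flag in a name.
BIDI_CONTROLS = {
    "\u200e": "LRM", "\u200f": "RLM",
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF",
    "\u202d": "LRO", "\u202e": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
}

# Unicode general categories that never belong in a legitimate value name:
# format (Cf), control (Cc), unassigned (Cn) and private-use (Co).
HIDDEN_CATEGORIES = ("Cf", "Cc", "Cn", "Co")


def escape_name(name):
    """Return the name with every non-printable-ASCII code point as \\uXXXX,
    so a log reader sees the exact bytes instead of a mangled glyph."""
    return "".join(
        ch if 0x20 <= ord(ch) < 0x7F else f"\\u{ord(ch):04x}" for ch in name
    )


def analyze_name(name):
    """Classify one registry value / service / file name.

    Returns the escaped form, the bidi controls found (position, mnemonic),
    any other hidden code points (position, U+XXXX) and a suspicious flag."""
    bidi = [(i, BIDI_CONTROLS[ch]) for i, ch in enumerate(name) if ch in BIDI_CONTROLS]
    hidden = [
        (i, f"U+{ord(ch):04X}")
        for i, ch in enumerate(name)
        if ch not in BIDI_CONTROLS and unicodedata.category(ch) in HIDDEN_CATEGORIES
    ]
    return {
        "escaped": escape_name(name),
        "bidi_controls": bidi,
        "other_hidden": hidden,
        "suspicious": bool(bidi or hidden),
    }


def visual_form(name):
    """Simplified rendering: text after an RLO (U+202E) is displayed reversed
    until a PDF (U+202C) or the end of the string; other bidi controls are
    invisible. Assumption: a simplification of the Unicode bidi algorithm that
    is enough for plain-letter names such as the one in the report."""
    out, i = [], 0
    while i < len(name):
        ch = name[i]
        if ch == "\u202e":
            end = name.find("\u202c", i + 1)
            end = len(name) if end == -1 else end
            out.append(name[i + 1:end][::-1])
            i = end + 1
        elif ch in BIDI_CONTROLS:
            i += 1
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def scan_names(names):
    """Return (escaped name, displayed name, findings) for each suspicious entry."""
    report = []
    for name in names:
        result = analyze_name(name)
        if result["suspicious"]:
            report.append((result["escaped"], visual_form(name), result))
    return report


if __name__ == "__main__":
    # Constructed sample names: one clean, one RLO-reversed service name,
    # one padded with a zero-width space (U+200B).
    samples = ["Google Update", "\u202eetadpug", "Google Update\u200b"]
    for escaped, shown, result in scan_names(samples):
        print(f"{escaped!r} is displayed as {shown!r}: "
              f"bidi={result['bidi_controls']} hidden={result['other_hidden']}")
```

Run against a dump of value names, service names or directory entries, the escaped form is what you want in a ticket or a detection rule: the displayed form is exactly what the trick is designed to make look harmless.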
Removal
Scan your computer with RogueKiller and remove the registry keys and files. You will need to reboot once, then rescan and delete again to remove the remaining files. Please look at the demo video.
Your reports should look like this (with the text in your own language):
First Removal
¤¤¤ Processus malicieux : 1 ¤¤¤
[ZeroAccess][SERVICE] ???etadpug -- "C:\Program Files (x86)\Google\Desktop\Install\{5277d95b-9f86-a171-e7f7-7295c86fb4e0}\ \...\???ﯹ๛\{5277d95b-9f86-a171-e7f7-7295c86fb4e0}\GoogleUpdate.exe" < [x] -> STOPPÉ
¤¤¤ Entrees de registre : 9 ¤¤¤
[RUN][ZeroAccess] HKCU\[...]\Run : Google Update ("C:\Users\tigzy\AppData\Local\Google\Desktop\Install\{5277d95b-9f86-a171-e7f7-7295c86fb4e0}\?��?��?��\?��?��?��\???ﯹ๛\{5277d95b-9f86-a171-e7f7-7295c86fb4e0}\GoogleUpdate.exe" >) -> SUPPRIMÉ
[RUN][ZeroAccess] HKUS\S-1-5-21-2206154676-624830379-3717449681-1001\[...]\Run : Google Update ("C:\Users\tigzy\AppData\Local\Google\Desktop\Install\{5277d95b-9f86-a171-e7f7-7295c86fb4e0}\?��?��?��\?��?��?��\???ﯹ๛\{5277d95b-9f86-a171-e7f7-7295c86fb4e0}\GoogleUpdate.exe" >) -> [0xc0000034] Unknown error
[SERVICE][ZeroAccess] HKLM\[...]\CCSet\[...]\Services : ???etadpug ("C:\Program Files (x86)\Google\Desktop\Install\{5277d95b-9f86-a171-e7f7-7295c86fb4e0}\ \...\???ﯹ๛\{5277d95b-9f86-a171-e7f7-7295c86fb4e0}\GoogleUpdate.exe" < [x]) -> SUPPRIMÉ
[SERVICE][ZeroAccess] HKLM\[...]\CS001\[...]\Services : ???etadpug ("C:\Program Files (x86)\Google\Desktop\Install\{5277d95b-9f86-a171-e7f7-7295c86fb4e0}\ \...\???ﯹ๛\{5277d95b-9f86-a171-e7f7-7295c86fb4e0}\GoogleUpdate.exe" < [x]) -> [0x57] Paramètre incorrect.
[SERVICE][ZeroAccess] HKLM\[...]\CS002\[...]\Services : ???etadpug ("C:\Program Files (x86)\Google\Desktop\Install\{5277d95b-9f86-a171-e7f7-7295c86fb4e0}\ \...\???ﯹ๛\{5277d95b-9f86-a171-e7f7-7295c86fb4e0}\GoogleUpdate.exe" < [x]) -> SUPPRIMÉ
[HID SVC][Masqué de l'API] HKLM\[...]\CCSet\[...]\Services : . e () -> [0x3] Le chemin d’accès spécifié est introuvable.
[HID SVC][Masqué de l'API] HKLM\[...]\CS001\[...]\Services : . e () -> [0x3] Le chemin d’accès spécifié est introuvable.
[HID SVC][Masqué de l'API] HKLM\[...]\CS002\[...]\Services : . e () -> [0x3] Le chemin d’accès spécifié est introuvable.
¤¤¤ Fichiers / Dossiers particuliers: ¤¤¤
[ZeroAccess][Repertoire] Install : C:\Documents and Settings\tigzy\Local Settings\Application Data\Google\Desktop\Install [-] --> SUPPRIMÉ
[ZeroAccess][Repertoire] Install : C:\Program Files\Google\Desktop\Install [-] --> SUPPRIMÉ AU REBOOT
[ZeroAccess][Fichier] @ : C:\Documents and Settings\tigzy\Local Settings\Application Data\Google\Desktop\Install\{848ec4ef-b4fb-6501-ab69-678738a3a5c6}\❤≸⋙\Ⱒ☠⍨ﯹ๛\{848ec4ef-b4fb-6501-ab69-678738a3a5c6}\@ [-] --> SUPPRIMÉ
[ZeroAccess][Fichier] GoogleUpdate.exe : C:\Documents and Settings\tigzy\Local Settings\Application Data\Google\Desktop\Install\{848ec4ef-b4fb-6501-ab69-678738a3a5c6}\❤≸⋙\Ⱒ☠⍨\ﯹ๛\{848ec4ef-b4fb-6501-ab69-678738a3a5c6}\GoogleUpdate.exe [-] --> SUPPRIMÉ
[ZeroAccess][Repertoire] L : C:\Documents and Settings\tigzy\Local Settings\Application Data\Google\Desktop\Install\{848ec4ef-b4fb-6501-ab69-678738a3a5c6}\❤≸⋙\Ⱒ☠⍨ﯹ๛\{848ec4ef-b4fb-6501-ab69-678738a3a5c6}\L [-] --> SUPPRIMÉ
[ZeroAccess][Repertoire] U : C:\Documents and Settings\tigzy\Local Settings\Application Data\Google\Desktop\Install\{848ec4ef-b4fb-6501-ab69-678738a3a5c6}\❤≸⋙\Ⱒ☠⍨ﯹ๛\{848ec4ef-b4fb-6501-ab69-678738a3a5c6}\U [-] --> SUPPRIMÉ
[ZeroAccess][Repertoire] {848ec4ef-b4fb-6501-ab69-678738a3a5c6} : C:\Documents and Settings\tigzy\Local Settings\Application Data\Google\Desktop\Install\{848ec4ef-b4fb-6501-ab69-678738a3a5c6}\❤≸⋙\Ⱒ☠⍨ﯹ๛\{848ec4ef-b4fb-6501-ab69-678738a3a5c6} [-] --> SUPPRIMÉ
[ZeroAccess][Repertoire] ﯹ๛ : C:\Documents and Settings\tigzy\Local Settings\Application Data\Google\Desktop\Install\{848ec4ef-b4fb-6501-ab69-678738a3a5c6}\❤≸⋙\Ⱒ☠⍨\ﯹ๛ [-] --> SUPPRIMÉ
[ZeroAccess][Repertoire] Ⱒ☠⍨ : C:\Documents and Settings\tigzy\Local Settings\Application Data\Google\Desktop\Install\{848ec4ef-b4fb-6501-ab69-678738a3a5c6}\❤≸⋙\Ⱒ☠⍨ [-] --> SUPPRIMÉ
[ZeroAccess][Repertoire] ❤≸⋙ : C:\Documents and Settings\tigzy\Local Settings\Application Data\Google\Desktop\Install\{848ec4ef-b4fb-6501-ab69-678738a3a5c6}\❤≸⋙ [-] --> SUPPRIMÉ
[ZeroAccess][Repertoire] {848ec4ef-b4fb-6501-ab69-678738a3a5c6} : C:\Documents and Settings\tigzy\Local Settings\Application Data\Google\Desktop\Install\{848ec4ef-b4fb-6501-ab69-678738a3a5c6} [-] --> SUPPRIMÉ
[ZeroAccess][Repertoire] L : C:\Program Files\Google\Desktop\Install\{848ec4ef-b4fb-6501-ab69-678738a3a5c6}\ \ ﯹ๛\{848ec4ef-b4fb-6501-ab69-678738a3a5c6}\L [-] --> SUPPRIMÉ
[ZeroAccess][Fichier] 00000001.@ : C:\Program Files\Google\Desktop\Install\{848ec4ef-b4fb-6501-ab69-678738a3a5c6}\ \ ﯹ๛\{848ec4ef-b4fb-6501-ab69-678738a3a5c6}\U\00000001.@ [-] --> SUPPRIMÉ
[ZeroAccess][Fichier] 80000000.@ : C:\Program Files\Google\Desktop\Install\{848ec4ef-b4fb-6501-ab69-678738a3a5c6}\ \ ﯹ๛\{848ec4ef-b4fb-6501-ab69-678738a3a5c6}\U\80000000.@ [-] --> SUPPRIMÉ
[ZeroAccess][Fichier] 800000cb.@ : C:\Program Files\Google\Desktop\Install\{848ec4ef-b4fb-6501-ab69-678738a3a5c6}\ \ ﯹ๛\{848ec4ef-b4fb-6501-ab69-678738a3a5c6}\U\800000cb.@ [-] --> SUPPRIMÉ
[ZeroAccess][Repertoire] U : C:\Program Files\Google\Desktop\Install\{848ec4ef-b4fb-6501-ab69-678738a3a5c6}\ \ ﯹ๛\{848ec4ef-b4fb-6501-ab69-678738a3a5c6}\U [-] --> SUPPRIMÉ
[ZeroAccess][Repertoire] {848ec4ef-b4fb-6501-ab69-678738a3a5c6} : C:\Program Files\Google\Desktop\Install\{848ec4ef-b4fb-6501-ab69-678738a3a5c6}\ \ ﯹ๛\{848ec4ef-b4fb-6501-ab69-678738a3a5c6} [-] --> SUPPRIMÉ AU REBOOT
[ZeroAccess][Repertoire] : C:\Program Files\Google\Desktop\Install\{848ec4ef-b4fb-6501-ab69-678738a3a5c6}\ \ [-] --> SUPPRIMÉ AU REBOOT
[ZeroAccess][Repertoire] : C:\Program Files\Google\Desktop\Install\{848ec4ef-b4fb-6501-ab69-678738a3a5c6}\ [-] --> SUPPRIMÉ AU REBOOT
[ZeroAccess][Repertoire] {848ec4ef-b4fb-6501-ab69-678738a3a5c6} : C:\Program Files\Google\Desktop\Install\{848ec4ef-b4fb-6501-ab69-678738a3a5c6} [-] --> SUPPRIMÉ AU REBOOT
Second Removal (after reboot)
¤¤¤ Fichiers / Dossiers particuliers: ¤¤¤
[ZeroAccess][Repertoire] Install : C:\Program Files\Google\Desktop\Install [-] --> SUPPRIMÉ
[ZeroAccess][Fichier] @ : C:\Program Files\Google\Desktop\Install\{848ec4ef-b4fb-6501-ab69-678738a3a5c6}\ \ \ﯹ๛\{848ec4ef-b4fb-6501-ab69-678738a3a5c6}\@ [-] --> SUPPRIMÉ
[ZeroAccess][Repertoire] U : C:\Program Files\Google\Desktop\Install\{848ec4ef-b4fb-6501-ab69-678738a3a5c6}\ \ \ﯹ๛\{848ec4ef-b4fb-6501-ab69-678738a3a5c6}\U [-] --> SUPPRIMÉ
[ZeroAccess][Repertoire] {848ec4ef-b4fb-6501-ab69-678738a3a5c6} : C:\Program Files\Google\Desktop\Install\{848ec4ef-b4fb-6501-ab69-678738a3a5c6}\ \ \ﯹ๛\{848ec4ef-b4fb-6501-ab69-678738a3a5c6} [-] --> SUPPRIMÉ
[ZeroAccess][Repertoire] ﯹ๛ : C:\Program Files\Google\Desktop\Install\{848ec4ef-b4fb-6501-ab69-678738a3a5c6}\ \ \ﯹ๛ [-] --> SUPPRIMÉ
[ZeroAccess][Repertoire] : C:\Program Files\Google\Desktop\Install\{848ec4ef-b4fb-6501-ab69-678738a3a5c6}\ \ [-] --> SUPPRIMÉ
[ZeroAccess][Repertoire] : C:\Program Files\Google\Desktop\Install\{848ec4ef-b4fb-6501-ab69-678738a3a5c6}\ [-] --> SUPPRIMÉ
[ZeroAccess][Repertoire] {848ec4ef-b4fb-6501-ab69-678738a3a5c6} : C:\Program Files\Google\Desktop\Install\{848ec4ef-b4fb-6501-ab69-678738a3a5c6} [-] --> SUPPRIMÉ
Old variants
06/26/2012 update:
ZeroAccess in its latest variant is no longer a rootkit. It only injects a DLL, stored in several locations, into a Windows process (services.exe).
Here's a video demonstrating how to get rid of it:
The report should look like this:
¤¤¤ Entrees de registre: 2 ¤¤¤
[ZeroAccess] HKCR\[...]\InprocServer32 : (\\.\globalroot\systemroot\Installer\{848ec4ef-b4fb-6501-ab69-678738a3a5c6}\n.) -> REPLACED (c:\windows\system32\wbem\wbemess.dll)
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
¤¤¤ Fichiers / Dossiers particuliers: ¤¤¤
[ZeroAccess][FILE] n : c:\windows\installer\{848ec4ef-b4fb-6501-ab69-678738a3a5c6}\n --> REMOVED
[ZeroAccess][FILE] @ : c:\windows\installer\{848ec4ef-b4fb-6501-ab69-678738a3a5c6}\@ --> REMOVED AT REBOOT
[Del.Parent][FILE] 00000001.@ : c:\windows\installer\{848ec4ef-b4fb-6501-ab69-678738a3a5c6}\U\00000001.@ --> REMOVED
[Del.Parent][FILE] 80000000.@ : c:\windows\installer\{848ec4ef-b4fb-6501-ab69-678738a3a5c6}\U\80000000.@ --> REMOVED
[Del.Parent][FILE] 800000cb.@ : c:\windows\installer\{848ec4ef-b4fb-6501-ab69-678738a3a5c6}\U\800000cb.@ --> REMOVED
[ZeroAccess][FOLDER] U : c:\windows\installer\{848ec4ef-b4fb-6501-ab69-678738a3a5c6}\U --> REMOVED
[ZeroAccess][FILE] n : c:\documents and settings\tigzy\local settings\application data\{848ec4ef-b4fb-6501-ab69-678738a3a5c6}\n --> REMOVED
[ZeroAccess][FILE] @ : c:\documents and settings\tigzy\local settings\application data\{848ec4ef-b4fb-6501-ab69-678738a3a5c6}\@ --> REMOVED
Initial version:
This rootkit removes AV protections and installs itself inside the TCP/IP stack, which leads to web redirections. It kills, and modifies the ACLs of, every program trying to scan its files. It's composed of 3 parts:
- A DLL (consrv.dll) on x64 systems.
- A locked filesystem (C:/Windows/$NtUninstallKBxxxxx$) where it keeps its files, making sure they won't be removed.
- A patched driver (on x86), chosen at random. The driver is a legitimate one before patching.
- Download and launch TDSSKiller. Be careful to choose "cure" and "delete" on every object.
- You should obtain the following report:
19:35:47.0004 1156 ============================================================
19:35:47.0309 1156 Initialize success
19:35:55.0922 1516 ============================================================
19:35:55.0922 1516 Scan started
19:35:55.0922 1516 Mode: Manual; SigCheck; TDLFS;
19:35:55.0922 1516 ============================================================
19:35:56.0019 1516 a04dba87 (8f2bb1827cac01aee6a16e30a1260199) C:\WINDOWS\2277133728:1605518712.exe
19:35:56.0046 1516 Suspicious file (Hidden): C:\WINDOWS\2277133728:1605518712.exe. md5: 8f2bb1827cac01aee6a16e30a1260199
19:35:56.0046 1516 a04dba87 ( HiddenFile.Multi.Generic ) - warning
19:35:56.0046 1516 a04dba87 - detected HiddenFile.Multi.Generic (1)
...19:36:21.0921 1516 ============================================================
19:36:21.0921 1516 Scan finished
19:36:21.0921 1516 ============================================================
19:36:22.0020 1420 Detected object count: 3
19:36:22.0020 1420 Actual detected object count: 3
19:37:04.0646 1420 HKLM\SYSTEM\ControlSet001\services\a04dba87 - will be deleted on reboot
19:37:04.0656 1420 C:\WINDOWS\2277133728:1605518712.exe - will be deleted on reboot
19:37:04.0656 1420 a04dba87 ( HiddenFile.Multi.Generic ) - User select action: Delete
19:37:04.0656 1420 procguard ( UnsignedFile.Multi.Generic ) - skipped by user
19:37:04.0656 1420 procguard ( UnsignedFile.Multi.Generic ) - User select action: Skip
19:37:04.0712 1420 Backup copy found, using it..
19:37:04.0740 1420 C:\WINDOWS\system32\DRIVERS\tmtdi.sys - will be cured on reboot
19:37:04.0740 1420 tmtdi ( Rootkit.Win32.ZAccess.g ) - User select action: Cure
19:37:07.0963 1084 Deinitialize success
- Then run ComboFix. It could take a long time.
- You should obtain the following report:
(((((((((((((((((((((((((((((((((((( Autres suppressions ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\$NtUninstallKB58677$
c:\windows\$NtUninstallKB58677$\2689448583\@
c:\windows\$NtUninstallKB58677$\2689448583\L\echiudpr
c:\windows\$NtUninstallKB58677$\2689448583\U\@00000001
c:\windows\$NtUninstallKB58677$\2689448583\U\@000000c0
c:\windows\$NtUninstallKB58677$\2689448583\U\@000000cb
c:\windows\$NtUninstallKB58677$\2689448583\U\@000000cf
c:\windows\$NtUninstallKB58677$\2689448583\U\@80000000
c:\windows\$NtUninstallKB58677$\2689448583\U\@800000c0
c:\windows\$NtUninstallKB58677$\2689448583\U\@800000cb
c:\windows\$NtUninstallKB58677$\2689448583\U\@800000cf
c:\windows\$NtUninstallKB58677$\339281305
c:\windows\{2521BB91-29B1-4d7e-9137-AC9875D77735}