ZeroAccess (alias MaxPlus, Sirefef)

Quads
Posts: 148
Joined: Thu May 06, 2010 10:19 pm
Location: New Zealand

Re: ZeroAccess (alias MaxPlus, Sirefef)

Post by Quads » Tue Sep 03, 2013 7:47 am

OK, Roguekiller finds the Install folder on a 32-bit system located at C:\Program Files\Google\Desktop\Install

But it doesn't find the Install folder if it is located in C:\Program Files (x86)\Google\Desktop\Install

I created the C:\Program Files (x86)\Google\Desktop\Install path and folders on my system, and Roguekiller does not find it.

Roguekiller does find these 2 locations; I created these 2 paths and folders also.

¤¤¤ Particular Files / Folders: ¤¤¤
[ZeroAccess][Folder] Install : C:\Users\Quads\AppData\Local\Google\Desktop\Install [-] --> FOUND
[ZeroAccess][Folder] Install : C:\Program Files\Google\Desktop\Install [-] --> FOUND


Quads
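The gap Quads describes is a coverage problem: a checker that only looks under the 32-bit Program Files root silently misses the same drop folder under Program Files (x86). The script below is an added example written for this thread, not RogueKiller's code or anything from the forum. It builds the candidate paths from the three locations quoted above (the two Program Files roots plus each user profile's AppData\Local), scans them, and prints hits in the same format as the report in the post. The directory tree it scans is constructed in a temporary folder so it runs offline on any OS; on a real host you would point `scan()` at the drive root and the profiles under C:\Users.

```python
import tempfile
from pathlib import Path

# ZeroAccess/Sirefef drop locations quoted in the thread, expressed relative
# to a Program Files root or to a user-profile root.
PROGRAM_FILES_SUFFIX = Path("Google") / "Desktop" / "Install"
PROFILE_SUFFIX = Path("AppData") / "Local" / "Google" / "Desktop" / "Install"


def candidate_paths(system_root, profiles):
    """Every location to inspect.

    system_root: drive root (C:\\ on a real host), as a Path.
    profiles:    user-profile directories (C:\\Users\\<name>).
    Both Program Files roots are listed so the (x86) variant is not skipped,
    which is exactly the case the thread reports as missed.
    """
    roots = [system_root / "Program Files", system_root / "Program Files (x86)"]
    paths = [r / PROGRAM_FILES_SUFFIX for r in roots]
    paths += [Path(p) / PROFILE_SUFFIX for p in profiles]
    return paths


def scan(system_root, profiles):
    """Return {candidate_path: exists} for every candidate location."""
    return {p: p.is_dir() for p in candidate_paths(system_root, profiles)}


def report(results):
    """Format hits like the RogueKiller lines quoted in the thread."""
    return [f"[ZeroAccess][Folder] Install : {p} [-] --> FOUND"
            for p, found in results.items() if found]


def user_profiles(system_root):
    """List profile directories under <root>/Users (empty list if none)."""
    users = system_root / "Users"
    return [p for p in users.iterdir() if p.is_dir()] if users.is_dir() else []


def build_demo_tree(base):
    """Constructed layout, not a real infection: a fake drive root with the
    (x86) drop folder and one user-profile drop folder, but a clean 32-bit
    Program Files. Mirrors what Quads created to test RogueKiller."""
    (base / "Program Files (x86)" / PROGRAM_FILES_SUFFIX).mkdir(parents=True)
    (base / "Users" / "Quads" / PROFILE_SUFFIX).mkdir(parents=True)
    (base / "Program Files").mkdir()  # present, but no Install folder
    return base


def demo():
    """Scan the constructed tree and return the per-path results."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_demo_tree(Path(tmp))
        return scan(root, user_profiles(root))


if __name__ == "__main__":
    for line in report(demo()):
        print(line)
```

The scan deliberately reports per candidate path rather than stopping at the first hit, so a clean 32-bit root never masks a populated (x86) one. On a 64-bit host both roots exist, so the candidate list is the same whether the system is 32- or 64-bit; a non-existent root simply yields a False entry.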

0x16/7ton
Posts: 50
Joined: Fri Apr 20, 2012 12:59 pm
Location: Russian Federation

Re: ZeroAccess (alias MaxPlus, Sirefef)

Post by 0x16/7ton » Wed Sep 04, 2013 2:20 pm

Dropper from 01.09.2013 with mini-update
01_09_2013.rar
In addition, Sirefef attempts to stop and delete two services: RemoteAccess, PolicyAgent
mini_update.png
Cause and effect
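A service that the dropper stops and then deletes leaves a visible trace: `sc query <name>` reports the service as STOPPED, or fails with error 1060 once the service no longer exists. The snippet below is an added example for this thread (not the poster's analysis code) that parses that output for the two services named above and flags them. The `sc query` text it parses is constructed here to cover the running, stopped and missing cases, so the check runs offline; `query_live()` shows how the same parser would be fed on a Windows host.

```python
import re
import subprocess

# Services the dropper discussed in the thread tries to stop and delete.
WATCHED_SERVICES = ["RemoteAccess", "PolicyAgent"]

# Constructed sample of `sc query <name>` output (not captured from a real
# host): PolicyAgent still running, RemoteAccess already deleted.
SAMPLE_SC_OUTPUT = {
    "PolicyAgent": (
        "SERVICE_NAME: PolicyAgent\n"
        "        TYPE               : 20  WIN32_SHARE_PROCESS\n"
        "        STATE              : 4  RUNNING\n"
        "                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)\n"
        "        WIN32_EXIT_CODE    : 0  (0x0)\n"
    ),
    "RemoteAccess": (
        "[SC] EnumQueryServicesStatus:OpenService FAILED 1060:\n\n"
        "The specified service does not exist as an installed service.\n"
    ),
}


def parse_sc_query(text):
    """Return 'MISSING' for error 1060, otherwise the STATE word
    (RUNNING, STOPPED, START_PENDING, ...) from sc query output."""
    if "FAILED 1060" in text:
        return "MISSING"
    m = re.search(r"^\s*STATE\s*:\s*\d+\s+(\w+)", text, re.MULTILINE)
    return m.group(1) if m else "UNKNOWN"


def assess(outputs):
    """Map service name -> (state, suspicious).

    A deleted service is the strong signal; STOPPED is only a weak one,
    since RemoteAccess is commonly not running on a workstation anyway.
    """
    result = {}
    for svc in WATCHED_SERVICES:
        state = parse_sc_query(outputs.get(svc, ""))
        result[svc] = (state, state in ("MISSING", "STOPPED"))
    return result


def query_live(names=WATCHED_SERVICES):
    """Collect real `sc query` output on a Windows host (assumption: sc.exe
    is on PATH). Returns the same {name: text} shape as SAMPLE_SC_OUTPUT."""
    out = {}
    for name in names:
        proc = subprocess.run(["sc", "query", name], capture_output=True, text=True)
        out[name] = proc.stdout + proc.stderr
    return out


if __name__ == "__main__":
    for svc, (state, flag) in assess(SAMPLE_SC_OUTPUT).items():
        print(f"{svc:<13} {state:<9} {'SUSPICIOUS' if flag else 'ok'}")
```

Treat the result as a triage prompt rather than a verdict: corroborate a missing or stopped service with the folder locations quoted earlier in the thread before concluding the host is infected.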

Win32:Virut
Posts: 324
Joined: Sat Jun 02, 2012 2:22 pm

Re: ZeroAccess (alias MaxPlus, Sirefef)

Post by Win32:Virut » Sat Sep 07, 2013 3:52 pm

60 droppers

03.09.2013 - 07.09.2013

Cody Johnston
Posts: 157
Joined: Sun May 01, 2011 4:33 pm
Location: Los Angeles, CA

Re: ZeroAccess (alias MaxPlus, Sirefef)

Post by Cody Johnston » Mon Sep 09, 2013 2:49 am


rough_spear
Posts: 163
Joined: Mon Oct 18, 2010 4:46 pm
Location: India

Re: ZeroAccess (alias MaxPlus, Sirefef)

Post by rough_spear » Sat Sep 14, 2013 7:44 am

Hi All,

one more sample of Sirefef.

MD5 - 456D4D94B65C44C8B42901F2D87538A6

VT link - https://www.virustotal.com/en/file/0853 ... /analysis/

Regards,

rough_spear. ;)

Win32:Virut
Posts: 324
Joined: Sat Jun 02, 2012 2:22 pm

Re: ZeroAccess (alias MaxPlus, Sirefef)

Post by Win32:Virut » Sat Sep 14, 2013 10:19 am

48 droppers

08.09.2013 - 14.09.2013

Win32:Virut
Posts: 324
Joined: Sat Jun 02, 2012 2:22 pm

Re: ZeroAccess (alias MaxPlus, Sirefef)

Post by Win32:Virut » Sat Sep 21, 2013 2:22 pm

41 droppers

14.09.2013 - 21.09.2013

r3shl4k1sh
Posts: 119
Joined: Tue Feb 05, 2013 10:26 pm
Location: Israel

Re: ZeroAccess (alias MaxPlus, Sirefef)

Post by r3shl4k1sh » Fri Oct 04, 2013 5:10 am

A paper by Symantec called ZeroAccess Indepth
It seems they went really in depth in some areas...

EP_X0FF
Global Moderator
Posts: 4775
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Re: ZeroAccess (alias MaxPlus, Sirefef)

Post by EP_X0FF » Fri Oct 04, 2013 5:51 am

Blah-blah-blah with hyped marketing shit in the end, completely wrong timeline and major copy-paste work from Sophos articles. Not to mention they totally miss 2013 versions.
Ring0 - the source of inspiration

N3mes1s
Posts: 42
Joined: Wed Mar 09, 2011 5:17 pm

Re: ZeroAccess (alias MaxPlus, Sirefef)

Post by N3mes1s » Fri Oct 04, 2013 7:28 am

