Search found 56 matches

by ConanTheLibrarian
Tue Jan 03, 2012 6:17 pm
Forum: Malware
Topic: Rootkit ZeroAccess (alias MaxPlus, Sirefef)
Replies: 374
Views: 323378

Re: Rootkit ZeroAccess (alias Max++, Sirefef)

markusg wrote: @ConanTheLibrarian
Sorry for the late reply, but I see in Germany over the last 3-5 days a growth of ZeroAccess infections.

It was short-lived - a matter of about 3 days with less activity. Perhaps they took a holiday vacation? :P
by ConanTheLibrarian
Fri Dec 30, 2011 8:45 pm
Forum: Malware
Topic: Rootkit ZeroAccess (alias MaxPlus, Sirefef)
Replies: 374
Views: 323378

Re: Rootkit ZeroAccess (alias Max++, Sirefef)

Anyone noticing an ebbing of ZA infections? It seems slower and I wonder why.
by ConanTheLibrarian
Thu Dec 08, 2011 7:30 pm
Forum: Malware
Topic: Rootkit ZeroAccess (alias MaxPlus, Sirefef)
Replies: 374
Views: 323378

Re: Rootkit ZeroAccess (alias Max++, Sirefef)

Play_Movie2287_Click_Run.exe - 0A.aml
Play_Movie3732_Click_Run.exe - 0A.h
Play_Movie4054_Click_Run.exe - 0A.aml
Play_Movie5227_Click_Run.exe - 0A.h
Play_Movie6260_Click_Run.exe - 0A.aml
Play_Movie7418_Click_Run.exe - 0A.h
Play_Movie8733_Click_Run.exe - 0A.aml


Thanks.
by ConanTheLibrarian
Thu Dec 08, 2011 6:52 pm
Forum: Malware
Topic: Rootkit ZeroAccess (alias MaxPlus, Sirefef)
Replies: 374
Views: 323378

Re: Rootkit ZeroAccess (alias Max++, Sirefef)

NarfBang wrote: Me thinks this be ZeroAccess. Low detection rate if it is.

Seems the PE inside is corrupt? It won't launch, saying it's not a valid Win32 app. I checked the size and it seems correct.
by ConanTheLibrarian
Wed Dec 07, 2011 2:52 pm
Forum: Tools/Software
Topic: Modify registry with drivers
Replies: 0
Views: 2722

Modify registry with drivers

Can anyone recommend a program that can be used to change registry values on bootup - before csrss starts? I need one that changes a registry key during kernel mode initialization. At the very least when the bootexecute value fires. Thanks!
by ConanTheLibrarian
Mon Dec 05, 2011 5:02 pm
Forum: Malware
Topic: Rootkit ZeroAccess (alias MaxPlus, Sirefef)
Replies: 374
Views: 323378

Re: Rootkit ZeroAccess (alias Max++, Sirefef)

Can anyone recommend a program that can be used to change registry values on bootup - before Native NT apps start? I need one that changes a registry key during kernel mode initialization.
by ConanTheLibrarian
Wed Nov 23, 2011 3:42 pm
Forum: Malware
Topic: Rootkit ZeroAccess (alias MaxPlus, Sirefef)
Replies: 374
Views: 323378

Re: Rootkit ZeroAccess (alias Max++, Sirefef)

The installer is clean, but because of the exploit of using the DLL in the current folder, no matter what is hardcoded, the DLL is loaded and infects the system.
by ConanTheLibrarian
Wed Nov 23, 2011 2:49 am
Forum: Malware
Topic: Rootkit ZeroAccess (alias MaxPlus, Sirefef)
Replies: 374
Views: 323378

Re: Rootkit ZeroAccess (alias Max++, Sirefef)

The file is empty.
by ConanTheLibrarian
Fri Jul 22, 2011 6:32 pm
Forum: Malware
Topic: Rootkit ZeroAccess (alias MaxPlus, Sirefef)
Replies: 374
Views: 323378

Re: Rootkit ZeroAccess (aka MAX++)

Although I applaud and even support your need to figure this out, I don't think this is the proper forum. Malware authors also can see this and will do their best to counteract any methods mentioned here. Giving them that edge will not help matters.