A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #13172  by rkhunter
 Sat May 12, 2012 8:15 am
EP_X0FF wrote:Maybe they finally realized it was the worst piece of shit? Seriously, if you take a look at the ZeroAccess timeline, it's about time for another generation. So probably there will be something interesting in the future.
So, this world is only for bootkits now :shock:
 #13179  by thisisu
 Sat May 12, 2012 5:27 pm
EP_X0FF wrote:So probably there will be something interesting in future.
I hope so :P
This rootkit has been very fun to follow thus far.

The CLSID / user-mode backdoor only variant does some interesting stuff to certain anti-malware tools, like OTL and MGtools. I took some footage here

Attaching a log from MGtools that gets messed up due to this variant. Enjoy!
 #13229  by Quads
 Tue May 15, 2012 8:25 pm
Have a PC with zeroaccess and the panda tool removed the services.

But the file

2012-05-13 00:42 . 2012-05-13 00:42 138496 ----a-w- c:\windows\system32\drivers\afd.sys.vir

is detected but does not appear to exist (as an image only). ComboFix logs it in the list but does not find the file to delete it.

This file also appears

2012-05-13 00:42 . 2012-05-13 00:42 138496 ----a-w- c:\windows\system32\drivers\afd.sys.org

Quads
 #13231  by Quads
 Tue May 15, 2012 11:00 pm
The user installed and ran many tools and more than one AV before asking for help. I had the user uninstall some before we started; there are still leftover folders.

The logs so far are attached, 3 here, 2 more to come.

Quads
 #13233  by thisisu
 Tue May 15, 2012 11:19 pm
Is the user's internet broken? According to yorkyt, afd.sys is present (but do not know if it is legit copy). Do you need help or are you just pointing out the .vir and .org extensions to afd.sys?

Last I checked, yorkyt adds a .bad extension to the files (not .vir or .org)

Side note: Looks like the user installed Norton midway through procedure (according to ComboFix2.txt).
 #13234  by Quads
 Tue May 15, 2012 11:32 pm
The afd.sys.vir and afd.sys.org were present before the use of yorkyt.

The first ComboFix log (combofix.txt) and the MSE detections were from before asking for help online, as were TDSSKiller, SpyHunter, HitmanPro and whatever else.

Order, oldest to newest (newest log at bottom):

combofix.txt
MSE Detections.txt
aswMBR.txt
yorkyt.exe.log
combofix2.txt

The user has the internet.

I am just pointing it out at the moment.

FSS.txt attached; afd.sys is legit.

Quads
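A triage script for the leftover-file situation Quads describes (afd.sys.vir / afd.sys.org next to the real afd.sys, a removal tool logging a file it then cannot find), added here as an example; it is not from the thread or from any of the tools mentioned, and it assumes a default %SystemRoot% layout and that the AFD service key exists:

```powershell
# Added example, not from the thread. Inventory afd.sys and any renamed leftovers
# in the drivers directory, then check that the AFD service still points at the
# real driver. Assumes %SystemRoot%\System32\drivers is the driver directory.
$driversDir  = Join-Path $env:SystemRoot 'System32\drivers'
$leftoverExt = @('.vir', '.org', '.bad')   # extensions removal tools append to quarantined copies

Get-ChildItem -Path $driversDir -Filter 'afd.sys*' -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [PSCustomObject]@{
            Name      = $_.Name
            SizeBytes = $_.Length
            Modified  = $_.LastWriteTime
            SHA256    = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            SigStatus = $sig.Status
            Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            Leftover  = $leftoverExt -contains $_.Extension
        }
    } | Format-Table -AutoSize

# Leftover names that a scanner log may still list but that are no longer on disk
# (the case in the thread: ComboFix logged afd.sys.vir, then could not find it to delete).
foreach ($ext in $leftoverExt) {
    $p = Join-Path $driversDir "afd.sys$ext"
    if (-not (Test-Path -LiteralPath $p)) { "$p : not present on disk" }
}

# Confirm the AFD service still loads the genuine driver from the expected path.
$svc = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\AFD' -ErrorAction Stop
"AFD ImagePath : $($svc.ImagePath)"
"AFD Start     : $($svc.Start)   (1 = SYSTEM_START is the normal value)"
```

The real afd.sys is catalog-signed rather than embedded-signed, so a SigStatus of NotSigned on older builds is not by itself evidence of tampering; compare the SHA256 against a known-clean copy from installation media or the same build on a clean machine before concluding anything.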