A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #13000  by thisisu
 Thu May 03, 2012 5:13 am
I would appreciate if others would take a deeper look into this one / add comments.

MD5: 2efe003b8969fa946f194333152f334c
https://www.virustotal.com/file/8be9b39 ... /analysis/

This has some ZeroAccess similarities, it could be something new as I have not seen this type of folder created before.

Here are the notes I've gathered so far:

%Windir% reparse point folder is missing but the following folder is created: C:\WINDOWS\Installer\{1982f959-ca43-079e-42d0-55eab62fdb19}
Inside this folder is:
Folder: L [empty]
Folder: U [inside is: 00000001.@, 800000cb.@, 80000000.@]
File: @ [2kb]
File: n [44kb]

This folder is created too but isn't as complete as previous one: %userprofile%\Local Settings\Application Data\{1982f959-ca43-079e-42d0-55eab62fdb19}

No infected drivers or services.
Code: Select all
========== regfind ==========

Searching for "1982f959-ca43-079e-42d0-55eab62fdb19"
[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32]
@="C:\Documents and Settings\thisisu\Local Settings\Application Data\{1982f959-ca43-079e-42d0-55eab62fdb19}\n."
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InprocServer32]
@="\\.\globalroot\systemroot\Installer\{1982f959-ca43-079e-42d0-55eab62fdb19}\n."
[HKEY_USERS\S-1-5-21-1644491937-1383384898-854245398-1003\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32]
@="C:\Documents and Settings\thisisu\Local Settings\Application Data\{1982f959-ca43-079e-42d0-55eab62fdb19}\n."
[HKEY_USERS\S-1-5-21-1644491937-1383384898-854245398-1003_Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32]
@="C:\Documents and Settings\thisisu\Local Settings\Application Data\{1982f959-ca43-079e-42d0-55eab62fdb19}\n."
Attachments
pass: infected
(148.05 KiB) Downloaded 521 times
 #13002  by EP_X0FF
 Thu May 03, 2012 6:38 am
This is user mode only backdoor variant, running through masqueraded CLSID, injecting payload "n" dll into Explorer memory. All others are win32 ZeroAccess component dlls.
 #13015  by thisisu
 Fri May 04, 2012 2:53 am
The following Registry Value was modified:
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InprocServer32]
(Default) =
Default should be: C:\WINDOWS\system32\wbem\wbemess.dll

This variant changes it to: \\.\globalroot\systemroot\Installer\{1982f959-ca43-079e-42d0-55eab62fdb19}\n.
 #13170  by EP_X0FF
 Sat May 12, 2012 8:05 am
Maybe they are finally realized - it was a worst piece of shit? If speak seriously if you take a look on zeroaccess timeline - it's about time for another generation. So probably there will be something interesting in future.
  • 1
  • 2
  • 3
  • 4
  • 5
  • 56