[Tigzy]

Hello

I suspected something like this... :(

My detections of ZA are falling in too deep since few days (see Root.ZeroAccess) : http://www.sur-la-toile.com/RogueKiller/stats.php
So now can anyone explain what it does? random CLSID rewrite? What file name? random?

[Quads]

System with zeroaccess, found the installer folder path for it and deleted, could not find any folder in the Users path.

Found the 2 desktop.ini files, but they get recreated by the looks deleted them 3 times.

Zeoraccess is still showing in the memory even after restarts (ESET online scan, as the EZ variant) But strange noticed the MD5 for services.exe as 50BEA589F7D7958BDD2528A8F69D05CC which I can't find in databases.

Quads

[thisisu]

But strange noticed the MD5 for services.exe as 50BEA589F7D7958BDD2528A8F69D05CC which I can't find in databases.

Hi Quads

Interesting how I read your post and then minutes later read through one my colleague's threads here.
User is infected with ZA CLSID variant as well.

Code: Select all

Note: Unsigned files aren't necessarily malware.
.
[7] 2009-07-14 . 24ACB7E5BE595468E3B9AA488B9B4FCB . 328704 . . [6.1.7600.16385] .. c:\windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe
[-] 2009-07-14 . 50BEA589F7D7958BDD2528A8F69D05CC . 329216 . . [6.1.7600.16385] .. c:\windows\system32\services.exe

The unsigned hash you are looking for is here: VT (0/42).

[Quads]

I have removed the ZA CLSID variant as well from say 1 -2 months ago with OTL with success, ran Combofix and cleaned up after.

This one acts different wants to stay, OTL' ed the files and registry moved the desktop.ini's 3 times, still there. And is still detected in the memory. as Sirefef.EZ

I even googled the MD5 hahaha

Quads

[Quads]

Found this thread also http://www.bleepingcomputer.com/forums/topic454791.html

Same problem, same services.exe MD5 appears.

Quads

[thisisu]

Same problem, same services.exe MD5 appears.

http://forums.majorgeeks.com/showthread ... rvices.exe
Another one to add to the collection :)

[Quads]

I can't see logs, because I am not a MajorGeeks member, But I have attached the combofix.txt for our one where I noticed the MD5 for services.exe

I also see Malwarebytes Forum has at least one thread.

Quads

[erikloman]

Very interesting.

Notice the addition of a TLS callback and that the .reloc section flags are changed:

ZeroAccess: http://pedump.me/50bea589f7d7958bdd2528a8f69d05cc/#pe
Microsoft: http://pedump.me/24acb7e5be595468e3b9aa488b9b4fcb/#pe

[B-boy/StyLe/]

I have removed the ZA CLSID variant as well from say 1 -2 months ago with OTL with success, ran Combofix and cleaned up after.

This one acts different wants to stay, OTL' ed the files and registry moved the desktop.ini's 3 times, still there. And is still detected in the memory. as Sirefef.EZ

I even googled the MD5 hahaha

Quads

Combofix was able to cure services.exe for me here:
http://www.kaldata.com/forums/topic/195 ... try2254934

Infected copy of c:\windows\system32\services.exe was found and disinfected
Restored copy from - c:\windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_d14b3973ca6acc56\services.exe

it seems that now ZA came hand to hand with Necurs/Bubnix?

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\Install.exe
c:\users\KOLIO\9babae71-3127.exe
c:\users\KOLIO\AppData\Local\Temp\e730ebe5-3127.tmp
c:\users\KOLIO\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\3RVX.lnk
c:\windows\system32\drivers\37341d879194f409.sys[
.
Infected copy of c:\windows\system32\drivers\AGP440.sys was found and disinfected
Restored copy from - c:\windows\System32\DriverStore\FileRepository\machine.inf_x86_neutral_a97a2a0d0fbc6696\AGP440.sys
Infected copy of c:\windows\system32\drivers\asyncmac.sys was found and disinfected
Restored copy from - c:\windows\winsxs\x86_microsoft-windows-rasbase-asyncmac_31bf3856ad364e35_6.1.7600.16385_none_242e2506962cd3e0\asyncmac.sys
Infected copy of c:\windows\system32\drivers\cdrom.sys was found and disinfected
Restored copy from - c:\windows\System32\DriverStore\FileRepository\cdrom.inf_x86_neutral_6381e09675524225\cdrom.sys
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_37341d879194f409
-------\Service_37341d879194f409

And one really stubborn variant here:

c:\users\aMoPe\3cel21f1px.exe . . . . Failed to delete

--- Other Services/Drivers In Memory ---
.
*Deregistered* - c182e0791be3b743

(((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_C182E0791BE3B743
-------\Service_c182e0791be3b743

--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - C182E0791BE3B743
*Deregistered* - c182e0791be3b743

Also sometimes ZA is bundled with Sality as well:

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_AMSINT32
-------\Legacy_NPF
-------\Service_1dd1295c
-------\Service_amsint32

Regards,
Georgi

[Quads]

Another services.exe MD% that does not match

[2009/04/10 23:27:59 | 000,279,552 | ---- | M] (Microsoft Corporation) MD5=8737764F4FD36D6808EE80578409C843 -- C:\Windows\System32\services.exe

Quads