A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #13000  by thisisu
 Thu May 03, 2012 5:13 am
I would appreciate it if others would take a deeper look into this one / add comments.

MD5: 2efe003b8969fa946f194333152f334c
https://www.virustotal.com/file/8be9b39 ... /analysis/

This has some ZeroAccess similarities, it could be something new as I have not seen this type of folder created before.

Here are the notes I've gathered so far:

%Windir% reparse point folder is missing but the following folder is created: C:\WINDOWS\Installer\{1982f959-ca43-079e-42d0-55eab62fdb19}
Inside this folder is:
Folder: L [empty]
Folder: U [inside is: 00000001.@, 800000cb.@, 80000000.@]
File: @ [2kb]
File: n [44kb]

This folder is created too but isn't as complete as previous one: %userprofile%\Local Settings\Application Data\{1982f959-ca43-079e-42d0-55eab62fdb19}

No infected drivers or services.
========== regfind ==========

Searching for "1982f959-ca43-079e-42d0-55eab62fdb19"
[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32]
@="C:\Documents and Settings\thisisu\Local Settings\Application Data\{1982f959-ca43-079e-42d0-55eab62fdb19}\n."
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InprocServer32]
@="\\.\globalroot\systemroot\Installer\{1982f959-ca43-079e-42d0-55eab62fdb19}\n."
[HKEY_USERS\S-1-5-21-1644491937-1383384898-854245398-1003\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32]
@="C:\Documents and Settings\thisisu\Local Settings\Application Data\{1982f959-ca43-079e-42d0-55eab62fdb19}\n."
[HKEY_USERS\S-1-5-21-1644491937-1383384898-854245398-1003_Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32]
@="C:\Documents and Settings\thisisu\Local Settings\Application Data\{1982f959-ca43-079e-42d0-55eab62fdb19}\n."
Attachments
pass: infected
 #13002  by EP_X0FF
 Thu May 03, 2012 6:38 am
This is a user-mode-only backdoor variant, running through a masqueraded CLSID and injecting the payload "n" DLL into Explorer's memory. All the others are Win32 ZeroAccess component DLLs.
 #13015  by thisisu
 Fri May 04, 2012 2:53 am
The following Registry Value was modified:
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InprocServer32]
(Default) =
Default should be: C:\WINDOWS\system32\wbem\wbemess.dll

This variant changes it to: \\.\globalroot\systemroot\Installer\{1982f959-ca43-079e-42d0-55eab62fdb19}\n.
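The two posts above give the CLSID hijack a concrete shape: the InprocServer32 default of a legitimate CLSID is redirected from a system DLL to a file named "n" sitting in a {GUID} folder, reached through a \\.\globalroot path and with a trailing dot. The script below is an added example (not code from the thread or from any tool mentioned in it) that parses regfind-style output and flags InprocServer32 defaults showing those traits. It assumes the output format quoted in the first post; the known-good baseline dictionary holds only the wbemess.dll pairing stated above, and the third registry entry in the sample is a constructed clean one added so the checker has something not to flag.

```python
import re

# Constructed sample in the regfind output format quoted in the thread: a key line in
# square brackets followed by @="..." for the key's default value. The first two entries
# are the ones posted above; the third is a constructed clean entry (the default value the
# thread says {F3130CDB-...} should have) so the checker has something not to flag.
SAMPLE_REGFIND = r'''
========== regfind ==========

Searching for "1982f959-ca43-079e-42d0-55eab62fdb19"
[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32]
@="C:\Documents and Settings\thisisu\Local Settings\Application Data\{1982f959-ca43-079e-42d0-55eab62fdb19}\n."
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InprocServer32]
@="\\.\globalroot\systemroot\Installer\{1982f959-ca43-079e-42d0-55eab62fdb19}\n."
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InprocServer32]
@="C:\WINDOWS\system32\wbem\wbemess.dll"
'''

# Known-good InprocServer32 defaults to compare against (assumed baseline: only the
# pairing the thread states is listed; a real baseline comes from a clean reference box).
EXPECTED_DEFAULTS = {
    "{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}": r"C:\WINDOWS\system32\wbem\wbemess.dll",
}

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
DEFAULT_RE = re.compile(r'^@="(?P<value>.*)"\s*$')
GUID_RE = re.compile(r"\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}", re.I)


def parse_regfind(text):
    """Return a list of (key, default_value) pairs from regfind-style output."""
    entries = []
    current_key = None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            current_key = m.group("key")
            continue
        m = DEFAULT_RE.match(line)
        if m and current_key is not None:
            entries.append((current_key, m.group("value")))
    return entries


def assess_inproc_default(key, value):
    """Return the reasons an InprocServer32 default looks hijacked ([] if it looks clean)."""
    reasons = []
    if not key.lower().endswith("\\inprocserver32"):
        return reasons  # only COM in-process server registrations are of interest here
    # Object-manager style path (\\.\globalroot\systemroot\...) instead of a drive path.
    if value.lower().startswith("\\\\.\\globalroot"):
        reasons.append("globalroot path hides the real file location")
    # Win32 path normalisation strips a trailing dot, so "...\n." opens the file "n";
    # a naive string match on the registry value against the file name misses it.
    if value.endswith("."):
        reasons.append("trailing dot in module path")
    # Server DLL living in a {GUID}-named folder (Installer\ or Application Data\ here).
    if GUID_RE.search(value):
        reasons.append("module lives in a {GUID} folder")
    clsid = GUID_RE.search(key)
    expected = EXPECTED_DEFAULTS.get(clsid.group(0).upper()) if clsid else None
    if expected is not None and value.lower() != expected.lower():
        reasons.append("default differs from known-good " + expected)
    return reasons


def find_hijacked_inproc(entries):
    """Run the assessment over parsed entries and keep only those with findings."""
    findings = []
    for key, value in entries:
        reasons = assess_inproc_default(key, value)
        if reasons:
            findings.append({"key": key, "value": value, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_hijacked_inproc(parse_regfind(SAMPLE_REGFIND)):
        print(f["key"])
        print("  " + f["value"])
        for r in f["reasons"]:
            print("  - " + r)
```

Run against the sample, the HKLM entry is flagged on all four counts and the HKCU entry on two (trailing dot and {GUID} folder), while the constructed clean wbemess.dll entry produces nothing. The baseline comparison is the only check that needs per-host knowledge; the other three are structural and work on any exported InprocServer32 value.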
 #13170  by EP_X0FF
 Sat May 12, 2012 8:05 am
Maybe they have finally realized it was the worst piece of shit? Speaking seriously, if you take a look at the ZeroAccess timeline, it's about time for another generation. So probably there will be something interesting in the future.