Remove ZeroAccess (Guide)

How to remove ZeroAccess (Sirefef)

As of the 4th of August 2013, a new variant of ZeroAccess, called the RTL variant (for right-to-left, a trick this malware uses to avoid removal), has been in the wild for some days (maybe weeks).

RogueKiller build 8.6.5 and later is able to remove that variant, in 2 steps:

  • First removal: RUN key, service key, service kill, and deletion of some files/folders.
  • A reboot is then necessary to refresh the computer’s memory.
  • Second removal: deletion of the remaining files/folders.

Analysis

This variant uses a trick: it inserts Unicode characters into registry value names. As a result the Win32 API is fooled and never finds the given name (when asked to delete it, for example). The hive dump of the RUN key shows that the value name does indeed contain some weird characters.

Hive dump of the RUN key – Notice the weird characters after the “Google Update” name
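The evasion just described can be checked for directly on a RUN key dump. The script below is an added example, not RogueKiller’s code: it flags value names that contain control or formatting code points (the RIGHT-TO-LEFT OVERRIDE, U+202E, which the report paths further down appear to carry, is one of them) or an ordinary ASCII label followed by a non-ASCII tail, prints each such name with its code points spelled out, and shows why an exact-match lookup by the displayed name “Google Update” finds nothing. The sample values are constructed and `{GUID}` is a placeholder; on Windows, `read_run_values()` reads the real key through the standard `winreg` module, elsewhere it returns None and the sample is used.

```python
"""Spot registry value names padded with Unicode that a GUI, or a deletion
routine keyed on the visible name, will not see.  Added example, not
RogueKiller code; the sample RUN values below are constructed."""
import unicodedata

try:
    import winreg          # present only on Windows; not needed for the sample data
except ImportError:
    winreg = None

RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"


def escaped(name: str) -> str:
    """ASCII-only rendering in which every non-ASCII code point is spelled out."""
    return name.encode("unicode_escape").decode("ascii")


def findings(name: str) -> list:
    """Reasons a value name looks tampered with; an empty list means it looks ordinary."""
    out = []
    for i, ch in enumerate(name):
        cat = unicodedata.category(ch)
        # Cc/Cf/Co/Cn/Cs: control, format (the bidi overrides live here),
        # private-use, unassigned, surrogate.  None belongs in a value name.
        if cat.startswith("C"):
            out.append(f"{cat} U+{ord(ch):04X} at index {i} "
                       f"({unicodedata.name(ch, 'unnamed')})")
    # Heuristic for the shape on the page: a readable ASCII label followed by a
    # non-ASCII tail.  Legitimate names in accented languages can trip this,
    # so it is a reason to look, not a verdict.
    ascii_len = 0
    while ascii_len < len(name) and 0x20 <= ord(name[ascii_len]) < 0x7F:
        ascii_len += 1
    if 0 < ascii_len < len(name):
        out.append(f"non-ASCII tail after ASCII prefix {name[:ascii_len]!r}")
    return out


def suspicious_values(values: dict) -> dict:
    """Map each suspicious value name to its list of findings."""
    result = {}
    for name in values:
        why = findings(name)
        if why:
            result[name] = why
    return result


def lookup(values: dict, displayed_name: str):
    """What a tool keyed on the visible name does: an exact-match lookup,
    which misses the padded entry."""
    return values.get(displayed_name)


def read_run_values(hive=None):
    """Windows only: dump the Run key as {name: data}; None on other systems."""
    if winreg is None:
        return None
    hive = winreg.HKEY_CURRENT_USER if hive is None else hive
    with winreg.OpenKey(hive, RUN_KEY) as key:
        count = winreg.QueryInfoKey(key)[1]
        values = {}
        for i in range(count):
            name, data, _type = winreg.EnumValue(key, i)
            values[name] = data
        return values


# Constructed sample: one ordinary entry and one whose name carries a
# RIGHT-TO-LEFT OVERRIDE plus two characters from the blocks seen in the
# report paths.  "{GUID}" is a placeholder for the real folder name.
SAMPLE_RUN_VALUES = {
    "OneDrive": r"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
    "Google Update\u202e\ufbf9\u0e5b":
        r"C:\Users\user\AppData\Local\Google\Desktop\Install\{GUID}\GoogleUpdate.exe",
}

if __name__ == "__main__":
    live = read_run_values()
    for name, why in suspicious_values(live or SAMPLE_RUN_VALUES).items():
        print(escaped(name))
        for reason in why:
            print("   -", reason)
    print("lookup('Google Update') ->", lookup(SAMPLE_RUN_VALUES, "Google Update"))
```

The escaped form is the one to keep in notes and tickets: it is the only rendering in which two names that look identical on screen are visibly different, and any removal has to address the value by its full code-point sequence, which is what the display hides.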

Here are some Process Monitor logs showing the calls the trojan uses to fool AV detection and API-based removal:

ProcMon capture : ZeroAccess creating its files

ProcMon capture : ZeroAccess creating its RUN key

ProcMon capture : ZeroAccess creating its service key

Removal

Scan your computer with RogueKiller and remove the registry keys and files. You will need to reboot once, then rescan and delete again to remove the remaining files. Please look at the demo video.

[youtube id="7vXcFRSu-mg" width="100%" height="400" position="left"]

Your reports should look like this (with the text in your own language):

First Removal

¤¤¤ Processus malicieux : 1 ¤¤¤
[ZeroAccess][SERVICE] ???etadpug -- "C:\Program Files (x86)\Google\Desktop\Install\{5277d95b-9f86-a171-e7f7-7295c86fb4e0}\ \...\???ﯹ๛\{5277d95b-9f86-a171-e7f7-7295c86fb4e0}\GoogleUpdate.exe" < [x] -> STOPPÉ

¤¤¤ Entrees de registre : 9 ¤¤¤
[RUN][ZeroAccess] HKCU\[...]\Run : Google Update ("C:\Users\tigzy\AppData\Local\Google\Desktop\Install\{5277d95b-9f86-a171-e7f7-7295c86fb4e0}\?��?��?��\?��?��?��\???ﯹ๛\{5277d95b-9f86-a171-e7f7-7295c86fb4e0}\GoogleUpdate.exe" >) -> SUPPRIMÉ
[RUN][ZeroAccess] HKUS\S-1-5-21-2206154676-624830379-3717449681-1001\[...]\Run : Google Update ("C:\Users\tigzy\AppData\Local\Google\Desktop\Install\{5277d95b-9f86-a171-e7f7-7295c86fb4e0}\?��?��?��\?��?��?��\???ﯹ๛\{5277d95b-9f86-a171-e7f7-7295c86fb4e0}\GoogleUpdate.exe" >) -> [0xc0000034] Unknown error
[SERVICE][ZeroAccess] HKLM\[...]\CCSet\[...]\Services : ???etadpug ("C:\Program Files (x86)\Google\Desktop\Install\{5277d95b-9f86-a171-e7f7-7295c86fb4e0}\   \...\???ﯹ๛\{5277d95b-9f86-a171-e7f7-7295c86fb4e0}\GoogleUpdate.exe" < [x]) -> SUPPRIMÉ
[SERVICE][ZeroAccess] HKLM\[...]\CS001\[...]\Services : ???etadpug ("C:\Program Files (x86)\Google\Desktop\Install\{5277d95b-9f86-a171-e7f7-7295c86fb4e0}\   \...\???ﯹ๛\{5277d95b-9f86-a171-e7f7-7295c86fb4e0}\GoogleUpdate.exe" < [x]) -> [0x57] Paramètre incorrect.
[SERVICE][ZeroAccess] HKLM\[...]\CS002\[...]\Services : ???etadpug ("C:\Program Files (x86)\Google\Desktop\Install\{5277d95b-9f86-a171-e7f7-7295c86fb4e0}\   \...\???ﯹ๛\{5277d95b-9f86-a171-e7f7-7295c86fb4e0}\GoogleUpdate.exe" < [x]) -> SUPPRIMÉ
[HID SVC][Masqué de l'API] HKLM\[...]\CCSet\[...]\Services : . e () -> [0x3] Le chemin d'accès spécifié est introuvable.
[HID SVC][Masqué de l'API] HKLM\[...]\CS001\[...]\Services : . e () -> [0x3] Le chemin d'accès spécifié est introuvable.
[HID SVC][Masqué de l'API] HKLM\[...]\CS002\[...]\Services : . e () -> [0x3] Le chemin d'accès spécifié est introuvable.

¤¤¤ Fichiers / Dossiers particuliers: ¤¤¤
[ZeroAccess][Repertoire] Install : C:\Documents and Settings\tigzy\Local Settings\Application Data\Google\Desktop\Install [-] --> SUPPRIMÉ
[ZeroAccess][Repertoire] Install : C:\Program Files\Google\Desktop\Install [-] --> SUPPRIMÉ AU REBOOT
[ZeroAccess][Fichier] @ : C:\Documents and Settings\tigzy\Local Settings\Application Data\Google\Desktop\Install\{848ec4ef-b4fb-6501-ab69-678738a3a5c6}\❤≸⋙\Ⱒ☠⍨ﯹ๛\{848ec4ef-b4fb-6501-ab69-678738a3a5c6}\@ [-] --> SUPPRIMÉ
[ZeroAccess][Fichier] GoogleUpdate.exe : C:\Documents and Settings\tigzy\Local Settings\Application Data\Google\Desktop\Install\{848ec4ef-b4fb-6501-ab69-678738a3a5c6}\❤≸⋙\Ⱒ☠⍨\‮ﯹ๛\{848ec4ef-b4fb-6501-ab69-678738a3a5c6}\GoogleUpdate.exe [-] --> SUPPRIMÉ
[ZeroAccess][Repertoire] L : C:\Documents and Settings\tigzy\Local Settings\Application Data\Google\Desktop\Install\{848ec4ef-b4fb-6501-ab69-678738a3a5c6}\❤≸⋙\Ⱒ☠⍨ﯹ๛\{848ec4ef-b4fb-6501-ab69-678738a3a5c6}\L [-] --> SUPPRIMÉ
[ZeroAccess][Repertoire] U : C:\Documents and Settings\tigzy\Local Settings\Application Data\Google\Desktop\Install\{848ec4ef-b4fb-6501-ab69-678738a3a5c6}\❤≸⋙\Ⱒ☠⍨ﯹ๛\{848ec4ef-b4fb-6501-ab69-678738a3a5c6}\U [-] --> SUPPRIMÉ
[ZeroAccess][Repertoire] {848ec4ef-b4fb-6501-ab69-678738a3a5c6} : C:\Documents and Settings\tigzy\Local Settings\Application Data\Google\Desktop\Install\{848ec4ef-b4fb-6501-ab69-678738a3a5c6}\❤≸⋙\Ⱒ☠⍨ﯹ๛\{848ec4ef-b4fb-6501-ab69-678738a3a5c6} [-] --> SUPPRIMÉ
[ZeroAccess][Repertoire] ‮ﯹ๛ : C:\Documents and Settings\tigzy\Local Settings\Application Data\Google\Desktop\Install\{848ec4ef-b4fb-6501-ab69-678738a3a5c6}\❤≸⋙\Ⱒ☠⍨\‮ﯹ๛ [-] --> SUPPRIMÉ
[ZeroAccess][Repertoire] Ⱒ☠⍨ : C:\Documents and Settings\tigzy\Local Settings\Application Data\Google\Desktop\Install\{848ec4ef-b4fb-6501-ab69-678738a3a5c6}\❤≸⋙\Ⱒ☠⍨ [-] --> SUPPRIMÉ
[ZeroAccess][Repertoire] ❤≸⋙ : C:\Documents and Settings\tigzy\Local Settings\Application Data\Google\Desktop\Install\{848ec4ef-b4fb-6501-ab69-678738a3a5c6}\❤≸⋙ [-] --> SUPPRIMÉ
[ZeroAccess][Repertoire] {848ec4ef-b4fb-6501-ab69-678738a3a5c6} : C:\Documents and Settings\tigzy\Local Settings\Application Data\Google\Desktop\Install\{848ec4ef-b4fb-6501-ab69-678738a3a5c6} [-] --> SUPPRIMÉ
[ZeroAccess][Repertoire] L : C:\Program Files\Google\Desktop\Install\{848ec4ef-b4fb-6501-ab69-678738a3a5c6}\   \   ﯹ๛\{848ec4ef-b4fb-6501-ab69-678738a3a5c6}\L [-] --> SUPPRIMÉ
[ZeroAccess][Fichier] 00000001.@ : C:\Program Files\Google\Desktop\Install\{848ec4ef-b4fb-6501-ab69-678738a3a5c6}\   \   ﯹ๛\{848ec4ef-b4fb-6501-ab69-678738a3a5c6}\U\00000001.@ [-] --> SUPPRIMÉ
[ZeroAccess][Fichier] 80000000.@ : C:\Program Files\Google\Desktop\Install\{848ec4ef-b4fb-6501-ab69-678738a3a5c6}\   \   ﯹ๛\{848ec4ef-b4fb-6501-ab69-678738a3a5c6}\U\80000000.@ [-] --> SUPPRIMÉ
[ZeroAccess][Fichier] 800000cb.@ : C:\Program Files\Google\Desktop\Install\{848ec4ef-b4fb-6501-ab69-678738a3a5c6}\   \   ﯹ๛\{848ec4ef-b4fb-6501-ab69-678738a3a5c6}\U\800000cb.@ [-] --> SUPPRIMÉ
[ZeroAccess][Repertoire] U : C:\Program Files\Google\Desktop\Install\{848ec4ef-b4fb-6501-ab69-678738a3a5c6}\   \   ﯹ๛\{848ec4ef-b4fb-6501-ab69-678738a3a5c6}\U [-] --> SUPPRIMÉ
[ZeroAccess][Repertoire] {848ec4ef-b4fb-6501-ab69-678738a3a5c6} : C:\Program Files\Google\Desktop\Install\{848ec4ef-b4fb-6501-ab69-678738a3a5c6}\   \   ﯹ๛\{848ec4ef-b4fb-6501-ab69-678738a3a5c6} [-] --> SUPPRIMÉ AU REBOOT
[ZeroAccess][Repertoire]     : C:\Program Files\Google\Desktop\Install\{848ec4ef-b4fb-6501-ab69-678738a3a5c6}\   \    [-] --> SUPPRIMÉ AU REBOOT
[ZeroAccess][Repertoire]     : C:\Program Files\Google\Desktop\Install\{848ec4ef-b4fb-6501-ab69-678738a3a5c6}\    [-] --> SUPPRIMÉ AU REBOOT
[ZeroAccess][Repertoire] {848ec4ef-b4fb-6501-ab69-678738a3a5c6} : C:\Program Files\Google\Desktop\Install\{848ec4ef-b4fb-6501-ab69-678738a3a5c6} [-] --> SUPPRIMÉ AU REBOOT

Second Removal (after reboot)

¤¤¤ Fichiers / Dossiers particuliers: ¤¤¤
[ZeroAccess][Repertoire] Install : C:\Program Files\Google\Desktop\Install [-] --> SUPPRIMÉ
[ZeroAccess][Fichier] @ : C:\Program Files\Google\Desktop\Install\{848ec4ef-b4fb-6501-ab69-678738a3a5c6}\   \   \‮ﯹ๛\{848ec4ef-b4fb-6501-ab69-678738a3a5c6}\@ [-] --> SUPPRIMÉ
[ZeroAccess][Repertoire] U : C:\Program Files\Google\Desktop\Install\{848ec4ef-b4fb-6501-ab69-678738a3a5c6}\   \   \‮ﯹ๛\{848ec4ef-b4fb-6501-ab69-678738a3a5c6}\U [-] --> SUPPRIMÉ
[ZeroAccess][Repertoire] {848ec4ef-b4fb-6501-ab69-678738a3a5c6} : C:\Program Files\Google\Desktop\Install\{848ec4ef-b4fb-6501-ab69-678738a3a5c6}\   \   \‮ﯹ๛\{848ec4ef-b4fb-6501-ab69-678738a3a5c6} [-] --> SUPPRIMÉ
[ZeroAccess][Repertoire] ‮ﯹ๛ : C:\Program Files\Google\Desktop\Install\{848ec4ef-b4fb-6501-ab69-678738a3a5c6}\   \   \‮ﯹ๛ [-] --> SUPPRIMÉ
[ZeroAccess][Repertoire]     : C:\Program Files\Google\Desktop\Install\{848ec4ef-b4fb-6501-ab69-678738a3a5c6}\   \    [-] --> SUPPRIMÉ
[ZeroAccess][Repertoire]     : C:\Program Files\Google\Desktop\Install\{848ec4ef-b4fb-6501-ab69-678738a3a5c6}\    [-] --> SUPPRIMÉ
[ZeroAccess][Repertoire] {848ec4ef-b4fb-6501-ab69-678738a3a5c6} : C:\Program Files\Google\Desktop\Install\{848ec4ef-b4fb-6501-ab69-678738a3a5c6} [-] --> SUPPRIMÉ
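Both reports above follow one line shape: bracketed tags, the target, then an arrow and an outcome, with the outcome either a result word, a result word plus “AU REBOOT”, or a bracketed error code. The script below is an added example, not RogueKiller’s code: it parses that shape and sorts the items into deleted, scheduled for the reboot, and failed with an error code, which is the check to run on the first report before deciding whether the reboot-and-rescan pass is still needed. The sample report is constructed from shortened lines of the reports above; `{GUID}` replaces the real folder name and `S-1-5-21-...` the real SID.

```python
"""Parse a RogueKiller-style removal report and separate done, pending-reboot
and failed items.  Added example, not RogueKiller code; the sample report is
constructed from shortened lines of the page's own reports."""
import re

SECTION_RE = re.compile(r"^¤¤¤\s*(.*?)\s*:?\s*(\d+)?\s*¤¤¤$")
TAG_RE = re.compile(r"^((?:\[[^\]]*\])+)\s*(.*)$")
ARROW_RE = re.compile(r"\s--?>\s")       # " -> " on registry/process lines, " --> " on file lines
ERROR_RE = re.compile(r"^\[(0x[0-9A-Fa-f]+)\]\s*(.*)$")


def classify(status_text: str):
    """Return (status, error_code): 'error' with its code, 'reboot', or 'done'."""
    m = ERROR_RE.match(status_text)
    if m:
        return "error", m.group(1).lower()
    if "REBOOT" in status_text.upper():  # "SUPPRIMÉ AU REBOOT" / "REMOVED AT REBOOT"
        return "reboot", None
    return "done", None


def parse_report(text: str) -> list:
    """One dict per tagged line; section headers set the 'section' field."""
    records, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        m = TAG_RE.match(line)
        if not m:
            continue                         # free text such as a report header
        tags = re.findall(r"\[([^\]]*)\]", m.group(1))
        body = m.group(2)
        arrows = list(ARROW_RE.finditer(body))
        if not arrows:
            continue
        last = arrows[-1]                    # the outcome always follows the final arrow
        target = body[:last.start()].strip()
        status_text = body[last.end():].strip()
        label, _, detail = target.partition(" : ")   # "key or name : path/value"
        status, code = classify(status_text)
        records.append({"section": section, "tags": tags, "label": label,
                        "detail": detail, "target": target,
                        "status_text": status_text, "status": status, "code": code})
    return records


def summarize(text: str) -> dict:
    """Group parsed records by outcome."""
    recs = parse_report(text)
    return {s: [r for r in recs if r["status"] == s] for s in ("done", "reboot", "error")}


def needs_second_pass(text: str) -> bool:
    """True when something is still scheduled for reboot or failed outright."""
    s = summarize(text)
    return bool(s["reboot"] or s["error"])


# Constructed sample, shortened from the first report on the page.
SAMPLE_REPORT = r"""
¤¤¤ Processus malicieux : 1 ¤¤¤
[ZeroAccess][SERVICE] ???etadpug -- "C:\Program Files (x86)\Google\Desktop\Install\{GUID}\GoogleUpdate.exe" < [x] -> STOPPÉ

¤¤¤ Entrees de registre : 3 ¤¤¤
[RUN][ZeroAccess] HKCU\[...]\Run : Google Update ("C:\Users\tigzy\AppData\Local\Google\Desktop\Install\{GUID}\GoogleUpdate.exe" >) -> SUPPRIMÉ
[RUN][ZeroAccess] HKUS\S-1-5-21-...\[...]\Run : Google Update ("C:\Users\tigzy\AppData\Local\Google\Desktop\Install\{GUID}\GoogleUpdate.exe" >) -> [0xc0000034] Unknown error
[SERVICE][ZeroAccess] HKLM\[...]\CS001\[...]\Services : ???etadpug ("C:\Program Files (x86)\Google\Desktop\Install\{GUID}\GoogleUpdate.exe" < [x]) -> [0x57] Paramètre incorrect.

¤¤¤ Fichiers / Dossiers particuliers: ¤¤¤
[ZeroAccess][Repertoire] Install : C:\Documents and Settings\tigzy\Local Settings\Application Data\Google\Desktop\Install [-] --> SUPPRIMÉ
[ZeroAccess][Repertoire] Install : C:\Program Files\Google\Desktop\Install [-] --> SUPPRIMÉ AU REBOOT
[ZeroAccess][Fichier] @ : C:\Documents and Settings\tigzy\Local Settings\Application Data\Google\Desktop\Install\{GUID}\@ [-] --> SUPPRIMÉ
"""

if __name__ == "__main__":
    for status, items in summarize(SAMPLE_REPORT).items():
        print(f"{status}: {len(items)}")
        for r in items:
            print(f"   {r['section']} | {r['label']} | {r['status_text']}")
    print("second pass needed:", needs_second_pass(SAMPLE_REPORT))
```

The error codes are kept verbatim so they can be looked up: on the page, 0xc0000034 and 0x3 are “not found” outcomes for entries the API no longer sees, while 0x57 is an invalid-parameter failure on the padded service name; both kinds mean the item must be rechecked after the reboot rather than assumed gone.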

 

Old variants

06/26/2012 update:

ZeroAccess in its latest variant is no longer a rootkit. It only injects a Windows process (services.exe) with a DLL stored in several locations.
Here’s a video demonstrating how to get rid of it:

[youtube id="GW-z6F0LGeM" width="100%" height="400" position="left"]

Report should look like this:

¤¤¤ Entrees de registre: 2 ¤¤¤
[ZeroAccess] HKCR\[...]\InprocServer32 :  (\\.\globalroot\systemroot\Installer\{848ec4ef-b4fb-6501-ab69-678738a3a5c6}\n.) -> REPLACED (c:\windows\system32\wbem\wbemess.dll)
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
¤¤¤ Fichiers / Dossiers particuliers: ¤¤¤
[ZeroAccess][FILE] n : c:\windows\installer\{848ec4ef-b4fb-6501-ab69-678738a3a5c6}\n --> REMOVED
[ZeroAccess][FILE] @ : c:\windows\installer\{848ec4ef-b4fb-6501-ab69-678738a3a5c6}\@ --> REMOVED AT REBOOT
[Del.Parent][FILE] 00000001.@ : c:\windows\installer\{848ec4ef-b4fb-6501-ab69-678738a3a5c6}\U\00000001.@ --> REMOVED
[Del.Parent][FILE] 80000000.@ : c:\windows\installer\{848ec4ef-b4fb-6501-ab69-678738a3a5c6}\U\80000000.@ --> REMOVED
[Del.Parent][FILE] 800000cb.@ : c:\windows\installer\{848ec4ef-b4fb-6501-ab69-678738a3a5c6}\U\800000cb.@ --> REMOVED
[ZeroAccess][FOLDER] U : c:\windows\installer\{848ec4ef-b4fb-6501-ab69-678738a3a5c6}\U --> REMOVED
[ZeroAccess][FILE] n : c:\documents and settings\tigzy\local settings\application data\{848ec4ef-b4fb-6501-ab69-678738a3a5c6}\n --> REMOVED
[ZeroAccess][FILE] @ : c:\documents and settings\tigzy\local settings\application data\{848ec4ef-b4fb-6501-ab69-678738a3a5c6}\@ --> REMOVED

 

Initial version:

This rootkit removes AV protections and installs itself inside the TCP/IP stack, which leads to web redirections. It kills, and modifies the ACLs of, every program that tries to scan its files. It is composed of 3 parts:

  1. A DLL (consrv.dll) on x64 systems.
  2. A locked filesystem (C:/Windows/$NtUninstallKBxxxxx$) where it keeps its files, making sure they won’t be removed.
  3. A patched driver (x86), chosen at random. This driver is legitimate at the origin.

[youtube id="IAzvk3zf2PQ" width="100%" height="400" position="left"]

  • Download and launch TDSSKiller. Be careful to choose “cure” and “delete” on every object.
  • You should obtain a report like the following:

19:35:47.0004 1156    ============================================================
19:35:47.0309 1156    Initialize success
19:35:55.0922 1516    ============================================================
19:35:55.0922 1516    Scan started
19:35:55.0922 1516    Mode: Manual; SigCheck; TDLFS;
19:35:55.0922 1516    ============================================================
19:35:56.0019 1516    a04dba87        (8f2bb1827cac01aee6a16e30a1260199) C:\WINDOWS\2277133728:1605518712.exe
19:35:56.0046 1516    Suspicious file (Hidden): C:\WINDOWS\2277133728:1605518712.exe. md5: 8f2bb1827cac01aee6a16e30a1260199
19:35:56.0046 1516    a04dba87 ( HiddenFile.Multi.Generic ) - warning
19:35:56.0046 1516    a04dba87 - detected HiddenFile.Multi.Generic (1)
...
19:36:21.0921 1516    ============================================================
19:36:21.0921 1516    Scan finished
19:36:21.0921 1516    ============================================================
19:36:22.0020 1420    Detected object count: 3
19:36:22.0020 1420    Actual detected object count: 3
19:37:04.0646 1420    HKLM\SYSTEM\ControlSet001\services\a04dba87 - will be deleted on reboot
19:37:04.0656 1420    C:\WINDOWS\2277133728:1605518712.exe - will be deleted on reboot
19:37:04.0656 1420    a04dba87 ( HiddenFile.Multi.Generic ) - User select action: Delete
19:37:04.0656 1420    procguard ( UnsignedFile.Multi.Generic ) - skipped by user
19:37:04.0656 1420    procguard ( UnsignedFile.Multi.Generic ) - User select action: Skip
19:37:04.0712 1420    Backup copy found, using it..
19:37:04.0740 1420    C:\WINDOWS\system32\DRIVERS\tmtdi.sys - will be cured on reboot
19:37:04.0740 1420    tmtdi ( Rootkit.Win32.ZAccess.g ) - User select action: Cure
19:37:07.0963 1084    Deinitialize success

  • Then run ComboFix. It could take a long time.
  • You should obtain a report like the following:

((((((((((((((((((((((((((((((((((((   Autres suppressions   ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\$NtUninstallKB58677$
c:\windows\$NtUninstallKB58677$\2689448583\@
c:\windows\$NtUninstallKB58677$\2689448583\L\echiudpr
c:\windows\$NtUninstallKB58677$\2689448583\U\@00000001
c:\windows\$NtUninstallKB58677$\2689448583\U\@000000c0
c:\windows\$NtUninstallKB58677$\2689448583\U\@000000cb
c:\windows\$NtUninstallKB58677$\2689448583\U\@000000cf
c:\windows\$NtUninstallKB58677$\2689448583\U\@80000000
c:\windows\$NtUninstallKB58677$\2689448583\U\@800000c0
c:\windows\$NtUninstallKB58677$\2689448583\U\@800000cb
c:\windows\$NtUninstallKB58677$\2689448583\U\@800000cf
c:\windows\$NtUninstallKB58677$\339281305
c:\windows\{2521BB91-29B1-4d7e-9137-AC9875D77735}

The post Remove ZeroAccess (Guide) appeared first on Adlice Software.