ZeroAccess rootkit fun - not so much.

Thread Starter

SgtWookie

Joined Jul 17, 2007
22,230
This one's REALLY quite annoying.

A friend called me last week, saying they were having problems with their computer (again; I'd fixed it a couple of months ago when his registry exited stage left) and asked me if I could come over Saturday and have a look at it.

McAfee's writeup:
https://kc.mcafee.com/resources/sit...US/McAfee Labs Threat Advisory-ZeroAccess.pdf
You really should read the above, as this ZeroAccess not only kills most antivirus tools, it buries them by revoking access privileges.

I spent the better part of Saturday trying to get his system cleaned of this thing. Didn't know what it was at first; kept getting browser redirects when trying Google searches. I'd installed AVG Free 2012 previously, but it wasn't working. Unfortunately, his CD-ROM drive wasn't functional, so my toolkit of diagnostic CDs was worthless.

The Windows Installer was not active, and I couldn't start the task. It turned out that when I tried running msiexec.exe I got "Access is denied" - the rootkit had removed all access privileges after killing the process. Apparently, Microsoft Update had tried to install a replacement for a "tripwire" (think of it as a file used as "bait"), and msiexec.exe had tried to update the tripwire file (in this case it was mrxsmb.sys, as in the .pdf file - but it can be many other files). As soon as a process/program tries to access the tripwire files, the rootkit attaches an APC that causes the process/program to exit immediately - and revokes access.

This really gets annoying as tool after tool gets killed and access removed. I couldn't even install a number of tools I normally would use since msiexec wasn't started. Tried using GMER, but didn't know about the "tripwire", so GMER got killed along with the other tools.

It can't revoke privileges on flash drives/USB sticks nor CDs, so they are good things to have handy.

I took the computer home with me so I could swap out the CD-ROM with a working one. Finally got rid of the rootkit using the latest ComboFix; and then it's been a time putting the machine back together.

Of course you have to reset privileges back to defaults, but this rootkit ALSO got rid of (deleted) secedit.exe, along with revoking privs; had to expand a new one but call it secedi.exe until the privs were restored.
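Added example, not SgtWookie's own code or anything from the McAfee advisory: a small PowerShell audit that checks the files named in the post above (msiexec.exe, secedit.exe, mrxsmb.sys) for the two symptoms described, a file that has been deleted outright and a file whose DACL no longer grants Administrators or SYSTEM any access (or carries an explicit Deny). The paths assume a default Windows install under $env:windir and are assumptions; run it from an elevated prompt, ideally from a USB stick as the post suggests, and treat anything other than OK as a reason to look closer.

```powershell
# Added example (not from the thread): report files that are missing or whose
# ACL no longer grants the expected built-in principals access.
# Paths are assumptions for a default Windows install; adjust as needed.
$Targets = @(
    "$env:windir\System32\msiexec.exe",
    "$env:windir\System32\secedit.exe",
    "$env:windir\System32\drivers\mrxsmb.sys"
)

# Principals that should always hold an Allow ACE on system binaries.
$Expected = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')

function Test-FileAccess {
    param([string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) {
        # secedit.exe was reported deleted outright, so a missing file is a finding.
        return [pscustomobject]@{ Path = $Path; Status = 'MISSING'; Detail = '' }
    }

    try {
        $acl = Get-Acl -LiteralPath $Path
    } catch {
        # "Access is denied" on a file that exists is the symptom described above.
        return [pscustomobject]@{ Path = $Path; Status = 'ACL-UNREADABLE'; Detail = $_.Exception.Message }
    }

    # Principals with no Allow entry at all.
    $missing = foreach ($id in $Expected) {
        $allow = $acl.Access | Where-Object {
            $_.IdentityReference.Value -eq $id -and $_.AccessControlType -eq 'Allow'
        }
        if (-not $allow) { $id }
    }

    # Explicit Deny entries are never present on these files by default.
    $deny = $acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' }

    if ($missing -or $deny -or $acl.Access.Count -eq 0) {
        $detail = @()
        if ($acl.Access.Count -eq 0) { $detail += 'empty DACL' }
        if ($missing) { $detail += "no Allow for: $($missing -join ', ')" }
        if ($deny) {
            $who = $deny | ForEach-Object { $_.IdentityReference.Value } | Select-Object -Unique
            $detail += "explicit Deny for: $($who -join ', ')"
        }
        return [pscustomobject]@{ Path = $Path; Status = 'SUSPECT'; Detail = ($detail -join '; ') }
    }

    [pscustomobject]@{ Path = $Path; Status = 'OK'; Detail = "owner=$($acl.Owner)" }
}

$Targets | ForEach-Object { Test-FileAccess $_ } | Format-Table -AutoSize
```

The check is deliberately coarse (presence of an Allow ACE rather than a specific rights mask) so that inherited generic-rights entries do not produce false positives; the point is to spot files whose access has been stripped or that are gone, which is exactly what a fresh secedit-based reset of the default permissions is meant to repair.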
 

Georacer

Joined Nov 25, 2009
5,182
It's been a VERY long time since I had a virus in my PC, to a point that I underestimate antivirus software. I guess it's like AIDS. Awareness and conscious use of your tool is everything.
 

strantor

Joined Oct 3, 2010
6,782
I guess it's like AIDS. Awareness and conscious use of your tool is everything.
Also like AIDS, it helps if you don't slum around on the wrong side of town. I used to get into all kinds of viruses back when I had a penchant for downloading bootleg software. Now I play with electronics and it's a lot harder to get AIDS that way.
 

Wendy

Joined Mar 24, 2008
23,415
I may be wrong, but I believe ComboFix was developed by the folks at MajorGeeks.com. If I'm right it is best to get it from the source.
 

studiot

Joined Nov 9, 2007
4,998
BleepingComputer is the parent site for ComboFix.

It is indeed a good tool, so long as you have sufficient control of the pc to run it.

Sometimes safemode is best for this.

I have today the unenviable task of telling an owner that his PC has picked up the Ramnit virus, for which there is no known cure.

The problem with this one is that it goes through your files adding a piece of code to each one, any of which can restart the virus. If you remove infected files and sufficient system files have been infected Windows becomes unworkable.

So the only cure is a complete format and reinstallation.

I found about four and a half thousand infected executable files in this installation.
 

ErnieM

Joined Apr 24, 2011
8,377
I've got the redirect virus 2 or 3 times from work, where I download nothing if it is not off a manufacturer's site (i.e., Microchip tools), and stay way away from any out-of-the-mainstream websites. I assume IT has an effective AV installed (I forget which one), but they still get in somehow.

First time I found a link to using tdsskiller and several other apps to do the cleaning. It still works, though I update whenever I'm fixin' it again.
 