How to determine if the infection is by the Zeroaccess/sirefef rootkit.
1: The continuous resetting of ACLs for any most regularly used malware scanners.
2: The Presence of this process in the infected computer which runs off this autostart service.
- Once the computer is known to be infected by zeroaccess assume that it has been compromised, and more infections are present as the Trojan opens a backdoor on the infected machine. The most common FAKE AVs found so far on computers infected with zeroaccess are open cloud and guard AVguard, Wolfram etc.
Here are the activation code for most of the associated FAKEAVs which might make disinfection
Less distracting
Code for AV Guard online, guard online, cloud protection(NEW), try any of these:
9992665263
1148762586
1171249582
1186796371
1196121858
1225242171
1354156739
1579859198
1789847197
1835437232
1837663686
1961232582
Open Cloud antivirus Code:
DB038748-B4659586-4A1071AF-32E768CD-36005B1B-F4520642-3000BF2A-04FC910B
-The presence of a FAKE AV can complicate removal, as none of the approved removal tools except combofix can defy the ACL modifications of the rootkit and therefore be protected from any regular scanners.
-Removal of zeroaccess then has to be quick and dirty, and of necessity involve a broad spectrum of scanners.
The ideal method of remediation would be as follows.
*Unless specified otherwise run all of these tools simultaneously.*
Start the computer in safe mode with networking and remove the FAKEAV autostarts manually and if possible infected files manually. We need to do this so that we can concentrate completely on removing the main infection. RESTART THE COMPUTER IN NORMAL MODE, **very important**
FYI
Using GMER to determine the infected files is possible however requires a practiced hand and can often lead to errorneous conclusions, but it is still useful to identify the driver that zaccess infects, unless the options circled in red are unchecked however the malware soon shuts down GMER and disables it.
As of now the only unpatched tool which is able to defend itself against the sort of techniques zeroaccess employs is TDSS Killer. However do not use TDSS Killer to try and cure the zaccess infected driver. Use it to target the service which runs as the numbered process, and to identify the infected driver.
Hitman pro can resist the ACL modification only once and does not survive a reboot, therefore it has to be run simultaneously. Running hitman pro gives us the chance to identify and remove autostarts and other infections which might possibly prove dangerous, it also gives us the option to try and replace the infected driver, use this but make sure that it is not set to delete the infected file.
The infected driver now needs to be replaced we can use these tools by McAfee or ESET who have made standalone removal utilities for the Zeroaccess rootkit only. Manually replacing these is possible but is not advised as it may result in loss of functionality. Both utilities are excellent however the ESET utility has been observed to have a better detection and disinfection rate. Download links for these are at end.
McAfee sirefef removal tool: http://vil.nai.com/images/562354_2.zip
Eset Sirefef removal tool: http://download.eset.com/special/encyclopaedia/ESETSirefefRemover.exe
Tausif
Using recovery console to rewrite the MBR might help as well, especially if you have a tdss Variant as well.
ReplyDelete