ZeroAccess.C

[gumbie02151]

I recently got this virus (ZeroAccess.C) The non-rootkit revision apparently. Norton AV stopped it partially but not fully. At first detect, I shutdown and placed jumper on hard drive to make it Read-Only. I like to investigate virii I get from time to time, especially the ones that make it past my AV.

To make a long story longer, I finally managed to clean my drive of the infection, at least enough that it wasn't re-infected after booting.

I am currently dissecting the binary as much as to my ability, and I noticed a few things people should be aware of; The systems x509 stores have been compromised. Fake certificates inserted, valid ones deleted, or moved to banned store. This is large scale, 100+ edits, I can see.

Another thing, is this looks for various installed software, and for instance say you have SVN Subversion for windows, like I do, then the virus claims the daemon for its own, working as svncache, but also tagging files you'd check-in. I assume to propagate itself to others. It also puts dormant code in Visual Studio's libraries. I assume waiting till you use the tainted item, and then re-infection! Every AV scanner I used misses all of the mentioned issues. I am in the processes of making a better cleaner, this will entail completed uninstall of all programs that are checked for. complete erasure! Obviously a clean wipe and re-install is best, but keep in mind this virus pollutes DLL back-up cache along with restore points.  The thing that got me was once you start to try to remove it, it makes it look as if your installed AV is a problem, I hopes you uninstall it, and then the virus can embed itself deeper I would assume (I haven't let it do this yet, but the 'blame the AV' is obvious).

The \windows\assembly folder is special, you can see it better if you have Cygwin installed, or at least 'ls' Cygwin style to use....   Besides Desktop.ini that is polluted, a few shellEx's are setup, that re-infect on simple and common actions a user will do.

I read that this version is really a bot, that gives the hacker remote control of the machine.. I am looking for the bot-nets URL address, entry point, and common auths, as to track down the distributor, and spy on them using their own virus. Oh also forward anything found to proper authorities. I am a novice at this stuff, but I figure its better to learn from this type of exploring than other purposes reversing is used.

[AdvancedSetup]

Hello and

 

I'm sorry but this section of the forum is for those users looking for help to detect or remove an infection. 

 

If you're just wanting to post your disdain over this type of infection it should probably go in one of the General type forums.

 

Thanks

[gumbie02151]

Sorry, I thought that was what I was doing!   All the posts I have read, say do this, that, another thing.. None of them state how deeply the infection may go. No one I assume took time to study the virus... I was just trying to be informative, and educational.

 

The point is, this virus infects differently depending on software found, and it play possum.. I thought that was important for someone to know!??

[AdvancedSetup]

It is not a virus and is very well known and studied already by hundreds of Security Experts.  Again this specific forum is for those looking for help.  Unless I've misread your post I don't see you asking for help, but rather giving your opinion of it.  There really isn't too much that isn't already known about this infection.

 

Here are a couple of many that are available on this subject.

 

http://en.wikipedia.org/wiki/ZeroAccess_botnet

 

http://nakedsecurity.sophos.com/zeroaccess/

 

Thanks again

[AdvancedSetup]

Since this issue is resolved I will close the thread to prevent others from posting here. If you need assistance please start your own topic and someone will be happy to assist you.