RTKT_ZEROACCES.A
Windows 2000, Windows XP, Windows Server 2003
Threat Type: Trojan
Destructiveness: No
Encrypted: Yes
In the wild: Yes
OVERVIEW
This Trojan may be unknowingly downloaded by a user while visiting malicious websites.
It deletes itself after execution.
TECHNICAL DETAILS
74240 bytes
EXE
No
12 Apr 2011
Connects to URLs/Ips
Arrival Details
This Trojan may be unknowingly downloaded by a user while visiting malicious websites.
Other Details
This Trojan adds and runs the following services:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\.{name of SYS}
ImagePath = \*
It deletes itself after execution.
NOTES:
To run the malware using the added service registry, it creates a symbolic link which points"\*" to the malware using ZwCreateSymbolicLinkObject API.
It deletes the created service registry after the first execution.
It also overwrites a randomly selected .SYS file in the following location:
- %System%\drivers\
This is detected by Trend Micro as RTKT_ZEROACCES.B.
To choose the target .SYS file, it follows the conditions below:
- must be between classpnp.sys and win32k.sys
- file extension is .SYS
- file size is greater than the size of the SYS component, 0x7400 bytes
- value in the following registry is greater than 0:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{driver name}
Start
It creates a hidden volume the following location:
- %System%\config\{8randomchars}
It then loads fmifs.dll and uses the FormatEx API to format the hidden volume using NTFS. This is where the clean copy of the overwritten driver is saved.
It also attempts to connect to the following URL:
- {BLOCKED}.{BLOCKED}.226.180/ask?a={value}&u={value}&m={value}&h={value}
SOLUTION
8.900
Step 1
For Windows XP and Windows Server 2003 users, before doing any scans, please make sure you disable System Restore to allow full scanning of your computer.
Step 2
Remove malware files dropped/downloaded by RTKT_ZEROACCES.A
- RTKT_ZEROACCES.B
Step 3
Scan your computer with your Trend Micro product to delete files detected as RTKT_ZEROACCES.A. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.
Did this description help? Tell us how we did.