RTKT_ZEROACCES.A

This Trojan may be unknowingly downloaded by a user while visiting malicious websites.

It deletes itself after execution.

Arrival Details

This Trojan may be unknowingly downloaded by a user while visiting malicious websites.

Other Details

This Trojan adds and runs the following services:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\.{name of SYS}
ImagePath = \*

It deletes itself after execution.

NOTES:

To run the malware using the added service registry, it creates a symbolic link which points"\*" to the malware using ZwCreateSymbolicLinkObject API.

It deletes the created service registry after the first execution.

It also overwrites a randomly selected .SYS file in the following location:

• %System%\drivers\

This is detected by Trend Micro as RTKT_ZEROACCES.B.

To choose the target .SYS file, it follows the conditions below:

• must be between classpnp.sys and win32k.sys
• file extension is .SYS
• file size is greater than the size of the SYS component, 0x7400 bytes
• value in the following registry is greater than 0:
  

  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{driver name}
  Start

It creates a hidden volume the following location:

• %System%\config\{8randomchars}

It then loads fmifs.dll and uses the FormatEx API to format the hidden volume using NTFS. This is where the clean copy of the overwritten driver is saved.

It also attempts to connect to the following URL:

• {BLOCKED}.{BLOCKED}.226.180/ask?a={value}&u={value}&m={value}&h={value}