Modified by: Rika Joi Gregorio
ALIASES:

Trojan.Zeroaccess!g46(Symantec), W32/ZAccess.DHPV!tr.bdr(Fortinet), Win32/Sirefef.FY trojan(Eset)

 PLATFORM:

Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:
 INFORMATION EXPOSURE:

  • Threat Type: Trojan

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It deletes itself after execution.

  TECHNICAL DETAILS

File Size: 132,096 bytes
File Type: EXE
Memory Resident: Yes
Initial Samples Received Date: 17 Dec 2013

Arrival Details

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Trojan drops the following copies of itself into the affected system and executes them:

  • %AppDataLocal%\Google\Desktop\Install\{GUID}\{unprintable characters1}\{unprintable characters2}\{RLO + unprintable characters3}\{GUID}\GoogleUpdate.exe
  • %Program Files%\Google\Desktop\Install\{GUID}\{unprintable characters1}\{unprintable characters2}\{RLO + unprintable characters3}\{GUID}\GoogleUpdate.exe

(Note: %AppDataLocal% is the Local Application Data folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local on Windows Vista and 7.. %Program Files% is the default Program Files folder, usually C:\Program Files in Windows 2000, Server 2003, and XP (32-bit), Vista (32-bit), and 7 (32-bit), or C:\Program Files (x86) in Windows XP (64-bit), Vista (64-bit), and 7 (64-bit).)

It drops the following component file(s):

  • %Windows%\assembly\GAC\Desktop.ini - detected as TROJ_SIREFEF.BZO
  • %AppDataLocal%\Google\Desktop\Install\{GUID}\{unprintable characters1}\{unprintable characters2}\{RLO + unprintable characters3}\{GUID}\@ - config file
  • %Program Files%\Google\Desktop\Install\{GUID}\{unprintable characters1}\{unprintable characters2}\{RLO + unprintable characters3}\{GUID}\@ - config file

(Note: %Windows% is the Windows folder, which is usually C:\Windows.. %AppDataLocal% is the Local Application Data folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local on Windows Vista and 7.. %Program Files% is the default Program Files folder, usually C:\Program Files in Windows 2000, Server 2003, and XP (32-bit), Vista (32-bit), and 7 (32-bit), or C:\Program Files (x86) in Windows XP (64-bit), Vista (64-bit), and 7 (64-bit).)

It creates the following folders:

  • %AppDataLocal%\Google\Desktop\Install\{GUID}
  • %AppDataLocal%\Google\Desktop\Install\{GUID}\{unprintable characters1}
  • %AppDataLocal%\Google\Desktop\Install\{GUID}\{unprintable characters1}\{unprintable characters2}
  • %AppDataLocal%\Google\Desktop\Install\{GUID}\{unprintable characters1}\{unprintable characters2}\{RLO + unprintable characters3}
  • %AppDataLocal%\Google\Desktop\Install\{GUID}\{unprintable characters1}\{unprintable characters2}\{RLO + unprintable characters3}\{GUID}
  • %AppDataLocal%\Google\Desktop\Install\{GUID}\{unprintable characters1}\{unprintable characters2}\{RLO + unprintable characters3}\{GUID}\U
  • %AppDataLocal%\Google\Desktop\Install\{GUID}\{unprintable characters1}\{unprintable characters2}\{RLO + unprintable characters3}\{GUID}\L
  • %Program Files%\Google\Desktop\Install\{GUID}
  • %Program Files%\Google\Desktop\Install\{GUID}\{unprintable characters1}
  • %Program Files%\Google\Desktop\Install\{GUID}\{unprintable characters1}\{unprintable characters2}
  • %Program Files%\Google\Desktop\Install\{GUID}\{unprintable characters1}\{unprintable characters2}\{RLO + unprintable characters3}
  • %Program Files%\Google\Desktop\Install\{GUID}\{unprintable characters1}\{unprintable characters2}\{RLO + unprintable characters3}\{GUID}
  • %Program Files%\Google\Desktop\Install\{GUID}\{unprintable characters1}\{unprintable characters2}\{RLO + unprintable characters3}\{GUID}\U
  • %Program Files%\Google\Desktop\Install\{GUID}\{unprintable characters1}\{unprintable characters2}\{RLO + unprintable characters3}\{GUID}\L

(Note: %AppDataLocal% is the Local Application Data folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local on Windows Vista and 7.. %Program Files% is the default Program Files folder, usually C:\Program Files in Windows 2000, Server 2003, and XP (32-bit), Vista (32-bit), and 7 (32-bit), or C:\Program Files (x86) in Windows XP (64-bit), Vista (64-bit), and 7 (64-bit).)

Autostart Technique

This Trojan adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
Google Update = ""%AppDataLocal%\Google\Desktop\Install\{GUID}\{unprintable characters1}\{unprintable characters2}\{RLO + unprintable characters3}\{GUID}\GoogleUpdate.exe" >"

It registers its dropped component as a system service to ensure its automatic execution at every system startup. It does this by creating the following registry entries:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\{RLO character}etadpug
ImagePath = "%Program Files%\Google\Desktop\Install\{GUID}\{unprintable characters1}\{unprintable characters2}\{RLO + unprintable characters3}\{GUID}\GoogleUpdate.exe"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\{RLO character}etadpug
DisplayName = "Google Update Service (gupdate)"

It registers its dropped component as a system service to ensure its automatic execution at every system startup. It does this by creating the following registry keys:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\{RLO character}etadpug

Other System Modifications

This Trojan deletes the following registry keys:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Enum\Root\LEGACY_BITS

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Enum\Root\LEGACY_SHAREDACCESS

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Enum\Root\LEGACY_WSCSVC

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Enum\Root\LEGACY_WUAUSERV

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\wscsvc

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\wuauserv

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\BITS

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\wuauserv

Other Details

This Trojan deletes itself after execution.

NOTES:

This Trojan connects to the following URL to get the geographical information of the affected system:

  • http://j.maxmind.com/app/geoip.js

  SOLUTION

Minimum Scan Engine: 9.700
FIRST VSAPI PATTERN FILE: 10.364.04
FIRST VSAPI PATTERN DATE: 25 Oct 2013
VSAPI OPR PATTERN File: 10.365.00
VSAPI OPR PATTERN Date: 25 Oct 2013

NOTES:

Step 1

Before doing any scans, Windows XP, Windows Vista, and Windows 7 users must disable System Restore to allow full scanning of their computers.

Step 2

Backup Autorun Registry Key

  1. Open the Registry Editor by pressing Windows Key + R , type regedit into the Run input box, and then pressing ENTER.
  2. Locate the key:
    HKEY_CURRENT_USER\Software\Microsoft\Windows\Current Version\Run
  3. Click the File menu, and then click Export.
  4. In the Save in box, select the location where you want to save the backup copy, and then type a name for the backup file in the File name box.
  5. Click Save.

Step 3

Disable Service Registry

  1. Open the Registry Editor by pressing Windows Key + R , type regedit into the Run input box, and then pressing ENTER.
  2. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>services>gupdate
  3. In the right panel, locate the registry value:
    ImagePath = "%Program Files%\Google\Desktop\Install\{GUID}\{unprintable characters1}\{unprintable characters2}\{RLO + unprintable characters3}\{GUID}\GoogleUpdate.exe"
  4. Right-click on the value name and choose Modify. Change the value data of this entry to:
    ImagePath = "@"
  5. In the right panel, locate the registry value:
    Start = "2"
  6. Right-click on the value name and choose Modify. Change the value data of this entry to:
    Start = "4"

Step 4

For Windows Vista and later versions, you may skip 1 and 2 and just add permission by pressing 'yes' button on permission pop-up, For other Windows operating system versions, you need to assign an owner for the malware folder in order to access/delete it. To do this you need the following steps:

  1. Open the folder %AppDataLocal%\Google\Desktop\Install\{GUID}\{unprintable characters1}\{unprintable characters2}\{RLO + unprintable characters3}
    (Note: %AppDataLocal% is the Local Application Data folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local on Windows Vista and 7. %Program Files% is the default Program Files folder, usually C:\Program Files in Windows 2000, Server 2003, and XP (32-bit), Vista (32-bit), and 7 (32-bit), or C:\Program Files (x86) in Windows XP (64-bit), Vista (64-bit), and 7 (64-bit).)
  2. In the menu bar above, click Tools>Folder Options>View Tab. Uncheck use simple file sharing (Recommended) then press apply.

  3. Right Click the {GUID} folder and click Properties. Click Security Tab>Advanced button>Owner.
  4. Choose any owner then press 'Apply' button.

  5. Re-open folder Properties then on Security Tab. Checked the Full Control Box (Allow) then click 'Apply' button.
  6. Delete the folder to remove the malware.
  7. Open the folder %Program Files%\Google\Desktop\Install\{GUID}\{unprintable characters1}\{unprintable characters2}\{RLO + unprintable characters3}.
  8. In the menu bar above click Tools>Folder Options>View Tab. Uncheck 'use simple file sharing (Recommended)' then press apply.
  9. Right Click the {GUID} folder and click Properties. Click Security Tab>Advanced button>Owner.
  10. Choose any owner then press 'Apply' button.
  11. Re-open folder Properties then on Security Tab. Checked the Full Control Box (Allow) then click 'Apply' button.
  12. Delete the contents of the folder excluding '@' file. (This is non-malicious but can be deleted upon restart).
  13. Restore the registry entries backup in Step 2 by executing the .reg file in saved folder and file name you specified.

Step 5

Restart in normal mode and scan your computer with your Trend Micro product for files detected as TROJ_ZACCESS.SMJ. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files.


Did this description help? Tell us how we did.