(Sophos Troj/ZAccess-L, Troj/ZAccess-I, HPmal/ZAccess-A
ZeroAccess/Sirefef is a sophisticated kernel-mode rootkit that gets installed when a ZeroAccess dropper gets executed. Initially, the dropper checks to see whether it is running on a 32- or a 64-bit machine by querrying the ZWQueryInformationProcess api. If it runs on a system that has UAC enabled, the malware manipulates the system to make a legit application look as if it requires escalation. This is achieved by loading a clean copy of the FlashPlayer installer that is dropped to a temporary directory. The Windows Firewall is turned off and the malware will try to disable a series of security sub-systems such as WinDefend (Windows Defender service), wscsvc (Windows Security Center service), WinHttpAutoProxySvc (Proxy Auto Discovery service). If the dropper runs on a 32-bit operating system, ZeroAccess installs a kernel-mode rootkit. If it runs on a 64-bit machine, it executes its code directly from the memory.