Rootkit.Sirefef.Gen

MEDIUM
HIGH
varies
(Sophos: Troj/ZAccess-L, Troj/ZAccess-I, HPmal/ZAccess-A; Avira: RKIT/ZeroAccess.A)

Symptoms

Unwanted pop-ups on the infected machine; background network traffic to and from attacker-controlled command-and-control servers.

Removal instructions:

Run the attached removal tool and let it disinfect the system. The system may reboot once the scan completes.

Analyzed By

Bogdan BOTEZATU

Technical Description:

ZeroAccess/Sirefef is a sophisticated kernel-mode rootkit that is installed when a ZeroAccess dropper is executed. The dropper first checks whether it is running on a 32- or a 64-bit machine by querying the ZwQueryInformationProcess API.

If the system has UAC enabled, the malware manipulates the system so that a legitimate application appears to be the one requesting elevation: it drops a clean copy of the Flash Player installer into a temporary directory and loads it, so the elevation prompt the user sees belongs to a legitimate installer rather than to the malware.

The Windows Firewall is turned off, and the malware attempts to disable a series of security sub-systems such as WinDefend (Windows Defender service), wscsvc (Windows Security Center service) and WinHttpAutoProxySvc (WinHTTP Web Proxy Auto-Discovery service). On a 32-bit operating system, ZeroAccess then installs its kernel-mode rootkit; on a 64-bit machine it executes its code directly from memory instead.
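A host triage check for the service and firewall tampering described above, as an added example that is not part of the original description and is not Bitdefender's removal tool. It parses the text output of the stock `sc query`, `sc qc` and `netsh advfirewall` commands, so the logic can be exercised offline against captured output; the sample outputs embedded below are constructed for illustration, and on a Windows host the same functions run over live output. The expected start types (WinDefend and wscsvc auto-start, WinHttpAutoProxySvc on demand, so a stopped WinHttpAutoProxySvc is not by itself suspicious) are an assumption about a default Windows 7-era install, not something the description states.

```python
"""Triage for ZeroAccess/Sirefef-style tampering with Windows security services.

Example code added to this description (not Bitdefender's tool). Parsers work on
captured `sc`/`netsh` text; collect_live() runs the same commands on a Windows host.
"""
import re
import subprocess
import sys

# Services the description says the dropper tries to disable.
WATCHED_SERVICES = {
    "WinDefend": "Windows Defender service",
    "wscsvc": "Windows Security Center service",
    "WinHttpAutoProxySvc": "WinHTTP Web Proxy Auto-Discovery service",
}

# Constructed sample output (not captured from a real infection), used by the tests.
SAMPLE_SC_QUERY = {
    "WinDefend": "SERVICE_NAME: WinDefend\n        TYPE               : 20  WIN32_SHARE_PROCESS\n"
                 "        STATE              : 1  STOPPED\n        WIN32_EXIT_CODE    : 1077  (0x435)\n",
    "wscsvc": "SERVICE_NAME: wscsvc\n        TYPE               : 20  WIN32_SHARE_PROCESS\n"
              "        STATE              : 4  RUNNING\n        WIN32_EXIT_CODE    : 0  (0x0)\n",
    "WinHttpAutoProxySvc": "SERVICE_NAME: WinHttpAutoProxySvc\n        TYPE               : 20  WIN32_SHARE_PROCESS\n"
                           "        STATE              : 1  STOPPED\n        WIN32_EXIT_CODE    : 1077  (0x435)\n",
}
SAMPLE_SC_QC = {
    "WinDefend": "[SC] QueryServiceConfig SUCCESS\n\nSERVICE_NAME: WinDefend\n"
                 "        START_TYPE         : 4   DISABLED\n        DISPLAY_NAME       : Windows Defender\n",
    "wscsvc": "[SC] QueryServiceConfig SUCCESS\n\nSERVICE_NAME: wscsvc\n"
              "        START_TYPE         : 2   AUTO_START  (DELAYED)\n        DISPLAY_NAME       : Security Center\n",
    "WinHttpAutoProxySvc": "[SC] QueryServiceConfig SUCCESS\n\nSERVICE_NAME: WinHttpAutoProxySvc\n"
                           "        START_TYPE         : 3   DEMAND_START\n        DISPLAY_NAME       : WinHTTP Web Proxy Auto-Discovery Service\n",
}
SAMPLE_NETSH = (
    "Domain Profile Settings:\n----------\nState                                 OFF\n\n"
    "Private Profile Settings:\n----------\nState                                 OFF\n\n"
    "Public Profile Settings:\n----------\nState                                 ON\n\nOk.\n"
)


def parse_sc_query(text):
    """STATE name from `sc query <svc>` output (e.g. 'RUNNING'); None if the service
    is missing (sc prints 'OpenService FAILED 1060' and no STATE line)."""
    m = re.search(r"^\s*STATE\s*:\s*\d+\s+([A-Z_]+)", text, re.MULTILINE)
    return m.group(1) if m else None


def parse_sc_qc(text):
    """START_TYPE name from `sc qc <svc>` output (e.g. 'DISABLED'); None if absent."""
    m = re.search(r"^\s*START_TYPE\s*:\s*\d+\s+([A-Z_]+)", text, re.MULTILINE)
    return m.group(1) if m else None


def parse_firewall_state(text):
    """Map profile name -> 'ON'/'OFF' from `netsh advfirewall show allprofiles state`."""
    states, profile = {}, None
    for line in text.splitlines():
        head = re.match(r"^(\w+) Profile Settings:", line)
        if head:
            profile = head.group(1)
            continue
        st = re.match(r"^State\s+(ON|OFF)$", line.strip())
        if st and profile:
            states[profile] = st.group(1)
    return states


def assess(query_out, qc_out, netsh_out):
    """Return findings matching the tampering described above; [] means none observed.
    query_out / qc_out map service name -> raw `sc query` / `sc qc` output."""
    findings = []
    for svc, desc in WATCHED_SERVICES.items():
        state = parse_sc_query(query_out.get(svc, ""))
        start = parse_sc_qc(qc_out.get(svc, ""))
        if state is None:
            findings.append(f"{svc} ({desc}): service missing or query failed")
        elif start == "DISABLED":
            findings.append(f"{svc} ({desc}): start type set to DISABLED")
        elif start == "AUTO_START" and state != "RUNNING":
            # A demand-start service being stopped is normal; an auto-start one is not.
            findings.append(f"{svc} ({desc}): auto-start service is {state}")
    for profile, state in parse_firewall_state(netsh_out).items():
        if state == "OFF":
            findings.append(f"Windows Firewall {profile} profile is OFF")
    return findings


def collect_live():
    """Run the commands on the local Windows host; returns (query_out, qc_out, netsh_out)."""
    def run(*args):
        return subprocess.run(args, capture_output=True, text=True).stdout
    query_out = {s: run("sc", "query", s) for s in WATCHED_SERVICES}
    qc_out = {s: run("sc", "qc", s) for s in WATCHED_SERVICES}
    return query_out, qc_out, run("netsh", "advfirewall", "show", "allprofiles", "state")


if __name__ == "__main__":
    if not sys.platform.startswith("win"):
        sys.exit("run this on the Windows host being triaged")
    for line in assess(*collect_live()) or ["no tampering observed"]:
        print(line)
```

On the constructed sample the check reports three findings: WinDefend disabled and the Domain and Private firewall profiles off; the stopped WinHttpAutoProxySvc is not reported because it is a demand-start service. A clean result only means these particular changes were not seen, so it complements rather than replaces a scan with the removal tool.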