Anybody fighting Zero Access rootkit

When I click Destroy Junction I get the following: "A directory beneath the reparse point exists! Click YES to delete or NO to explore directory." Clicking No takes me to the junction listed. Clicking Yes gives me "Could not delete the directory." Also, my junction is C:\WINDOWS\$NtUninstallKB47189$. This is in a VM, since the one I thought I was getting turned out to be a different issue.

Drat, worked fine for me yesterday. Did you first do the IFEO Modifier on the 123943454:349872398.exe file and reboot? Were you able to later delete the directory, and if so, how? Also, can you get me a copy of the variant you used to infect your VM?

Well done guys that all works nicely.

I'm still confused as to what the reparse point is actually doing. It appears to be a link to the config folder, but there is nothing visible in there. When you delete the junction it turns into a normal directory and you can see and delete the files. Or is that a normal effect of using that fsutil command, to pull the files from the other end of the link into the junction folder?

From that Prevx paper it looks like pointing it to the config folder is a leftover from an older variant of the app, which would create a virtual file system inside a randomly named file that it put in the config folder.

But since we're not seeing that in the latest variants, I think now there is no particular reason it is pointing to the config folder. It's just that the reparse point itself enables that $KBxxxx$ dir to not be accessed/deleted by normal means, but I don't think it matters at all where the reparse point links to.

With the possible exception that, say, attempting to delete the folder offline without first removing the reparse point might actually delete the config folder! On an online system, naturally, any delete attempts that were redirected to the config folder would be access denied...
 
I did not do the IFEO part, fail on my part. Will revert to snapshot then perform IFEO part then try the junction trick. I am using the variant from this thread.
 
I ran the IFEO Modifier, then restarted, and the infected .exe was no longer running. Then I ran the Junction tool and deleted the junction, but I am unable to delete the directory. I did take control of the directory as well.

For anyone else following the thread, here’s my removal procedure for now which has been working for me:

1. Fire up D7, click the D7 menu > IFEO Modifier. Find and select the rogue executable(s) in the drop-down list (e.g. 123587654:12987432.exe, but there could be others in addition; I'm seeing a new variant this morning that doesn't use ADS...). Hit the CREATE button. Now it won't be able to execute itself and stop you from standard removal.

2. DO NOT DELETE THE MALWARE YET. SIMPLY REBOOT THE PC. (When the PC reboots you’ll note the malicious EXE is no longer running.)

3. Use TDSSKiller and cure anything it finds. Alternatively, there are a few specific tools for this that may be useful to add to your flash drive. I have not yet used them, but note that neither tool does step 7 below, so don't skip that final step! http://anywhere.webrootcloudav.com/antizeroaccess.exe and http://www.malwarecity.com/community/index.php?app=downloads&showfile=34

4. REBOOT AGAIN.

NOTE: I haven't seen this infection in the MBR yet, but who knows, a new variant may come out and infect it... so now would be a good time to FIXMBR. Currently this step isn't necessary, however.

5. Open D7, go to Tweaks tab > NTFS Junctions. Scan the Windows directory. When found, you should see one junction, probably named $NtUninstallKB32069$ or similar. Highlight the directory, click Destroy Junction. When prompted, delete the directory underneath, unless you wish to visually inspect it. Now the malware is really gone.

6. Follow up with the usual scans as if it were a normal infection. Don't forget to delete the random numbers directory containing the ADS in %windir% (e.g. 123587654) if it exists, and the other rogue EXEs you created an IFEO for.

7. Run the Repair Permissions function on D7's malware or repair tab. This fixes all of the ACL problems caused by the malware, should fix the antivirus (confirm it), and also MSSE installation or any other Installer error 2203s that would otherwise occur.
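As an added example (not D7's code and not posted by anyone in the thread), here is the same procedure done by hand from an elevated PowerShell 3.0+ session, which is the fallback when the IFEO drop-down in step 1 doesn't list the process or the Destroy Junction button in step 5 can't remove the directory. It also makes the point from the earlier discussion concrete: the reparse data must be stripped before anything is deleted, otherwise a recursive delete follows the junction into its target. Assumptions: the rogue image name, the junction name and the random-numbers directory are the thread's examples; the function names and the debugger stub path are mine; the exact value D7's IFEO Modifier writes is not shown on the page, so this uses a nonexistent debugger path, which has the same blocking effect.

```powershell
# Added example: manual equivalent of steps 1, 5 and 6 above. Run elevated.
# Assumed names: $ImageName / junction / directory values below come from the
# thread's examples; the debugger stub path is an assumption.

# Step 1: IFEO Debugger entry. When an image name has a Debugger value, the
# loader starts the "debugger" with the image as its argument instead of the
# image itself. A path that does not exist makes every launch of the rogue
# EXE fail. Uses the .NET registry API so a colon in an ADS-style image name
# (123587654:12987432.exe) is never mistaken for a PowerShell drive qualifier.
# Existing copies keep running until reboot (step 2 of the procedure).
function Block-ImageViaIFEO {
    param(
        [Parameter(Mandatory)] [string] $ImageName,
        [string] $DebuggerStub = 'C:\nonexistent\blocked.exe'   # assumed stub path
    )
    $ifeoPath = 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    $base = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($ifeoPath, $true)
    $sub  = $base.CreateSubKey($ImageName)
    $sub.SetValue('Debugger', $DebuggerStub, [Microsoft.Win32.RegistryValueKind]::String)
    $sub.Close(); $base.Close()
    return "HKLM\$ifeoPath\$ImageName"
}

# Step 5: list reparse points directly under %windir%. A genuine
# $NtUninstallKB...$ folder left by Windows Update is a plain directory, so
# any reparse point with that naming pattern is suspect. fsutil shows the
# reparse tag and, for a junction, the substitute name (the link target).
function Find-WindirReparsePoints {
    Get-ChildItem -LiteralPath $env:windir -Force |
        Where-Object { $_.PSIsContainer -and ($_.Attributes -band [IO.FileAttributes]::ReparsePoint) } |
        ForEach-Object {
            $info = (& fsutil.exe reparsepoint query $_.FullName) -join "`n"
            [pscustomobject]@{ Path = $_.FullName; ReparseInfo = $info }
        }
}

# Strip the reparse data FIRST, then fix ownership/ACLs and delete. Order
# matters: a recursive delete through a live junction follows the link (here
# into the config folder), which is the hazard noted earlier in the thread.
# Once the reparse data is gone the entry is an ordinary directory again and
# its contents can be inspected and removed.
function Remove-RogueJunction {
    param([Parameter(Mandatory)] [string] $Path)
    $item = Get-Item -LiteralPath $Path -Force
    if (-not ($item.Attributes -band [IO.FileAttributes]::ReparsePoint)) {
        throw "$Path is not a reparse point; refusing to touch it"
    }
    & fsutil.exe reparsepoint delete $Path
    if ($LASTEXITCODE -ne 0) { throw "fsutil reparsepoint delete failed on $Path" }
    # The malware's ACLs normally block deletion: take ownership, re-grant
    # BUILTIN\Administrators (S-1-5-32-544) full control, then remove.
    & takeown.exe /F $Path /R /D Y | Out-Null
    & icacls.exe $Path /grant '*S-1-5-32-544:(OI)(CI)F' /T /C | Out-Null
    Get-ChildItem -LiteralPath $Path -Force -Recurse | Select-Object FullName, Length, LastWriteTime
    Remove-Item -LiteralPath $Path -Recurse -Force
}

# Step 6: show the alternate data streams hung off the random-numbers
# directory, so the hidden EXE is visible before the directory is deleted.
function Get-DirectoryStreams {
    param([Parameter(Mandatory)] [string] $Path)
    Get-Item -LiteralPath $Path -Force -Stream * |
        Where-Object { $_.Stream -ne ':$DATA' } |
        Select-Object FileName, Stream, Length
}

# Usage, in this order, with a reboot between the IFEO block and the cleanup:
#   Block-ImageViaIFEO -ImageName '123587654:12987432.exe'   # then reboot
#   Find-WindirReparsePoints
#   Remove-RogueJunction -Path (Join-Path $env:windir '$NtUninstallKB32069$')
#   Get-DirectoryStreams -Path (Join-Path $env:windir '123587654')
#   Remove-Item -LiteralPath (Join-Path $env:windir '123587654') -Recurse -Force
```

Remove-RogueJunction refuses to run on anything that is not a reparse point, so a typo in the path cannot turn it into a plain recursive delete of a real system folder. The ACL repair here is local to the one directory; the thread's step 7 (D7's Repair Permissions) is still needed for the rest of the damage.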

Darn. I just used it again this morning and it worked...?

Just to see if it's a bug with my code, or what... try from an elevated command prompt the manual way which othersteve first brought to my attention earlier in this thread, and see if that works.
 
Got it to work. Before I realized you had listed your steps, I decided to run TDSSKiller, then reboot. After that I was able to delete the directory. I did the steps in this order: 1, 2, 5, 3, 4, and it worked. Foolish, you are the man; donation coming your way.
 
Foolish, I noticed you stated to select the .exe during the IFEO Modifier part, but when I clicked the drop-down menu it wasn't listed. Is it supposed to be listed here? There were other .exes in there. I just typed in what I found in Task Manager and it worked.

Yeah, I haven't figured this out yet, but some processes can hide from my detection on the IFEO Modifier drop-down list... my variant this morning did :\ but yesterday's didn't. In either case, doing exactly what you did will work!
 
Had another one of these today, few changes:

There was a randomly numbered file stored in system32 that I kept being referred to, no file suffix etc.; removed easily enough. Perhaps this was the file it mounts as an encrypted drive, like TrueCrypt does, for example. Time stamp matched the infection date/time exactly.

It had also infected (or something that came along at the same time had) some common file names. I was so busy tracing the tricks above that I overlooked this initially, and things kept coming back.

names were:
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe

This one also seemed to be infecting more system files; it listed 8 of the usual suspects, though some only came after I tried removing it without catching the ADS stream (forgot).

Still, quick turn around on it. Symptoms were only a few redirects so didn't expect something this fun this morning :)


p.s. @foolish - junction function worked a treat, thanks :)
 
Hey ZenTree,

Were they just injected executable images in memory? I had a ZA variant that did this but the actual files on disk were in fact uninfected. It was merely the kernel driver injecting code I believe that led the executables to be reported as infected.
 
Hi Steve, that's very interesting. As far as I know I had removed the infection by this point (2nd time, after the ADS idiocy) and was just running a scan in safe mode when this popped. Uploaded the files to VirusTotal and they came back as being infected as well, so hopefully I wasn't missing something.
System passed multiple reboots and secondary scans after that point without anything coming back; you've got me worried now :p Machine is already back with the client, so I will have to check back with them over the phone tomorrow.
@foolish - Glad I could entertain:D

edit: there was a Rapport .sys file that was coming up as infected while I was dealing with the usual ipsec.sys etc., but all scans on it from VirusTotal came back clean, so that would probably explain that, thanks. I removed it from the equation anyway and didn't replace it, since the .exe looked suspect and they were planning to reinstall themselves.

This virus just keeps on getting more interesting :)
 