Analysis by: Michael Cabel
 Modified by: Kathleen Notario

 PLATFORM:

Windows Vista 64-bit, Windows 7 64-bit, Windows XP Professional 64 bit, Windows Server 2003 64 bit, Windows Server 2008 64 bit


  • Threat Type: Trojan

  • Destructiveness: No

  • Encrypted: No

  • In the wild: Yes

  OVERVIEW

This is the Trend Micro detection for 64-bit DLL components of the ZeroAccess malware family.

  TECHNICAL DETAILS

File Size: 54,272 bytes
File Type: DLL
Initial Samples Received Date: 06 Oct 2011

Autostart Technique

This Trojan modifies the following registry entry(ies) to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Control\Session Manager\SubSystems
Windows = "%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=consrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16"

(Note: The default value data of the said registry entry is %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16.)
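The infected and default value data quoted above differ only in the ServerDll entries, which is what a defender can check for. The following script is an added example, not part of this advisory or of any Trend Micro tool: it parses the SubSystems\Windows value data into its ServerDll entries and reports any DLL outside the expected set (basesrv, winsrv). Both sample strings are the values quoted above; the live registry read is only attempted on Windows.

```python
import sys

# Constructed samples: the value data this advisory reports as set by the Trojan,
# and the default value data it quotes for comparison.
INFECTED_VALUE = (
    r"%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 "
    "Windows=On SubSystemType=Windows ServerDll=basesrv,1 "
    "ServerDll=consrv:UserServerDllInitialization,3 "
    "ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16"
)
DEFAULT_VALUE = (
    r"%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 "
    "Windows=On SubSystemType=Windows ServerDll=basesrv,1 "
    "ServerDll=winsrv:UserServerDllInitialization,3 "
    "ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16"
)

# Server DLLs that appear in the stock value on the platforms listed in this advisory.
EXPECTED_SERVER_DLLS = {"basesrv", "winsrv"}


def server_dlls(value_data):
    """Return (dll, entrypoint, slot) tuples for every ServerDll= token in the value."""
    entries = []
    for token in value_data.split():
        if not token.startswith("ServerDll="):
            continue
        spec = token[len("ServerDll="):]          # e.g. consrv:UserServerDllInitialization,3
        name, _, slot = spec.partition(",")       # split off the trailing slot number
        dll, _, entry = name.partition(":")       # split off the optional entry point
        entries.append((dll.lower(), entry, slot))
    return entries


def unexpected_server_dlls(value_data, expected=EXPECTED_SERVER_DLLS):
    """Return ServerDll entries whose DLL is not in the expected set (e.g. consrv)."""
    return [e for e in server_dlls(value_data) if e[0] not in expected]


def read_live_value():
    """On Windows, read the real SubSystems\\Windows value; return None elsewhere."""
    if sys.platform != "win32":
        return None
    import winreg
    key_path = r"SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as key:
        data, _ = winreg.QueryValueEx(key, "Windows")
    return data


if __name__ == "__main__":
    data = read_live_value() or INFECTED_VALUE   # fall back to the sample off-Windows
    for dll, entry, slot in unexpected_server_dlls(data):
        print(f"unexpected ServerDll: {dll} ({entry or 'no entry point'}, slot {slot})")
```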

Process Termination

This Trojan terminates the following services if found on the affected system:

  • Windows Firewall service (MpsSvc)

NOTES:

It monitors the autostart registry entry and restores it to point to consrv if it detects that the entry has been changed.

It then edits the Winsock2 registry keys, changing all of the entries under them as follows:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries
LibraryPath = "mswsock.dll"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries64
PackedCatalogItem = "mswsock.dll"

It then drops the following files under %System Root%\assembly, replacing them if they already exist:

  • GAC_32\Desktop.ini
  • GAC_64\Desktop.ini
(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.)

Note that these binaries only act as loaders for the following files:

  • \\.\globalroot\systemroot\assembly\temp\u\80000032.@
  • \\.\globalroot\systemroot\assembly\temp\u\80000064.@

The above-mentioned binaries are not included in this malware and may be dropped by another dropper, which is probably the one that has arrived with this sample.

It also replaces the section objects \\KnownDlls\mswsock.dll and \\KnownDlls32\mswsock.dll with these files. As a result, whenever mswsock.dll is loaded, the dropped Desktop.ini is loaded instead.

It then searches for the svchost.exe process whose command line contains netsvcs. A new thread is then injected to this remote process. This thread is responsible for loading the third binary in memory. It copies the contents of the third binary into a new section and calls the entry point to execute the malicious routine.

The last binary is responsible for the following routines:

  • Listening for backdoor commands
  • Downloading of additional components and injecting these components into the memory

After these routines, this malware uses LoadLibrary to load the original winsrv.dll file found in the registry.

  SOLUTION

Minimum Scan Engine: 9.200
FIRST VSAPI PATTERN FILE: 8.476.12
FIRST VSAPI PATTERN DATE: 06 Oct 2011
VSAPI OPR PATTERN File: 8.477.00
VSAPI OPR PATTERN Date: 07 Oct 2011

Step 1

For Windows XP and Windows Server 2003 users, before doing any scans, please make sure you disable System Restore to allow full scanning of your computer.

Step 2

Restart in Safe Mode


Step 3

Restore this modified registry value


Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how, or ask your system administrator for assistance. Otherwise, check the relevant Microsoft article first before modifying your computer's registry.

  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems
    • From: Windows = "%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=consrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16"
      To: Windows = "%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16"

Step 4

Search and delete these files

There may be some component files that are hidden. Please make sure you check the Search Hidden Files and Folders checkbox in the "More advanced options" option to include all hidden files and folders in the search result.
  • %Windows%\assembly\GAC_32\Desktop.ini
  • %Windows%\assembly\GAC_64\Desktop.ini

Step 5

Restart in normal mode and scan your computer with your Trend Micro product for files detected as TROJ_SIREFEF.BX. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.

NOTES:

Restore these modified registry keys/values from Backup

Note: Only Microsoft-related keys/values are restored. If the malware/grayware also modified registry keys/values related to programs that are not from Microsoft, please reinstall those programs on the computer.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries
LibraryPath = "mswsock.dll"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries64
PackedCatalogItem = "mswsock.dll"

If Operating System is Windows 7 64-bit, kindly perform the following manual removal instructions instead before proceeding to Step 4:

  1. Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter.
  2. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE\System\Select
  3. In the right panel, locate the following registry entry and take note of the value:
    LastKnownGood = {number}
    Example: LastKnownGood = 2
    Note: If LastKnownGood is set to "2", it points to "ControlSet002".
  4. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE\System\ControlSet00{noted number}\Control\Session Manager\SubSystems
    Example: HKEY_LOCAL_MACHINE\System\ControlSet002\Control\Session Manager\SubSystems
  5. In the right panel, locate the registry value:
    Windows = %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=consrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16
  6. Right-click on the value name and choose Modify. Change the value data of this entry to:
    Windows = %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16
  7. Restart your computer.
  8. Press F8 after the Power-On Self Test (POST) routine is done. If the Advanced Boot Options menu does not appear, try restarting then pressing F8 several times after the POST screen appears.
  9. On the Advanced Boot Options menu, use the arrow keys to select the Last Known Good Configuration option then press Enter.
  10. Check whether the registry still contains consrv. If it does not, you may delete the file consrv.dll.
    Note: If you are not able to complete step 8 on the first attempt, or consrv is still in your registry at step 10, perform the steps again from step 1.
