KATUSHA with ZACCESS


4 replies to this topic

#1 TM_Paul

TM_Paul

  • Members
  • 35 posts
  • Gender:Male
  • Location:NABU

Posted 20 October 2011 - 12:32 AM

I would like to ask if I can post the steps that I was able to do that led me to successfully resolve my malware problem with KATUSHA and ZACCESS?

Edited by hamluis, 20 October 2011 - 12:28 PM.
Moved from Malware Removal Logs to Av, Firewall, etc.


"I'll be your silent guardian. A watchful protector. A dark knight..."



#2 hamluis

hamluis

    Moderator


  • Moderator
  • 56,567 posts
  • Gender:Male
  • Location:Killeen, TX

Posted 20 October 2011 - 12:32 PM

I moved your post from the Log forum to this one.

If you post your steps/actions here, it will give us a better idea where such feedback should wind up.

Thanks for understanding :).

Louis

#3 TM_Paul

TM_Paul
  • Topic Starter

  • Members
  • 35 posts
  • Gender:Male
  • Location:NABU

Posted 20 October 2011 - 11:12 PM

Thanks Louis. As for my steps, here they are...

This may help you guys in dealing with the malware named "KATUSHA" that has an additional rootkit payload - ZACCESS. Normally it's easy to remove this; you just have to understand how this thing works and what workarounds you can do. I'm not good at writing blogs or instructions, but I will try my best to make this as understandable as possible.

Malware Name: Trojan:Win32/Orsam!rts (Microsoft); Packed.Win32.Katusha.b (Kaspersky); PTCH_KATUSHA.W (Trend Micro)
Malware Type: Trojan

Payloads:
- injects itself into normal running processes
- disables antivirus and corrupts it by injecting its code into the antivirus .dll and .exe files
- downloads other malware such as worms, fake AV and rootkits
- slows the system down
- web search redirections

Initial symptoms of this malware infecting the system:
- you will see a running process in your Task Manager that is similar to this format - xxxxxxxxxx:xxxxxxxxxx.exe
e.g:
1717079585:3731990425.exe
2876273623:8923768464.exe

- a fake AV invades your system, namely AV GUARD ONLINE, CLOUD SECURITY, AV SECURITY, etc.
- you get redirected when trying to do a web search

NOTE: your best bet that the system is infected with this malware is the 1st symptom about the running process.


Removal Process:
1. Log in to the computer as the local administrator.
2. Disable system restore (for WinXP only)
3. Configure the folder view to show all hidden files and folders.
4. Do a Windows search for the first section of the running executable. Normally this file is located in %systemroot%.

e.g
2876273623:8923768464.exe
search: 2876273623

NOTE: Modify the search to look for hidden items as well

5. Once you find the file, right click on it and deny all access to it by removing the inherited permissions. DO NOT DELETE THE FILE. (The file size is 0 bytes. That's OK.)

====TO DENY PERMISSION DO THESE STEPS:====

FYI: You need admin rights to do this.

1. Right click on the file and choose Properties
2. Click on the Security tab
3. Click on the Advanced button
4. Uncheck "Inherit the permission from the parent....."
5. On the pop-up box choose Remove
6. Click OK. The permissions should be all gone.

============================================

6. Back up your registry
7. Go to the registry and do another search for the first section of the executable. Delete all the entries you find with it.
8. Reboot the computer, then check Task Manager > Processes. The xxxxxxxxxx:xxxxxxxxxx.exe should no longer be running.

NOTE: the xxxxxxxxxx:xxxxxxxxxx.exe is the one responsible for stopping all the antivirus scans on your computer; that's why it needs to be stopped first.

9. Download TDSSKiller and run it. This should detect the ZACCESS rootkit. Do not restart the computer just yet after the scan.
10. Download the Kaspersky Virus Cleanup tool or any free cleanup tool you can find (Malwarebytes, AVG Free, HouseCall, etc.) and do a full system scan on the computer.

NOTE: My recommendation would be ~ MBAM (full system scan)

11. After the scan is done, reboot the computer and see if all is working now.
12. Download and apply Windows patches, since this malware exploits vulnerabilities on your computer.

Edited by TM_Paul, 21 October 2011 - 02:33 PM.


"I'll be your silent guardian. A watchful protector. A dark knight..."


#4 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,648 posts
  • Gender:Female
  • Location:Romania

Posted 22 October 2011 - 12:22 PM

Hello TM_Paul,
Thank you for sharing this solution. However, I would like to make a few notes on some of your steps, as they have the potential of causing more problems than they resolve.

NOTE: your best bet that the system is infected with this malware is the 1st symptom about the running process.

This is a positive identification on a 32 bit system, not on a 64 bit system, as the rootkit uses a different infection routine there.

Removal Process:
1. Log in to the computer as the local administrator.
2. Disable system restore (for WinXP only)

Disabling system restore is about the worst thing you can do; it does not help at all in the removal process, but it effectively deletes any backup present through system restore on the system. Because many security products target this rootkit only partially, in many cases the registry backup created by system restore is required. If you have disabled system restore, you will no longer have these backups, which in certain cases can have serious consequences. For example: when an associated service containing unique data has been deleted together with the infected driver.

5. Once you find the file, right click on it and deny all access to it by removing the inherited permissions. DO NOT DELETE THE FILE. (The file size is 0 bytes. That's OK.)

This is not a file, it is an alternative data stream. Removing file permissions is not very helpful; on the next reboot the rootkit infected driver will just create another one.

6. Back up your registry
7. Go to the registry and do another search for the first section of the executable. Delete all the entries you find with it.

As said, this component is an alternative data stream; it is not present in the registry.

After the rootkit is cleaned, you'll need to check for files that are void of permissions; usually these are security application executables that have been run in an attempt to clean the infection. You can use a tool like Sysinternals' Junction to search for the files.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 


Malware analyst @ Emsisoft
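An added hunting script, not from this thread or any of its posters, that turns the indicators discussed above into read-only checks: the digits:digits.exe process from TM_Paul's post, and the alternate data stream on a zero-byte host file plus the executables left without permissions from Elise's reply. It assumes PowerShell 3.0 or later (for Get-Item -Stream and Get-ChildItem -File) and an elevated prompt; the function names are my own.

```powershell
# Host file name (ten digits), a colon, then the stream name ending in .exe,
# exactly the xxxxxxxxxx:xxxxxxxxxx.exe shape described in the post.
$adsPattern = '\\\d{10}:\d{10}\.exe$'

# 1. Running processes whose image path ends in <digits>:<digits>.exe.
#    $_.Path is $null for processes we cannot open, so it is tested first.
function Get-SuspectProcess {
    Get-Process | Where-Object { $_.Path -and ($_.Path -match $adsPattern) } |
        Select-Object Id, ProcessName, Path
}

# 2. Ten-digit host files in %SystemRoot% that carry a named data stream.
#    ':$DATA' is the ordinary unnamed stream of every file and is skipped,
#    so anything listed here is the payload stream, not the 0-byte host.
function Get-SuspectStream {
    Get-ChildItem -LiteralPath $env:SystemRoot -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match '^\d{10}$' } |
        ForEach-Object {
            Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                Select-Object FileName, Stream, Length
        }
}

# 3. Post-cleanup check: executables whose DACL is empty ("void of
#    permissions"). A file that refuses to show its ACL at all is reported
#    too, since an empty DACL denies READ_CONTROL to everyone but the owner.
#    $Root is an assumed starting point; widen it as needed.
function Get-LockedExecutable {
    param([string]$Root = $env:ProgramFiles)
    Get-ChildItem -LiteralPath $Root -Recurse -File -Filter *.exe -ErrorAction SilentlyContinue |
        ForEach-Object {
            try {
                $acl = Get-Acl -LiteralPath $_.FullName -ErrorAction Stop
                if ($acl.Access.Count -eq 0) {
                    [pscustomobject]@{ Path = $_.FullName; State = 'EmptyDacl' }
                }
            } catch {
                [pscustomobject]@{ Path = $_.FullName; State = 'AccessDenied' }
            }
        }
}

Get-SuspectProcess
Get-SuspectStream
Get-LockedExecutable
```

Nothing here modifies the system; it only lists what a cleanup tool or a manual permissions repair would then need to act on.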

 



#5 TM_Paul

TM_Paul
  • Topic Starter

  • Members
  • 35 posts
  • Gender:Male
  • Location:NABU

Posted 22 October 2011 - 04:39 PM

Hi Ms. Elise. I sent you a personal message ^_^

Edited by TM_Paul, 22 October 2011 - 06:55 PM.


"I'll be your silent guardian. A watchful protector. A dark knight..."




