New ZeroAccess variant not detected by FRST (Farbar Recovery Software Tool)


3 replies to this topic

#1 Neil1970Poole


  • Members
  • 2 posts
  • Gender:Male

Posted 02 August 2013 - 07:44 AM

Good Afternoon,

Not sure if this has anything to do with Farbar Recovery Scan Tool (FRST); if not, maybe you can forward it on to the correct person or team. There is a new variant of ZeroAccess doing the rounds that the FRST tool does not detect. The new variant is described in the following link:

hxxp:/nakedsecurity.sophos.com/2013/07/31/zeroaccess-malware-revisited-new-version-yet-more-devious/?utm_source=feedburner&utm_medium=feed&utm_content=Netvibes&utm_campaign=Feed%3A+nakedsecurity+%28Naked+Security+-+Sophos%29

Basically the payload files are now being found in the following Path(s):

c:\program files\Google\Desktop\Install\{7e85e7dc-4063-5461-5388-f06482b6da28}\ \...\???\{7e85e7dc-4063-5461-5388-f06482b6da28}\@
c:\program files\Google\Desktop\Install\{7e85e7dc-4063-5461-5388-f06482b6da28}\ \...\???\{7e85e7dc-4063-5461-5388-f06482b6da28}\L\00000004.@
c:\program files\Google\Desktop\Install\{7e85e7dc-4063-5461-5388-f06482b6da28}\ \...\???\{7e85e7dc-4063-5461-5388-f06482b6da28}\L\6715e287
c:\program files\Google\Desktop\Install\{7e85e7dc-4063-5461-5388-f06482b6da28}\ \...\???\{7e85e7dc-4063-5461-5388-f06482b6da28}\U\00000004.@
c:\program files\Google\Desktop\Install\{7e85e7dc-4063-5461-5388-f06482b6da28}\ \...\???\{7e85e7dc-4063-5461-5388-f06482b6da28}\U\00000008.@
c:\program files\Google\Desktop\Install\{7e85e7dc-4063-5461-5388-f06482b6da28}\ \...\???\{7e85e7dc-4063-5461-5388-f06482b6da28}\U\000000cb.@
c:\program files\Google\Desktop\Install\{7e85e7dc-4063-5461-5388-f06482b6da28}\ \...\???\{7e85e7dc-4063-5461-5388-f06482b6da28}\U\80000000.@
c:\program files\Google\Desktop\Install\{7e85e7dc-4063-5461-5388-f06482b6da28}\ \...\???\{7e85e7dc-4063-5461-5388-f06482b6da28}\U\80000032.@
c:\program files\Google\Desktop\Install\{7e85e7dc-4063-5461-5388-f06482b6da28}\0103~1\...\???\{7e85e7dc-4063-5461-5388-f06482b6da28}\@
c:\program files\Google\Desktop\Install\{7e85e7dc-4063-5461-5388-f06482b6da28}\0103~1\...\???\{7e85e7dc-4063-5461-5388-f06482b6da28}\L\00000004.@
c:\program files\Google\Desktop\Install\{7e85e7dc-4063-5461-5388-f06482b6da28}\0103~1\...\???\{7e85e7dc-4063-5461-5388-f06482b6da28}\L\6715e287
c:\program files\Google\Desktop\Install\{7e85e7dc-4063-5461-5388-f06482b6da28}\0103~1\...\???\{7e85e7dc-4063-5461-5388-f06482b6da28}\U\00000004.@
c:\program files\Google\Desktop\Install\{7e85e7dc-4063-5461-5388-f06482b6da28}\0103~1\...\???\{7e85e7dc-4063-5461-5388-f06482b6da28}\U\00000008.@
c:\program files\Google\Desktop\Install\{7e85e7dc-4063-5461-5388-f06482b6da28}\0103~1\...\???\{7e85e7dc-4063-5461-5388-f06482b6da28}\U\000000cb.@
c:\program files\Google\Desktop\Install\{7e85e7dc-4063-5461-5388-f06482b6da28}\0103~1\...\???\{7e85e7dc-4063-5461-5388-f06482b6da28}\U\80000000.@
c:\program files\Google\Desktop\Install\{7e85e7dc-4063-5461-5388-f06482b6da28}\0103~1\...\???\{7e85e7dc-4063-5461-5388-f06482b6da28}\U\80000032.@
c:\program files\Google\Desktop\Install\{7e85e7dc-4063-5461-5388-f06482b6da28}\0103~1\7154~1\???\{7e85e7dc-4063-5461-5388-f06482b6da28}\@
c:\program files\Google\Desktop\Install\{7e85e7dc-4063-5461-5388-f06482b6da28}\0103~1\7154~1\???\{7e85e7dc-4063-5461-5388-f06482b6da28}\L\00000004.@
c:\program files\Google\Desktop\Install\{7e85e7dc-4063-5461-5388-f06482b6da28}\0103~1\7154~1\???\{7e85e7dc-4063-5461-5388-f06482b6da28}\L\6715e287
c:\program files\Google\Desktop\Install\{7e85e7dc-4063-5461-5388-f06482b6da28}\0103~1\7154~1\???\{7e85e7dc-4063-5461-5388-f06482b6da28}\U\00000004.@
c:\program files\Google\Desktop\Install\{7e85e7dc-4063-5461-5388-f06482b6da28}\0103~1\7154~1\???\{7e85e7dc-4063-5461-5388-f06482b6da28}\U\00000008.@
c:\program files\Google\Desktop\Install\{7e85e7dc-4063-5461-5388-f06482b6da28}\0103~1\7154~1\???\{7e85e7dc-4063-5461-5388-f06482b6da28}\U\000000cb.@
c:\program files\Google\Desktop\Install\{7e85e7dc-4063-5461-5388-f06482b6da28}\0103~1\7154~1\???\{7e85e7dc-4063-5461-5388-f06482b6da28}\U\80000000.@
c:\program files\Google\Desktop\Install\{7e85e7dc-4063-5461-5388-f06482b6da28}\0103~1\7154~1\???\{7e85e7dc-4063-5461-5388-f06482b6da28}\U\80000032.@
c:\program files\Google\Desktop\Install\{7e85e7dc-4063-5461-5388-f06482b6da28}\0103~1\7154~1\CFFE~1\{7e85e7dc-4063-5461-5388-f06482b6da28}\@
c:\program files\Google\Desktop\Install\{7e85e7dc-4063-5461-5388-f06482b6da28}\0103~1\7154~1\CFFE~1\{7e85e7dc-4063-5461-5388-f06482b6da28}\L\00000004.@
c:\program files\Google\Desktop\Install\{7e85e7dc-4063-5461-5388-f06482b6da28}\0103~1\7154~1\CFFE~1\{7e85e7dc-4063-5461-5388-f06482b6da28}\L\6715e287
c:\program files\Google\Desktop\Install\{7e85e7dc-4063-5461-5388-f06482b6da28}\0103~1\7154~1\CFFE~1\{7e85e7dc-4063-5461-5388-f06482b6da28}\U\00000004.@
c:\program files\Google\Desktop\Install\{7e85e7dc-4063-5461-5388-f06482b6da28}\0103~1\7154~1\CFFE~1\{7e85e7dc-4063-5461-5388-f06482b6da28}\U\00000008.@
c:\program files\Google\Desktop\Install\{7e85e7dc-4063-5461-5388-f06482b6da28}\0103~1\7154~1\CFFE~1\{7e85e7dc-4063-5461-5388-f06482b6da28}\U\000000cb.@
c:\program files\Google\Desktop\Install\{7e85e7dc-4063-5461-5388-f06482b6da28}\0103~1\7154~1\CFFE~1\{7e85e7dc-4063-5461-5388-f06482b6da28}\U\80000000.@
c:\program files\Google\Desktop\Install\{7e85e7dc-4063-5461-5388-f06482b6da28}\0103~1\7154~1\CFFE~1\{7e85e7dc-4063-5461-5388-f06482b6da28}\U\80000032.@

c:\users\Em\AppData\Local\Google\Desktop\Install\{7e85e7dc-4063-5461-5388-f06482b6da28}\???\???\???\{7e85e7dc-4063-5461-5388-f06482b6da28}\@
c:\users\Em\AppData\Local\Google\Desktop\Install\{7e85e7dc-4063-5461-5388-f06482b6da28}\???\???\???\{7e85e7dc-4063-5461-5388-f06482b6da28}\GoogleUpdate.exe
c:\users\Em\AppData\Local\Google\Desktop\Install\{7e85e7dc-4063-5461-5388-f06482b6da28}\C3C1~1\01C8~1\CFFE~1\{7e85e7dc-4063-5461-5388-f06482b6da28}\@
c:\users\Em\AppData\Local\Google\Desktop\Install\{7e85e7dc-4063-5461-5388-f06482b6da28}\C3C1~1\01C8~1\CFFE~1\{7e85e7dc-4063-5461-5388-f06482b6da28}\GoogleUpdate.exe

The paths above seem to contain Unicode characters (example below):

C:\Program Files\Google\Desktop\Install\{dcb40829-6181-578b-9cc1-336672298693}\   \...\\{dcb40829-6181-578b-9cc1-336672298693}\GoogleUpdate.exe

It also creates a hidden driver/service as described in the earlier link.

Can FRST.exe and FRST64.exe be updated to include detection of this new variant of ZeroAccess?

Many thanks,


#2 Quads


  • Members
  • 86 posts
  • Gender:Male
  • Location:CHCH New Zealand

Posted 03 August 2013 - 12:00 AM

Examples of the service, which does appear at times, from 3 logs. Seeing it is one thing; dealing with it by these tools is another.

Combofix

R2 ?etadpug;Google Update Service (gupdate);c:\program files (x86)\Google\Desktop\Install\{e79d61e6-9b74-9ace-3555-c97004525cf9}\ \...\???\{e79d61e6-9b74-9ace-3555-c97004525cf9}\GoogleUpdate.exe <;c:\program files (x86)\Google\Desktop\Install\{e79d61e6-9b74-9ace-3555-c97004525cf9}\ \...\???\{e79d61e6-9b74-9ace-3555-c97004525cf9}\GoogleUpdate.exe < [x]

OTL

O23 - Service: Google Update Service (gupdate) (?etadpug) . (...) - C:\Program Files (x86)\Google\Desktop\Install\{c9940291-904a-83a3-407e-b260f98ab069}\ \...\???\{c9940291-904a-83a3-407e-b260f98ab069}\GoogleUpdate.exe

FRST

U2 ‮etadpug; C:\Program Files\Google\Desktop\Install\{3b803de2-9b3a-e14d-88f0-70942e83e842}\ \...\‮ﯹ๛\{3b803de2-9b3a-e14d-88f0-70942e83e842}\GoogleUpdate.exe [0 ] (Advanced Micro Devices, Inc.)

Quads
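An added check, not from these posts or from FRST, ComboFix or OTL, that a responder could run over service and path lines like those in the first two posts: it reports Unicode format-control characters (the right-to-left override that makes the stored service name "etadpug" render as "gupdate") and the blank or control-laden directory names in the install path. The sample lines and the GUID in them are constructed placeholders, not values from the thread.

```python
import re
import unicodedata

def format_controls(text):
    """Return [(index, 'U+XXXX', name)] for every Unicode format-control
    character (general category Cf: bidi overrides, zero-width joiners, ...)
    in text. An empty list means nothing invisible is hiding in it."""
    return [(i, f"U+{ord(c):04X}", unicodedata.name(c, "UNKNOWN"))
            for i, c in enumerate(text) if unicodedata.category(c) == "Cf"]

def stored_and_rendered(name):
    """Strip format controls to get the stored (logical) name. If a
    right-to-left override (U+202E) is present, everything after it is drawn
    reversed, so also return the text a user would actually see."""
    stored = "".join(c for c in name if unicodedata.category(c) != "Cf")
    if "\u202e" not in name:
        return stored, stored
    head, _, tail = name.partition("\u202e")
    tail = "".join(c for c in tail if unicodedata.category(c) != "Cf")
    return stored, head + tail[::-1]

def odd_path_components(path):
    """Directory names that are blank/whitespace-only or carry format
    controls, e.g. the '\\ \\' and '\\<RLO>...\\' folders seen above."""
    return [c for c in path.split("\\")[1:] if c.strip() == "" or format_controls(c)]

def scan(line):
    """Parse a '<type> <service name>; <image path>' line (FRST-style form)
    and flag hidden characters in either part. Returns None if not parseable."""
    m = re.match(r"^\S+\s+(.*?);\s*(.*)$", line)
    if not m:
        return None
    name, path = m.group(1), m.group(2)
    stored, rendered = stored_and_rendered(name)
    controls, odd = format_controls(name), odd_path_components(path)
    return {"service_stored": stored, "service_rendered": rendered,
            "name_controls": controls, "odd_components": odd,
            "suspicious": bool(controls or odd)}

# Constructed sample lines (placeholder GUID), modelled on the FRST line
# quoted in the thread; the second line is a benign control for contrast.
SAMPLE_LINES = [
    "U2 \u202eetadpug; C:\\Program Files\\Google\\Desktop\\Install\\{placeholder-guid}"
    "\\ \\...\\\u202e\ufbf9\u0e5b\\{placeholder-guid}\\GoogleUpdate.exe",
    "R2 gupdate; C:\\Program Files (x86)\\Google\\Update\\GoogleUpdate.exe",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(scan(line))
```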



#3 Farbar


    Just Curious


  • Security Developer
  • 21,711 posts
  • Gender:Male
  • Location:The Netherlands

Posted 05 August 2013 - 04:36 AM

Hi,

FRST is updated to deal with it. It detects all the components fully and will fix them when included in the fixlist.



#4 Quads


  • Members
  • 86 posts
  • Gender:Male
  • Location:CHCH New Zealand

Posted 05 August 2013 - 05:14 PM

Thanks Farbar

RogueKiller is also updated to deal with it, although I had to run it twice on a Win7 test to deal with all the components.

Quads





