ZeroAccess Bag of Tricks
We’ve blogged a few times before about the tricks of the ZeroAccess malware family (aka ZAccess/Sirefef/Max++). For example, in July 2011 we blogged about ZeroAccess injecting a deadly payload into antivirus products, and in June 2012 we blogged about ZeroAccess hiding its malicious code in an NTFS Extended Attribute.
Recently, a new ZeroAccess variant has been spreading that employs a new trick to disable antivirus products: it places NTFS reparse points on the files of the antivirus product, so that every access to those files is redirected elsewhere.
In the following screenshots (taken with the Junction tool from Mark Russinovich, Sysinternals) you can see that ZeroAccess has placed a reparse point of type Symbolic Link on the files of Microsoft Security Essentials. These reparse points redirect access to the files to a different location, which disables Microsoft Security Essentials:
Using the ordinary dir command you can also see that the redirection to [c:\windows\system32\config] is in place:
In addition to setting reparse points, ZeroAccess also strips the permissions from the files, as can be seen in the following screenshot:
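The two symptoms described above (a reparse point placed on a product file, and a file whose permissions have been stripped) can be checked for from an elevated PowerShell prompt. The script below is an added example written for this post; it is not HitmanPro's code and not Microsoft's. It assumes the products are installed in their default folders under Program Files, and it assumes "stripped permissions" means an emptied DACL. It relies on icacls /L and fsutil reparsepoint, which act on the link itself rather than on the directory the link redirects to.

```powershell
# Added example, not HitmanPro's or Microsoft's code. Looks for the two symptoms
# the post describes under the Windows Defender / Security Essentials folders:
# a reparse point placed on a product file, and a file whose DACL has been
# emptied. Install paths are the products' defaults (an assumption). Run from
# an elevated prompt; icacls /L and fsutil reparsepoint act on the link itself,
# not on the directory it redirects to.

function Find-AvReparseTampering {
    param(
        [string[]]$Directory = @(
            (Join-Path $env:ProgramFiles 'Windows Defender'),
            (Join-Path $env:ProgramFiles 'Microsoft Security Client')
        )
    )

    foreach ($dir in ($Directory | Where-Object { Test-Path -LiteralPath $_ })) {
        # -Force so hidden/system entries are included; file symlinks show up as files here.
        Get-ChildItem -LiteralPath $dir -Recurse -Force -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $f = $_
            $isReparse = [bool]($f.Attributes -band [IO.FileAttributes]::ReparsePoint)

            # Link target: LinkTarget on PowerShell 7, Target on Windows PowerShell 5.1.
            $target = $null
            if ($isReparse) {
                $target = if ($f.PSObject.Properties['LinkTarget']) { $f.LinkTarget }
                          else { @($f.Target)[0] }
            }

            # DACL check via icacls /L so a link's own ACL is read, not its target's.
            # An ACE line looks like "  BUILTIN\Administrators:(I)(F)"; no ACE line at
            # all means the DACL was emptied (the assumed form of "stripped permissions").
            $aces = @(& icacls.exe $f.FullName /L 2>$null | Where-Object { $_ -match ':\(' })
            $aclEmpty = ($aces.Count -eq 0)

            if ($isReparse -or $aclEmpty) {
                [pscustomobject]@{
                    Path     = $f.FullName
                    LinkType = if ($isReparse) { $f.LinkType } else { $null }
                    Target   = $target
                    AclEmpty = $aclEmpty
                }
            }
        }
    }
}

function Repair-AvReparseTampering {
    param([Parameter(ValueFromPipeline = $true)] [pscustomobject]$Finding)
    process {
        $p = $Finding.Path
        # 1. Put the inherited default ACEs back on the link/file itself. This works
        #    while the caller (or Administrators) still owns the file; if it is denied,
        #    the owner was changed as well and ownership must be taken first.
        & icacls.exe $p /reset /L | Out-Null
        if ($Finding.LinkType) {
            # 2. Strip the reparse data. This leaves an empty placeholder file under the
            #    original name; it does NOT bring the product's binary back, so the
            #    product still has to be repaired or reinstalled afterwards.
            & fsutil.exe reparsepoint delete $p | Out-Null
        }
        $now = Get-Item -LiteralPath $p -Force
        [pscustomobject]@{
            Path         = $p
            StillReparse = [bool]($now.Attributes -band [IO.FileAttributes]::ReparsePoint)
        }
    }
}

# Report first; run the repair only after reviewing the list.
$findings = Find-AvReparseTampering
$findings | Format-Table -AutoSize
# $findings | Repair-AvReparseTampering
```

Removing the reparse point only takes away the redirection; the original product file is not restored by that step, which is why the repair should be followed by a repair or reinstall of the affected antivirus product.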
To the rescue
On May 23rd we released HitmanPro build 198, which removes the reparse points from the files of Windows Defender and Microsoft Security Essentials and restores the permissions on those files.
Here is a video showing the redirection of the files belonging to Windows Defender and Microsoft Security Essentials:
The repair of Windows Defender and Microsoft Security Essentials by HitmanPro is free.
Existing users of HitmanPro are automatically updated to the latest version while new users can download HitmanPro from here: get.hitmanpro.com.