Wednesday 10 July 2013

Zero Access [Terminate Services]

Source: 
http://www.kernelmode.info/forum/viewtopic.php?f=16&t=1713&sid=cd3cc5cbadd7a7c0f917c0929b8df486

Hashes: 
2EFE003B8969FA946F194333152F334C (Original Binary)
9645CD309A01211C8DB323EBFCC44C6B (Unpacked Binary)

VirusTotal: 
https://www.virustotal.com/en/file/8be9b39f78064d454e90b7fead8d51e8e4749e880f1e00b0fd843227b7677bd1/analysis/


Introduction:
Persistence mechanisms are any functionality that helps the malware keep operating in its environment. This includes terminating anti-virus and anti-malware products, or any other process or service that would hinder its operation.

Using DeleteService API to Terminate Services
The following subroutine is part of the function that deletes services (renamed here to Mod_Svcs_DeleteSvc). Before calling it, the malware opens the target service, places the resulting service handle in ESI, and then calls Mod_Svcs_DeleteSvc. Note that DeleteService only marks the service for deletion in the Service Control Manager database; the entry is actually removed once the service is stopped and every open handle to it has been closed, so the service key can linger in the registry until the next reboot.


The caller of Mod_Svcs_DeleteSvc iterates over a fixed, hard-coded list of service names, opening and deleting each one in turn.


Zero Access will attempt to delete the following services:

MsMpSvc - Microsoft Antimalware Service (Microsoft Security Essentials / Forefront Endpoint Protection)
Windefend - Windows Defender Service
SharedAccess - Internet Connection Sharing (ICS) Service (on Windows XP this service also hosts the Windows Firewall)
iphlpsvc - IP Helper Service
wscsvc - Windows Security Center Service
mpssvc - Windows Firewall Service (Windows Vista and later)
bfe - Base Filtering Engine Service (Windows Filtering Platform; required by the Windows Firewall and by third-party products such as ESET NOD32 Antivirus and ZoneAlarm 9.2.x)
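The following PowerShell check is an added example and is not code from the original post or from the malware analysis; it verifies on a live host whether the services listed above still exist and whether any of them has been marked for deletion. It relies on two facts about DeleteService: the service disappears from Get-Service once deletion completes, and while deletion is pending the Service Control Manager keeps the service key with a DeleteFlag value of 1 under HKLM\SYSTEM\CurrentControlSet\Services. The function name Test-ZeroAccessServiceTamper and the $ZeroAccessTargets variable are this example's own naming. A missing service is a lead, not proof: MsMpSvc only exists where Security Essentials or Forefront is installed, and mpssvc and bfe do not exist on Windows XP, so confirm against what the host is expected to run.

```powershell
# Added example (not from the original post): checks whether the services that
# ZeroAccess deletes are still present and whether any is marked for deletion.
# Run in an elevated PowerShell session on the host under investigation.

# Service names from the post (case-insensitive for the SCM and the registry).
$ZeroAccessTargets = @('MsMpSvc', 'WinDefend', 'SharedAccess', 'iphlpsvc', 'wscsvc', 'MpsSvc', 'BFE')

function Test-ZeroAccessServiceTamper {
    param(
        [string[]]$ServiceNames = $ZeroAccessTargets
    )

    foreach ($name in $ServiceNames) {
        # Get-Service returns nothing (and would error) for a fully deleted service.
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue

        # DeleteService() does not remove the key immediately: the SCM marks the
        # entry for deletion (DeleteFlag = 1) and drops it once the service is
        # stopped and all handles are closed, typically at the next reboot.
        $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
        $deleteFlag = $null
        if (Test-Path -Path $key) {
            $props = Get-ItemProperty -Path $key -Name 'DeleteFlag' -ErrorAction SilentlyContinue
            if ($props) { $deleteFlag = $props.DeleteFlag }
        }

        [pscustomobject]@{
            Service           = $name
            Present           = [bool]$svc
            Status            = if ($svc) { $svc.Status.ToString() } else { 'MISSING' }
            KeyPresent        = (Test-Path -Path $key)
            MarkedForDeletion = ($deleteFlag -eq 1)
            # Flag for follow-up: gone entirely, or gone at next reboot.
            Suspicious        = (-not $svc) -or ($deleteFlag -eq 1)
        }
    }
}

# Usage: list every target, then narrow to the ones that need a closer look.
$report = Test-ZeroAccessServiceTamper
$report | Format-Table -AutoSize
$report | Where-Object { $_.Suspicious } | ForEach-Object {
    Write-Warning ("Service '{0}' is {1} (key present: {2}, marked for deletion: {3})" -f
        $_.Service, $_.Status, $_.KeyPresent, $_.MarkedForDeletion)
}
```

A service that is reported as Present but MarkedForDeletion is the most useful signal: it means DeleteService was called during the current boot session and the registry key has not yet been removed, so the service's other values (ImagePath, DependOnService) can still be read before a reboot wipes them.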
