Home Malware Programs Rootkits ZeroAccess

ZeroAccess

Posted: August 23, 2011

Threat Metric

Threat Level: 8/10
Infected PCs: 480
First Seen: August 23, 2011
Last Seen: September 20, 2022
OS(es) Affected: Windows

ZeroAccess is a rootkit that uses advanced techniques to conceal itself and thwart your PC security software. Afterwards, ZeroAccess may also be used to open a backdoor on your system in the fashion of a backdoor Trojan. As is true of other rootkits that SpywareRemove.com malware researchers have analyzed, ZeroAccess has negligible symptoms of its activities, although you may be able to find ZeroAccess by watching for malfunctions in your anti-malware and security programs. ZeroAccess has been updated several times throughout its life and is sufficiently advanced and potentially damaging that only specialized and up-to-date anti-malware programs should be used to delete any ZeroAccess infection on your PC. Refraining from doing so will leave your computer open to attack by criminals and other forms of harmful software, and can cause lose of private information or destruction of files on your PC.

The Hidden ZeroAccess Threat to Your Computer

ZeroAccess is considered a highly-sophisticated kernel mode rootkit due to its use of multiple methods to obscure itself and attack programs that could find or remove ZeroAccess and similar rootkits. Although ZeroAccess isn't considered quite as advanced as a TDL3 Rootkit, it remains comparable to such rootkits (including Rootkit.Boot.Mybios.a, TDSS.e!rootkit, TDSS Rootkit and Rootkit.Win32.Agent.bhnc) in terms of potential damage to your PC.

Since SpywareRemove.com malware researchers have found that ZeroAccess, like many other rootkits, prefers to load itself without an independent process that can be seen and shut down, you may not be able to tell when ZeroAccess is active unless its related attacks give off visible signals, such as browser hijacks, system slowdown or visibly-altered network settings.

However, the attack that ZeroAccess is most well-known for is its ability to shut down any program that engages in behavior that ZeroAccess feels would be a threat to ZeroAccess. This includes most forms of standard system scans that are used by anti-malware and security programs. Since ZeroAccess has received multiple updates since its origin in July of 2011, keeping your anti-malware software equally up-to-date is important for removing ZeroAccess.

You may also be able to infer the existence of ZeroAccess by noting the presence of related PC infections, particularly dropper Trojans. These Trojans, such asTrojan-Downloader.Agent-BFJ, Trojan-Dropper.Win32.Delf.br, Trojan-dropper.win32.VB.agtq, Trojan-Dropper.Win32.HDrop.apo or Trojan-Downloader.Agent-FCX can install ZeroAccess and may also install spyware, ransomware Trojans, worms or other PC threats.

Why ZeroAccess is a Great Big Zero for Your Computer's Safety

Besides its notable security program-disabling traits, any particular ZeroAccess variant may also possess any or all of the following attributes:

  • In all instances that SpywareRemove.com malware experts have observed thus far, ZeroAccess chooses a system driver to infect for its base of operations. This allows ZeroAccess to launch without your consent and makes it extremely difficult to remove ZeroAccess, which can restore itself even when partially deleted. Improper removal of ZeroAccess is almost certain to cause harm to your operating system, which is why the use of a dedicated anti-malware program to delete ZeroAccess is strongly encouraged.
  • ZeroAccess may be used to steal private information. This can include account login data or passwords, Social Security numbers, credit card numbers or even all keyboard input, monitor output and webcam footage.
  • ZeroAccess may install other types of harmful programs onto your PC just as a standard dropper Trojan would do; these programs can include Remote Administration Tools, worms, viruses and many other forms of malicious software.
  • ZeroAccess may allow remote criminals to access and control your PC; the level of control that ZeroAccess potentially can allow to a criminal may be effectively unlimited.
  • Your system may also experience undesirable setting changes while ZeroAccess is on your PC. While open network ports and exceptions added to your firewall are the most likely changes, ZeroAccess may also cause any number of other alterations, such as concealing files, hijacking your browser or changing your desktop image.

Confirmed aliases for ZeroAccess include Dropper.Sirefef.B, Generic Dropper!dvy and Trojan-Dropper.Win32.Sireref.b.

Technical Details

File System Modifications

Tutorials: If you wish to learn how to remove malware components manually, you can read the tutorials on how to find malware, kill unwanted processes, remove malicious DLLs and delete other harmful files. Always be sure to back up your PC before making any changes.

The following files were created in the system:



%System%\Drivers\classpnp.sys File name: %System%\Drivers\classpnp.sys
File type: System file
Mime Type: unknown/sys
Group: Malware file
%System%\Drivers\win32k.sys File name: %System%\Drivers\win32k.sys
File type: System file
Mime Type: unknown/sys
Group: Malware file

Registry Modifications

The following newly produced Registry Values are:

HKEY..\..\{Value}HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[FILE NAME OF INFESTED DRIVER]\"Type" = "1"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[FILE NAME OF INFESTED DRIVER]\"Start" = "3"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[FILE NAME OF INFESTED DRIVER]\"ImagePath" = "\*"

Related Posts

One Comment

  • Mary says:

    saying system admin will not allow download. I am sys admin and can not find where i have this blocked.

Loading...