Thursday, March 15, 2012

Panda Security Creates ZeroAccess Cleaning Tool (Yorkyt.exe) - Removes Abnow Redirect

Panda Security has created an AntiZeroAccess tool that works very well compared to others I have tested in the past.

In fact, it practically removed every trace of ZeroAccess minus 2-3 dormant files. What really impressed me was that it was able to delete the heart of ZeroAccess, the $NtUninstallKBXXXXX$ folder.

I am posting my results from the scans and information I was able to gather.
I used a dropper from early March which fakes sys32 .DLLs using the Company Name: Iomega.

More details about this specific variant here in a previous post of mine.

After injection, I verify that I will be redirected to abnow after searching for anything in Google.

In this example, I wanted to try to get to the MajorGeeks website via Google.

I am being redirected to abnow.

Start looking for bad service and netsvcs data value using Autoruns.
Results in the screen to the right:

Excerpt from yorkyt.exe.log

2012-03-15 17:16:39: Bad Service: system32\csctl50.dll
2012-03-15 17:16:39: Found Service: Packet
2012-03-15 17:16:39: Display Name: AFGMp50
2012-03-15 17:16:39: Description: New service would allow parents to control their children's online activity.
2012-03-15 17:16:39: ServiceDLL: %systemroot%\system32\csctl50.dll
2012-03-15 17:16:39: MD5: B89CFBE8CB247B57D8C10ADAA66B462B (VT)
Start disinfection using yorkyt.exe

Yes, reboot

The tool does not actually delete the service. Instead, it "breaks" the service by changing the ServiceDll value of the service into a .DLL that does not exist.

This prevents the service from being able to run or start again.

For example, the tool changed the ServiceDll value of Packet to csctl50.dll.bad when it was previously csctl50.dll. See Below:

After the 2nd reboot

Finished! Now let's verify.

No longer getting redirected :-)



Files Detected: 3
C:\WINDOWS\system32\csctl50.dll (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Local Settings\temp\{E9C1E1AC-C9B2-4c85-94DE-9C1518918D02}.tlb (Rootkit.Zeroaccess) -> Quarantined and deleted successfully.
C:\Documents and Settings\NetworkService\Local Settings\temp\{E9C1E1AC-C9B2-4c85-94DE-9C1518918D02}.tlb (Rootkit.Zeroaccess) -> Quarantined and deleted successfully.

"C:\Documents and Settings\thisisu\Local Settings\Application Data\"
02E7ABF0      Mar 15 2012              "02e7abf0" -> Empty folder

SRV - File not found [Auto | Stopped] -- %systemroot%\system32\csctl50.dll.bad -- (Packet)
NetSvcs: Packet - %systemroot%\system32\csctl50.dll.bad File not found

Does not hurt to leave these broken entries, but I would recommend actually deleting both the non-functioning service and NetSvcs data value.
Misc notes:

The entire contents of the folder were removed by Panda Security's Yorkyt.exe. Impressive!

>>> Full Yorkyt.exe log here. <<<
>> Download Yorkyt.exe here. <<

1 comment:

  1. I have seen fix zero access from symantec removing the oak or iomega dll files(latest variant) on many computers.Latest TDSSkiller version has started detecting the service as Backdoor.Multi.ZAccess.gen.

    I have not tested this tool.Deleting hidden partitions is indeed looks impressive.Thanks for the update