Tuesday, March 06, 2012

ZeroAccess Authors Are Now Faking Company Name: Iomega

In a previous post I mentioned that ZeroAccess authors were faking the Company name: Oak Technologies Inc. Well, they have changed who they want to disguise their malicious .dll files to the company Iomega. Oak Technologies Inc. will still be used but be prepared to start looking out for files with the company name Iomega as well.

I decided to give HitmanPro a go on this one to see how effective it is versus this variant of ZeroAccess. Here are my results. Please note, I am not trying to insinuate anything here. I am a fan of the HitmanPro staff and am subscribed to their blog which I read daily. I am simply posting my results from this one encounter. That is all. Your results my vary.

HitmanPro did detect the .dll in system32 which is great. I was really interested to see if it would also be able to find and remove the service (WavxDMgr) and netsvcs data value (WavxDMgr) associated with symlcbrd.dll (VT).

Unfortunately that was not the case as I had to remove the broken NetSvcs entry and Service myself after the reboot.

Not all bad news though as HitmanPro was also able to find out that cdrom.sys was patched by ZeroAccess and a folder with some ZA related files.

I believe the authors of these tools have the skills needed to program practically anything they wish but are likely taking a cautious approach to this variant -- at least until more information is gathered about it. I am sure they realize that deleting drivers, services, and items from the registry is risky in general. This is relatively new variant and I am sure a lot of testing is involved before updated tools are released to the public.

Infections like these quite often lead to BSODs and other startup issues if not properly disinfected.

No comments:

Post a Comment