Zero-Access is one of the more prevalent and sophisticated pieces of malware observed in recent times. Similar to other malware in its class, it is able to infect both 32-bit and 64-bit Windows operating systems with kernel mode root-kit components.
Recently it has become apparent that Zero-Access evolved, some would call it ‘regressed’, from a kernel mode root-kit into a user mode patcher. Closer inspection reveals that this latest version infects Microsoft’s Service Control Manager (services.exe) on 64-bit systems. Strangely, the original host bytes don’t appear to be stored in the patched executable, making disinfection non-trivial. Given the importance of the OS application affected, it is advisable to replace the infected binary with an exact copy of the original file. Please note that restoration of the file is best left to the experts.
Distribution methods for Zero-Access include both social engineering tactics & drive-by-downloads. It pretends to be software updates using file names like [Removed]_update_for_Win.exe or pornographic material using file names like animal_[Removed].avi.exe, to lure its potential victims.
K7 security products not only prevents access to the malicious URLs involved in spreading this malware, but also pro-actively detects components of this malware in real time.
Lokesh Kumar/Samir Mody