
My PC may be infected with the Rootkit.Sirefef.Gen virus


Posted by austin (Site Admin)
Rootkit.Sirefef.Gen
(aliases: Sophos Troj/ZAccess-L, Troj/ZAccess-I, HPmal/ZAccess-A; Avira RKIT/ZeroAccess.A)

Propagation: medium
Size: varies
Detected: 2012 Nov 22

SYMPTOMS:

Unwanted pop-ups on the infected machine; background traffic to and from command-and-control servers operated by the attackers.

TECHNICAL DESCRIPTION:

ZeroAccess/Sirefef is a sophisticated kernel-mode rootkit that is installed when a ZeroAccess dropper is executed. First, the dropper checks whether it is running on a 32- or 64-bit machine by querying the ZwQueryInformationProcess API. If it runs on a system with UAC enabled, the malware manipulates the system so that a legitimate application appears to require elevation; this is achieved by loading a clean copy of the Flash Player installer that is dropped into a temporary directory. The Windows Firewall is turned off, and the malware attempts to disable a series of security sub-systems such as WinDefend (Windows Defender service), wscsvc (Windows Security Center service) and WinHttpAutoProxySvc (WinHTTP Web Proxy Auto-Discovery service). If the dropper runs on a 32-bit operating system, ZeroAccess installs a kernel-mode rootkit; if it runs on a 64-bit machine, it executes its code directly from memory.
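The description names three services and the Windows Firewall as the components the malware disables. The following PowerShell script is an added example (not part of this post or of the vendor write-up) that audits exactly those items on a host and flags the "stopped and disabled" pattern so an administrator can spot tampering. It assumes Windows 8 / Server 2012 or later for Get-NetFirewallProfile and falls back to parsing `netsh advfirewall` on older systems; the service list and the "Suspicious" rule are this example's own choices.

```powershell
# Added example: audit the Windows components the Sirefef description says are disabled.
# Assumes Windows 8 / Server 2012+ (NetSecurity module); falls back to netsh otherwise.

# Services named in the description, with a human-readable label.
$WatchedServices = @(
    @{ Name = 'WinDefend';           Description = 'Windows Defender service' },
    @{ Name = 'wscsvc';              Description = 'Windows Security Center service' },
    @{ Name = 'WinHttpAutoProxySvc'; Description = 'WinHTTP Web Proxy Auto-Discovery service' }
)

function Get-WatchedServiceState {
    foreach ($svc in $WatchedServices) {
        $s = Get-Service -Name $svc.Name -ErrorAction SilentlyContinue
        if ($null -eq $s) {
            # A missing service is itself suspicious: tampering may have deleted it outright.
            [pscustomobject]@{ Name = $svc.Name; Description = $svc.Description
                               Status = 'NOT FOUND'; StartType = 'n/a'; Suspicious = $true }
            continue
        }
        # Read the Start value from the registry so this works on any PowerShell version:
        # 2 = Automatic, 3 = Manual, 4 = Disabled.
        $regPath = "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)"
        $start   = (Get-ItemProperty -Path $regPath -Name Start -ErrorAction SilentlyContinue).Start
        $startType = switch ($start) { 2 { 'Automatic' } 3 { 'Manual' } 4 { 'Disabled' } default { "Unknown($start)" } }
        [pscustomobject]@{
            Name        = $svc.Name
            Description = $svc.Description
            Status      = $s.Status
            StartType   = $startType
            # Stopped AND disabled is the pattern the description attributes to the malware;
            # WinHttpAutoProxySvc is normally Manual, so "not running" alone is not flagged.
            Suspicious  = ($s.Status -ne 'Running' -and $start -eq 4)
        }
    }
}

function Get-FirewallProfileState {
    if (Get-Command Get-NetFirewallProfile -ErrorAction SilentlyContinue) {
        foreach ($p in Get-NetFirewallProfile) {
            $enabled = ($p.Enabled -eq 'True')
            [pscustomobject]@{ Profile = $p.Name; Enabled = $enabled; Suspicious = (-not $enabled) }
        }
    }
    else {
        # Fallback for older systems: parse "netsh advfirewall show allprofiles state".
        # The output repeats "<Name> Profile Settings:" followed by a "State ON|OFF" line.
        $profile = $null
        foreach ($line in (netsh advfirewall show allprofiles state)) {
            if ($line -match '^(\w+) Profile Settings:') { $profile = $Matches[1]; continue }
            if ($profile -and $line -match '^State\s+(ON|OFF)') {
                $enabled = ($Matches[1] -eq 'ON')
                [pscustomobject]@{ Profile = $profile; Enabled = $enabled; Suspicious = (-not $enabled) }
                $profile = $null
            }
        }
    }
}

$serviceReport  = @(Get-WatchedServiceState)
$firewallReport = @(Get-FirewallProfileState)

$serviceReport  | Format-Table -AutoSize
$firewallReport | Format-Table -AutoSize

if (($serviceReport + $firewallReport) | Where-Object { $_.Suspicious }) {
    Write-Warning 'Tamper indicators found (disabled security service or firewall profile); investigate before trusting this host.'
}
else {
    Write-Host 'Watched services and firewall profiles look intact.'
}
```

Run it from an elevated PowerShell prompt. Because Sirefef is a kernel-mode rootkit, any check run on the live system can be lied to; a clean result here is a quick sanity check, not proof of a clean machine, and a scan from offline or rescue media remains the reliable verification.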

Removal instructions:

Run the attached removal tool and let it disinfect the system. The system may reboot after the scan completes.

ANALYZED BY:
Bogdan BOTEZATU

To remove this virus and prevent re-infection of your computer, we recommend an easy-to-use professional anti-virus product.

