Virus:TR/ZAccess.AF
Date discovered:08/01/2013 (8 January 2013)
Type:Trojan
In the wild:Yes
Reported Infections:Low to medium
Distribution Potential:Low
Damage Potential:Medium
Static file:Yes
File size:160,768 Bytes
MD5 checksum:6A5802FA813FCEA0D9116F6397890F23
VDF version:7.11.56.60 - Tuesday, January 8, 2013
IVDF version:7.11.56.60 - Tuesday, January 8, 2013

 General Method of propagation:
   • No own spreading routine


Aliases:
   •  Kaspersky: Backdoor.Win32.ZAccess.ewhg
   •  Sophos: Troj/ZAccess-RO
   •  Microsoft: Trojan:Win32/Sirefef.P
   •  Eset: Win32/Sirefef.FY


Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003
   • Windows Vista
   • Windows Server 2008
   • Windows 7


Side effects:
   • Drops a malicious file
   • Registry modification

Files:
It copies itself to the following locations ("???" stands for a directory name made up of symbol, control or non-printing Unicode characters; the exact code points are listed in the registry values below, and the two single-space components in the second path are directories named with a blank):
   • %HOME%\Local Settings\Application Data\Google\Desktop\Install\{09e5e28f-d22a-1569-09bc-650365cbf0e1}\???\???\???\{09e5e28f-d22a-1569-09bc-650365cbf0e1}\GoogleUpdate.exe
   • %PROGRAM FILES%\Google\Desktop\Install\{09e5e28f-d22a-1569-09bc-650365cbf0e1}\ \ \???\{09e5e28f-d22a-1569-09bc-650365cbf0e1}\GoogleUpdate.exe



The following files are created:
   • %HOME%\Local Settings\Application Data\Google\Desktop\Install\{09e5e28f-d22a-1569-09bc-650365cbf0e1}\???\???\???\{09e5e28f-d22a-1569-09bc-650365cbf0e1}\@
   • %PROGRAM FILES%\Google\Desktop\Install\{09e5e28f-d22a-1569-09bc-650365cbf0e1}\ \ \???\{09e5e28f-d22a-1569-09bc-650365cbf0e1}\@
Each of these files is executed as soon as it has been fully written. Further investigation showed that these files are malware as well.

Registry:
The following registry key is added in order to run the process after reboot:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • "Google Update"="%HOME%\Local Settings\Application Data\Google\Desktop\Install\{09e5e28f-d22a-1569-09bc-650365cbf0e1}\\0x2764\0x2278\0x22D9\\0x2C22\0x2620\0x2368\\0x202E\0xFBF9\0x0E5B\{09e5e28f-d22a-1569-09bc-650365cbf0e1}\GoogleUpdate.exe >"



The following registry keys are added in order to load the service after reboot:

[HKLM\SYSTEM\ControlSet001\Services\
   • "ImagePath"="%PROGRAM FILES%\Google\Desktop\Install\{09e5e28f-d22a-1569-09bc-650365cbf0e1}\ \ \\0x202E\0xFBF9\0x0E5B\{09e5e28f-d22a-1569-09bc-650365cbf0e1}\GoogleUpdate.exe <"
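Both persistence entries above (the HKCU Run value and the service ImagePath) point at a GoogleUpdate.exe hidden behind directory names built from symbol characters, blanks and a RIGHT-TO-LEFT OVERRIDE (U+202E), and both end in a stray redirect character. The script below is an added example, not Avira's code: it takes autorun and service values as (location, value name, value data) strings, the form you get from a registry export or a forensic tool, and flags exactly those traits. The first two sample values are constructed from the paths on this page with %HOME% and %PROGRAM FILES% expanded and the "???" directories filled in from the code points in the registry values; the service name is not given on the page, so a placeholder is used. The two benign entries (a normal Google Update autorun and an accented user name) are constructed lookalikes that should pass.

```python
"""
Triage helper for the ZeroAccess/Sirefef persistence entries described above.
Added example, not Avira's code. Indicators checked:
  - RIGHT-TO-LEFT OVERRIDE (U+202E) anywhere in the value data
  - path components made only of whitespace, or containing format/control
    characters or non-ASCII symbols (ordinary accented/non-Latin letters pass)
  - the Google\Desktop\Install\{GUID} drop directory
  - a redirect character ('<' or '>') after the executable name
"""
import re
import unicodedata

RLO = "\u202e"  # RIGHT-TO-LEFT OVERRIDE; first char of the third hidden directory

# Drop directory from this page; any GUID in that position is treated the same.
ZACCESS_DIR = re.compile(
    r"google\\desktop\\install\\\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}",
    re.IGNORECASE)

# 'GoogleUpdate.exe >' / 'GoogleUpdate.exe <' as shown in the registry values
TRAILING_REDIRECT = re.compile(r'\.exe"?\s*[<>]\s*$', re.IGNORECASE)


def unprintable_components(path: str) -> list:
    """Return the path components that are whitespace-only or contain a
    format/control character (category Cf, which includes U+202E) or a
    non-ASCII symbol (categories So/Sm). Letters of any script are accepted."""
    bad = []
    for comp in path.split("\\"):
        if comp == "":
            continue                 # empty piece from a leading/doubled backslash
        if comp.strip() == "":
            bad.append(comp)         # directory named with blanks only
            continue
        for ch in comp:
            cat = unicodedata.category(ch)
            if cat == "Cf" or (ord(ch) > 0x7F and cat in ("So", "Sm")):
                bad.append(comp)
                break
    return bad


def triage_value(name: str, data: str) -> list:
    """Indicators found in one autorun/service value; an empty list means clean."""
    findings = []
    if RLO in data:
        findings.append("right-to-left override (U+202E) in path")
    odd = unprintable_components(data)
    if odd:
        findings.append("%d path component(s) made of symbols/whitespace" % len(odd))
    if ZACCESS_DIR.search(data):
        findings.append("executable lives under Google\\Desktop\\Install\\{GUID}")
    if TRAILING_REDIRECT.search(data):
        findings.append("redirect character after the executable name")
    return findings


def triage(entries) -> dict:
    """Map 'location\\value name' to its findings; clean entries are omitted."""
    result = {}
    for location, name, data in entries:
        hits = triage_value(name, data)
        if hits:
            result[location + "\\" + name] = hits
    return result


# ---- constructed sample values (see lead-in) -------------------------------
GUID = "{09e5e28f-d22a-1569-09bc-650365cbf0e1}"
# The three '???' directories of the HKCU path, from the code points in the Run value.
HIDDEN3 = "\u2764\u2278\u22d9\\\u2c22\u2620\u2368\\\u202e\ufbf9\u0e5b"

HKCU_RUN = (
    "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "Google Update",
    "C:\\Documents and Settings\\user\\Local Settings\\Application Data\\Google\\Desktop\\Install\\"
    + GUID + "\\" + HIDDEN3 + "\\" + GUID + "\\GoogleUpdate.exe >")
SERVICE_IMAGEPATH = (
    "HKLM\\SYSTEM\\ControlSet001\\Services\\<service name not on page>", "ImagePath",
    "C:\\Program Files\\Google\\Desktop\\Install\\" + GUID
    + "\\ \\ \\\u202e\ufbf9\u0e5b\\" + GUID + "\\GoogleUpdate.exe <")
BENIGN_RUN = (  # constructed lookalike of a normal Google Update autorun
    "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "Google Update",
    '"C:\\Program Files (x86)\\Google\\Update\\GoogleUpdate.exe" /c')
BENIGN_UNICODE = (  # constructed: non-ASCII letters alone must not trigger
    "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "Notes",
    "C:\\Users\\José\\AppData\\Local\\Notes\\notes.exe")
SAMPLES = [HKCU_RUN, SERVICE_IMAGEPATH, BENIGN_RUN, BENIGN_UNICODE]

if __name__ == "__main__":
    for where, hits in triage(SAMPLES).items():
        print(where)
        for h in hits:
            print("   -", h)
```

The component check deliberately keys on Unicode categories rather than "non-ASCII": a user directory such as José is ordinary letters and passes, while a directory named with a heart, a skull or a bidi override does not. On a live host, feed the function the output of a registry export of the Run keys and of every service's ImagePath rather than the constructed samples.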

Description inserted by Eric Burk on Sunday, December 1, 2013
Description updated by Eric Burk on Sunday, December 1, 2013
