Saturday, March 31, 2012

ZeroAccess x64 consrv.dll


The consrv.dll infection has picked up a partner recently. There is now a service that is paired with both the 32 and 64-bit versions of ZeroAccess. On 64-bit we could already spot the infection simply by searching for the dll via the Start menu; now we can verify it with TDSSKiller as well.


As always, this is the time to create a system restore point. It is not advisable to continue forward without creating a restore point.

Open up the registry editor and navigate to: HKEY_LOCAL_MACHINE\SYSTEM\Select. We want to look at the value "Default" (do not confuse this with the one at the top, "(Default)"). This value tells us which control set will be loaded the next time Windows boots. The "Current" value tells us which control set is loaded right now. In my case, ControlSet002 is currently loaded (this will differ from PC to PC). The rootkit watches the current control set to ensure that no changes are made to it. That makes ControlSet002 impossible to modify, so I need to modify one of the others. For example, if ControlSet002 is loaded, I need to modify either ControlSet001 or ControlSet003; if ControlSet001 is loaded, I need to modify either ControlSet002 or ControlSet003, and so on.

We will now navigate to:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Session Manager\SubSystems


The value that we are interested in here is the "Windows" value. It may or may not be modified. Here is what the data will look like with an active infection:

%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=consrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16


The value's data should look like this when it is clean:


%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16

We are particularly interested in the ServerDll part of this data. You may notice that the order of the ServerDll entries (ignoring the other data) is: basesrv, winsrv, consrv, sxssrv. We want to change it back to the default configuration, which is: basesrv, winsrv, winsrv, sxssrv. Once you have changed the data, click OK and then press F5 to refresh your view of the registry. Open the value back up to make sure it was not changed back by the rootkit. If it was, you will have to try another control set such as ControlSet001. If your changes stuck, we can refer to this control set as "fixed". Now go back to the key HKEY_LOCAL_MACHINE\SYSTEM\Select and change the "Default" value's data to match the "fixed" control set; mine is ControlSet003, so my "Default" value's data will be changed to "3".

I recommend that you familiarize yourself with the NT startup process to get a better understanding of what we are doing here and why. A good source of reading to better understand how this all works can be found here at Wikipedia, in the "Loading Windows NT Kernel" section of this article:

We can now delete C:\Windows\system32\consrv.dll. The next step is to handle the service. Open Notepad and take another look at the TDSSKiller window. Copy the name of the service into Notepad, then copy it from there to your clipboard. Open the registry editor and make sure that 'Computer' is selected in the left pane. Go to Edit > Find, paste the service name you just copied into the find box, click 'Find Next', and you should arrive at

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost


We are looking for the service listed in the 'netsvcs' value. Find the line that contains the service and delete that line only. Then press F3 to continue the search. You should get either one or two more results. When the search lands on the service's own registry key, delete the entire key. Keep pressing F3 until you see the message "Finished searching through the registry." Close the registry editor and reboot. Run a full scan with Malwarebytes Anti-Malware to remove any remaining files.
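As an added example (not part of the original post), here is a read-only PowerShell audit of the control-set and SubSystems steps above: it reports which control set is loaded now and which loads next, parses the ServerDll order of each control set's "Windows" value, flags any set whose console server points at consrv, and prints what the corrected data would be for a set that is not currently loaded. It assumes the registry layout described in the post and an elevated prompt; it changes nothing.

```powershell
# Added example, not from the original post: read-only audit of the steps above.
# Run from an elevated PowerShell prompt on the affected machine; nothing is modified.
$select  = Get-ItemProperty -Path 'HKLM:\SYSTEM\Select'
$current = [int]$select.Current      # control set loaded right now (the one the rootkit guards)
$default = [int]$select.Default      # control set Windows will load at next boot
'Current: ControlSet{0:D3}   Default at next boot: ControlSet{1:D3}' -f $current, $default

# Console-server entries exactly as the post shows them, clean and infected
$cleanConsole    = 'ServerDll=winsrv:ConServerDllInitialization,2'
$infectedConsole = 'ServerDll=consrv:ConServerDllInitialization,2'

# The dropped file the post says to delete once a control set is fixed
$dll = Join-Path $env:SystemRoot 'System32\consrv.dll'
'consrv.dll present: {0}' -f (Test-Path $dll)

Get-ChildItem -Path 'HKLM:\SYSTEM' |
  Where-Object { $_.PSChildName -match '^ControlSet\d{3}$' } |
  ForEach-Object {
    $setName = $_.PSChildName
    $setNum  = [int]$setName.Substring(10)          # "ControlSet" is 10 characters
    $subsys  = "HKLM:\SYSTEM\$setName\Control\Session Manager\SubSystems"
    $key     = Get-Item -Path $subsys -ErrorAction SilentlyContinue
    if (-not $key) { "$setName : no SubSystems key"; return }

    # Read the REG_EXPAND_SZ unexpanded so %SystemRoot% appears exactly as regedit shows it
    $windows = $key.GetValue('Windows', $null, 'DoNotExpandEnvironmentNames')
    if (-not $windows) { "$setName : no Windows value"; return }

    # Keep only the ServerDll=... tokens, in order, reduced to their module names
    $order = ($windows -split '\s+') |
      Where-Object { $_ -like 'ServerDll=*' } |
      ForEach-Object { ($_ -replace '^ServerDll=', '') -replace '[:,].*$', '' }

    $state = if ($order -contains 'consrv') { 'INFECTED' } else { 'clean' }
    $note  = if ($setNum -eq $current) { ' (currently loaded; edit a different set)' } else { '' }
    '{0}: {1}  ServerDll order: {2}{3}' -f $setName, $state, ($order -join ', '), $note

    # For an infected set that is not loaded, show the data the manual edit should produce
    if ($state -eq 'INFECTED' -and $setNum -ne $current) {
      '  Corrected data for {0}:' -f $setName
      '  ' + ($windows -replace [regex]::Escape($infectedConsole), $cleanConsole)
    }
  }
```

If the printed ServerDll order for every set reads basesrv, winsrv, winsrv, sxssrv and consrv.dll is absent, the registry side of this infection is not present.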

A link to the html format of this video can be found here

Unzip the folder and launch the html file that is contained inside.

2 comments:

  1. Some time ago (around last year) I had the same nasty infection with the 'consrv.dll' ZeroAccess rootkit and I managed to successfully immunize my computer. But there is one exception still not fixed today. This trojan somehow broke my .NET Framework v4 (only this version) and now I cannot use software that depends on it. They show 'CLR error 80004005', then exit, and all my efforts to fix this have failed. Because I have a laptop with an OEM installation of Windows 7, I cannot do a "repair install" to repair the OS, only a "clean install", which is "out of the question" for me! Is there any way you can help me fix this?

    Best regards, mYse|f.

  2. This comment has been removed by the author.
