There are a number of posts indicating issues cleaning FakeAV and ZeroAccess infections. Please understand these are not cause all by the same file, but rather variants of a particular family of malware.
From some of the Artemis detections mentioned thus far, it's clear that we have some very new strains of FakeAV.
It's important that we remove the FakeAV, DNSChanger infections, before we attempt to remove ZeroAccess.
We've seen FakeAV bring in a number of other pieces of malware, including the most technically advanced rootkit known at this time, ZeroAccess (MAX++). Cleaning this is no trivial process, and as you all have outlined, our cleaner for ZeroAccess is limited to 32bit for now, but will be updated ASAP. However, we do not have to wait for this.
There are several steps we have to progress through, to get your systems cleaned up. It's not easy, and it will take time, but for those that persevere, it will avoid a re-image of your system.
Informative tidbits:
- The detection Artemis!56C9EF26F88B is now called "DNSChanger!fa", in DAT 6489. There are a few hash specific VILs, like this one in the Threat Intelligence site.
- The detection Artemis!8E57E8B69F2, seems to be a character short, so I'm not able to pull any info about it.
- Information about ZeroAccess, can be found HERE. The instructions should work for 32bit as well as 64bit.
- Seeing these Artemis detections, tells us that these are VERY new variants of known malware families. This means there could very well be completely undetected variants as well. As hard as we work to collect samples, no AV vendor, including McAfee, is able to detect 100%. With that said, we need your help submitting undetected malware, so we can prevent reinfections not only for you, but other users as well.
For the below steps, it's helpful to have a USB drive, with these tools on it:
- GMER, available HERE
- GetSusp, available HERE
- Latest BETA dats, available HERE
- Latest build of Stinger, available HERE for FakeAV version, and HERE for normal weekly version.
- Copy of Sigcheck, available HERE.
- A clean installer of your currently installed McAfee product.
Also, it's a good idea to have a copy of CleanBoot burned to CD, in case our efforts in SafeMode are not successful. Available HERE.
First, we must remove any companion malware, to allow the RootkitRemover to work. (malware that could be dropping the ZeroAccess rootkit, and also terminating scanning tools)
Booting to a CD is the best way, to ensure that malware is not loaded into memory, and making detection most challenging. However, let's see if we can tackle it strictly from SafeMode, as it's far more user friendly.
1. Reboot into SafeMode.
2. Run "MSCONFIG" (click Start>Run) On the General tab, select the third option "Selective Startup", then uncheck the box "Load Startup Items"
3. Reboot into normal mode.
4. Run RootkitRemover, and ensure it detects and cleans.
a. If you are on a 64bit system, skip down "64bit O.S.".
5. If it detects ZeroAccess, then reboot and run a full scan of the system first using the Stinger(s), and then your local McAfee product. Often, the permissions on the McAfee folder is modified by the malware, and requires manually correcting it:
- Right-click the parent folder of the affected files and choose Properties.
- In the window that opens, chose the Security Tab.
- Click in Advanced.
- There will be two checkboxes below the list of permissions. If the checkbox for Inherit Parents Permissions is checked, uncheck it.
- Check the Inherit box again to inherit permissions from the parent folder.
- Check the box to copy permissions to children objects. This will replace the permissions that were removed by the malware.
6. You should now repair/reinstall your AV product, update your dats, and run a full system scan.
7. If further detections are made, you should now be able to revert the steps we make in #2, by doing the following:
- Run "MSCONFIG" (click Start>Run) On the General tab, select the third option "Selective Startup", then check the box "Load Startup Items"
- Reboot.
8. If no further detections are found, but you still have malicious behavior, then there could still be malware on the system, and it will require additional work to identify. Using Getsusp is a good first step in identifying undetected malware. Using the Virus Removal Service, might be a reasonable next step, but feel free to post back here first.
64bit O.S.: - For 64bit systems, we need to manually repair the infected .sys file. (Steps taken from the VIL available for ZeroAccess.a)
Manual Remediation steps:
The malicious code is loaded by the patched system driver. In order to clean the system manually, it is necessary to identify the malicious .SYS file and replace it with a good copy from installation media.
In order to identify which system driver was replaced, the user is going to need the following tool:
GMER: http://www.gmer.net/
1.First of all, the machine must be disconnected from the internet to avoid reinfection in case any other malware is downloading and installing ZeroAccess or other pieces of malware.
2.Execute GMER, and uncheck these four options "Modules, Processes, Threads, Files"
http://vil.nai.com/images/562354_1.png
3.Then right click in the main window, and select "Options", then enable "IRP Hooks"
4.Start the rootkit scan and wait for it to finish.
5.If the system is infected, GMER will show the name of the patched .SYS file as shown in the YELLOW circle above. Take note of this name.
6.Look at the following folder and search for a file with same name as noted above: %SYSTEMROOT%\ServicePackFiles\i386
7.If there is a copy of the file in the folder above, copy it to the root of drive C:. It will be needed later.
8.If the file is not present in the folder above, it will be necessary to copy the file from an installation media, or another machine with the same Windows version and language.
9.Boot the infected machine with a clean boot media like McAfee CleanBoot, BartPE or Hiren's Boot CD.
10.From the clean boot, copy the file stored in the root folder that was copied above, to the location of the patched system driver.
ex: copy c:\mrxsmb.sys c:\windows\system32\drivers\mrxsmb.sys
11.Reboot the system in safe mode and log in as the Administrator user.
12.Execute the CSSCAN command line tool using the Beta DATs to remove any Trojan or infected file from the system:
a. VSE 8.7: "C:\Program Files\McAfee\VirusScan Enterprise\csscan.exe" -All -Unzip -Program -Analyze -Sub -Clean -Log c:\scan-rpt.txt C:\
b. VSE 8.8: C:\Program Files\Common Files\McAfee\SystemCore\csscan.exe -All -Unzip -Program -Analyze -Sub -Clean -Log c:\scan-rpt.txt C:\
c. Other McAfee product users: Please use the following standalone tool Stinger
In order to use the Stinger tool, please make sure the targets "Processes" and "Registry" are disabled and the interface "List of all files scanned" is enabled in the stinger before scanning the infected machine.
http://vil.nai.com/images/562354_4.png
13.Reboot the system normally.
14.Run GMER again to confirm that no malicious threads of patched files exist anymore.
I'll evolve this post with your constructive feedback, and work to make it as effective as possible. As with many malware infections, they can be unpredictable, and in some cases require the direct intervention of a malware expert. In such cases, we recommend you reach out to support to ensure your system is cleaned properly.
David Meier
Lead Field Engineer - McAfee Labs
