Trojan horse – Zeroaccess

Posted: October 10, 2012 in Encyclopedia viruses

Type: Trojan
Distribution Level: Low
Systems Affected: Windows Me/95/98/2000/NT/XP/Server 2003/Vista/7/Server 2008

Trojan.Zeroaccess is a Trojan horse that uses an advanced rootkit to hide itself. The Trojan is called ZeroAccess because of a string found in the kernel driver code that points to the original project folder, called ZeroAccess. It is also known as max++ because it creates a new kernel device object called __max++>. It can also create a hidden file system, download more malware, and open a back door on the compromised computer.

Functionality. The primary motivation of this threat is to make money through pay-per-click advertising. It does this by downloading an application that conducts Web searches and clicks on the results. This is known as click fraud, which is a very lucrative business for malware creators.
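The search-and-click behaviour described above leaves a traffic pattern that a defender can look for in web proxy logs: many search-engine queries from one client in a short window, each followed almost immediately by a request whose referrer is a search results page. The script below is an added example and not code from the original post or from any vendor writeup; the log format, the list of search-engine hosts, the thresholds and the sample log lines are all constructed for the example.

```python
"""Flag proxy clients whose traffic looks like automated search-and-click
activity, the click-fraud behaviour attributed to Trojan.Zeroaccess.

Everything below (log layout, SEARCH_HOSTS, thresholds, SAMPLE_LOG) is a
constructed assumption for this example; a real deployment would read its
own proxy log format and tune the thresholds to its user population.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlparse

# Hosts treated as search engines (assumption for the example).
SEARCH_HOSTS = {"www.google.com", "www.bing.com", "search.yahoo.com"}

# Constructed proxy log: "<ISO timestamp> <client> <requested URL> <referrer or ->".
# 10.0.0.5 fires a search and a result click every second; 10.0.0.9 browses normally.
SAMPLE_LOG = """\
2012-10-10T09:00:01 10.0.0.5 http://www.google.com/search?q=cheap+insurance -
2012-10-10T09:00:02 10.0.0.5 http://ads1.example/landing http://www.google.com/search?q=cheap+insurance
2012-10-10T09:00:03 10.0.0.5 http://www.bing.com/search?q=car+loans -
2012-10-10T09:00:04 10.0.0.5 http://ads2.example/offer http://www.bing.com/search?q=car+loans
2012-10-10T09:00:05 10.0.0.5 http://www.google.com/search?q=mortgage+rates -
2012-10-10T09:00:06 10.0.0.5 http://ads3.example/rates http://www.google.com/search?q=mortgage+rates
2012-10-10T09:00:07 10.0.0.5 http://search.yahoo.com/search?q=credit+cards -
2012-10-10T09:00:08 10.0.0.5 http://ads4.example/cards http://search.yahoo.com/search?q=credit+cards
2012-10-10T09:00:09 10.0.0.5 http://www.google.com/search?q=debt+relief -
2012-10-10T09:00:10 10.0.0.5 http://ads5.example/relief http://www.google.com/search?q=debt+relief
2012-10-10T09:00:11 10.0.0.5 http://www.bing.com/search?q=payday+loans -
2012-10-10T09:00:12 10.0.0.5 http://ads6.example/payday http://www.bing.com/search?q=payday+loans
2012-10-10T09:05:00 10.0.0.9 http://www.google.com/search?q=weather+forecast -
2012-10-10T09:05:40 10.0.0.9 http://weather.example/today http://www.google.com/search?q=weather+forecast
2012-10-10T09:12:00 10.0.0.9 http://www.google.com/search?q=python+docs -
"""


def is_search_url(url):
    """True if the URL is a query against one of SEARCH_HOSTS ("-" means no referrer)."""
    if url == "-":
        return False
    parts = urlparse(url)
    return parts.hostname in SEARCH_HOSTS and "q" in parse_qs(parts.query)


def parse_log(text):
    """Turn the constructed log text into (timestamp, client, url, referrer) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, url, referrer = line.split()
        events.append((datetime.fromisoformat(ts), client, url, referrer))
    return events


def flag_clients(events, window=timedelta(seconds=60), min_searches=5, min_clicks=5):
    """Return {client: (searches, clicks)} for clients that, within any single
    window, issued at least min_searches queries and at least min_clicks
    requests referred by a search results page."""
    per_client = defaultdict(list)
    for ts, client, url, referrer in events:
        if is_search_url(url):
            per_client[client].append((ts, "search"))
        elif is_search_url(referrer):
            per_client[client].append((ts, "click"))

    flagged = {}
    for client, evs in per_client.items():
        evs.sort()
        best = (0, 0)
        # Slide a window starting at each event and count what falls inside it.
        for i, (start, _) in enumerate(evs):
            searches = clicks = 0
            for ts, kind in evs[i:]:
                if ts - start > window:
                    break
                if kind == "search":
                    searches += 1
                else:
                    clicks += 1
            if searches >= min_searches and clicks >= min_clicks and (searches, clicks) > best:
                best = (searches, clicks)
        if best != (0, 0):
            flagged[client] = best
    return flagged


if __name__ == "__main__":
    for client, (searches, clicks) in flag_clients(parse_log(SAMPLE_LOG)).items():
        print(f"{client}: {searches} searches, {clicks} result clicks inside one window")
```

With the constructed log, only 10.0.0.5 is reported (6 searches and 6 result clicks inside an 11-second span); 10.0.0.9's two queries and one click over seven minutes stay below both thresholds. The thresholds are deliberately simple; in practice they would be set against a baseline of normal search volume so that heavy but human browsing is not flagged.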

Infection. This threat is distributed through several means. Some websites have been compromised, redirecting traffic to malicious websites that host Trojan.Zeroaccess and distribute it using the Blackhole Exploit Toolkit and the Bleeding Life Toolkit.

The threat is also capable of downloading other threats onto the compromised computer, some of which may be Misleading Applications that display bogus information about threats found on the computer and scare the user into purchasing fake antivirus software to remove the bogus threats.

Furthermore, it opens a back door and connects to a command and control (C&C) server, which allows the remote attacker access to the compromised computer. The computer may then become part of a wider botnet.
