This is not a complaint, but as General George S. Patton said, "A good battle plan that you act on today can be better than a perfect one tomorrow". If we can find a solution now, it will help prevent a catastrophe.
We have had major incidents of Trojan.Zeroaccess, and Symantec was not able to remediate the problem. The product is working as per design, and that is where we have the problem.
File Name: SERVICES.EXE.0.AVB
Sample Name: services.exe
SHA256: 9bb8671774e6ce60cc5b9e3c166bd1ee577a3f1cbb5b4957de595a53d5b461d0
Sample Submitted to Virustotal: Detection ratio of 29:42
https://www.virustotal.com/file/9bb8671774e6ce60cc5b9e3c166bd1ee577a3f1cbb5b4957de595a53d5b461d0/analysis/
Sample Submitted to Symantec Submission: Tracking No: 26187611
Sample Name: SERVICES.EXE.0.AVB
MD5: 50BEA589F7D7958BDD2528A8F69D05CC
Signature Protection Name: Trojan.Patchep!sys
VirusTotal says Symantec detects it as Trojan.Zeroaccess!inf4, whereas the submission response names it Trojan.Patchep!sys.
Popular Detection:
Kaspersky : Virus.Win64.ZAccess.a
McAfee : Generic.dx!bfnd
Microsoft : Virus:Win64/Sirefef.A
Symantec : Trojan.Zeroaccess!inf4
TrendMicro : PTCH64_SIREFEF.A
Microsoft:
Detects it as Sirefef, a multi-component family of malware that uses stealth to hide its presence on an affected computer. It uses a disk-level hook to hide its own presence.
It attempts to modify driver files and creates a special folder configured as a reparse point (a collection of user-defined data) in which to store additional malware components, as well as the original clean copy of the replaced driver.
http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Win32/Sirefef
TrendMicro:
Detects it as Sirefef, a new variant of a malware family that now uses a user-mode technique to stealthily load its malicious code instead of regular rootkit techniques. The infection vector is normally a legitimately named patch or codec.
It injects itself into the operating system using DLL search order abuse.
http://blog.trendmicro.com/trendlabs-security-intelligence/zaccesssirefef-arrives-with-new-infection-technique
Symantec:
Detects the file as infected with Trojan.Zeroaccess.C, a Trojan horse that may download more malware and steal confidential information from the compromised computer. It drops files in the user profile and infects SERVICES.EXE.
Trojan.Zeroaccess!inf4
http://www.symantec.com/security_response/writeup.jsp?docid=2012-080901-4610-99
Trojan.Zeroaccess.C
http://www.symantec.com/security_response/writeup.jsp?docid=2012-080900-3758-99
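As an added triage example (not code from the original post, nor from Symantec, Microsoft or Trend Micro), the following PowerShell script checks the points the vendor write-ups above describe: the Authenticode signature and hashes of services.exe against the two hashes quoted in this post, driver files whose signature no longer validates, and reparse-point folders under the Windows directory. It assumes an elevated PowerShell 4.0 or later session on the suspect host; the list of files checked is this example's choice.

```powershell
# Added triage script; the two hashes are the ones quoted in the post above.
$KnownBadSha256 = '9bb8671774e6ce60cc5b9e3c166bd1ee577a3f1cbb5b4957de595a53d5b461d0'
$KnownBadMd5    = '50BEA589F7D7958BDD2528A8F69D05CC'

# Core binaries the write-ups name as infection targets (example's own list).
$CoreFiles = @("$env:SystemRoot\System32\services.exe")

foreach ($path in $CoreFiles) {
    if (-not (Test-Path -Path $path)) { continue }
    $sha256 = (Get-FileHash -Path $path -Algorithm SHA256).Hash
    $md5    = (Get-FileHash -Path $path -Algorithm MD5).Hash
    $sig    = Get-AuthenticodeSignature -FilePath $path
    [pscustomobject]@{
        File         = $path
        SigStatus    = $sig.Status                 # 'Valid' expected for a clean Microsoft binary
        Signer       = $sig.SignerCertificate.Subject
        KnownBadHash = ($sha256 -eq $KnownBadSha256) -or ($md5 -eq $KnownBadMd5)
    }
}

# Drivers whose embedded signature no longer validates. On older systems
# catalog-signed drivers can report NotSigned, so treat hits as leads to
# verify (e.g. against a known-good host), not as verdicts.
Get-ChildItem -Path "$env:SystemRoot\System32\drivers" -Filter *.sys -File -ErrorAction SilentlyContinue |
    ForEach-Object { Get-AuthenticodeSignature -FilePath $_.FullName } |
    Where-Object { $_.Status -ne 'Valid' } |
    Select-Object Path, Status

# Sirefef stores its components in a folder configured as a reparse point.
# List reparse points under the Windows directory for manual review.
Get-ChildItem -Path $env:SystemRoot -Recurse -Force -Attributes ReparsePoint -ErrorAction SilentlyContinue |
    Select-Object FullName, Attributes, LastWriteTime
```

Because the rootkit hooks the disk to hide itself, a clean result from the live system is not conclusive; repeating the hash and signature checks from offline media (or an image of the disk) is the reliable comparison.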
Concluding the analysis, it is now evident that it is better to re-image / reinstall the OS on the infected computer, as the core drivers are infected.
The question is: when this much information is available globally, why were we not protected until it reached the critical level of re-imaging? Services.exe, or any of the core files that were infected and detected as Trojan.Zeroaccess!inf4, would not have been infected if Trojan.Zeroaccess.C had been detected and remediated at the beginning.
We started to have detections of Trojan.Zeroaccess.B.
A Trojan horse that uses an advanced rootkit to hide itself. It can also create a hidden file system, download more malware, and open a back door on the compromised computer.
Once infected, it will attempt to inject itself into the browser.
Trojan.Zeroaccess.B
http://www.symantec.com/security_response/writeup.jsp?docid=2011-122300-3915-99
When some of the major AV systems point out that this is a rootkit trait, which Symantec also accepts, why does Symantec detect this infection as Spyware, which does not even have a clean option?
I feel that unless this threat / variant / strain is detected as a Virus or something in the Macro / Non-Macro category (which has a clean option), this strain will be on the loose.
"All perceptions are flawed 'cos the man who perceives it is flawed". Kindly feel free to add if I have missed out anything.