Trojan.Zeroaccess.B may arrive on the compromised computer by exploiting a vulnerability.
When the Trojan executes on 32-bit computers, it overwrites a driver file that is located alphabetically between %System%\Drivers\classpnp.sys and %System%\Drivers\win32k.sys with the Trojan's own code.
On 64-bit computers, it creates the following folders if they do not exist:
It also creates the following file:
It also drops and loads the following file:
Next, it modifies the following registry entry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems\"Windows" = "consrv:ConServerDllInitialization"
It then creates an event with the following name:
It also stops a service named 'MpsSvc'.
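The registry change above is the detectable footprint of this step: the legitimate "Windows" value under Session Manager\SubSystems names the console server entry point in winsrv, and the Trojan rewrites that ServerDll entry so it resolves to consrv instead. The following parser is an added example, not Symantec's code and not part of the original write-up; it pulls every ServerDll=module:entrypoint,index token out of the value and flags any module outside the expected set. The two sample strings are constructed for illustration (the clean one assumes the Windows 7 layout of that value), and read_live_value() is an assumed helper that only works on a Windows host.

```python
"""Detect tampering of the Session Manager SubSystems "Windows" value.

Added example, not Symantec's code. Trojan.Zeroaccess.B rewrites the
"Windows" value so that the ConServerDllInitialization entry is served
from consrv rather than the legitimate winsrv module.
"""
import re

# Modules a clean Windows installation references from this value.
EXPECTED_SERVER_DLLS = {"basesrv", "winsrv"}

# Matches ServerDll=module[:entrypoint][,index] tokens inside the value.
SERVERDLL_RE = re.compile(r"ServerDll=([^:,\s]+)(?::([^,\s]+))?(?:,(\d+))?")


def parse_server_dlls(value):
    """Return a list of (module, entrypoint) pairs found in the value."""
    return [(m.group(1).lower(), m.group(2) or "")
            for m in SERVERDLL_RE.finditer(value)]


def find_suspicious_server_dlls(value):
    """Return the (module, entrypoint) pairs whose module is not expected."""
    return [(mod, ep) for mod, ep in parse_server_dlls(value)
            if mod not in EXPECTED_SERVER_DLLS]


def read_live_value():
    """Read the real value on a Windows host (assumed helper; winreg is Windows-only)."""
    import winreg
    key = winreg.OpenKey(
        winreg.HKEY_LOCAL_MACHINE,
        r"SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems")
    value, _ = winreg.QueryValueEx(key, "Windows")
    return value


# Constructed sample values (assumption: Windows 7 layout of this value).
CLEAN_VALUE = (
    "%SystemRoot%\\system32\\csrss.exe ObjectDirectory=\\Windows "
    "SharedSection=1024,20480,768 Windows=On SubSystemType=Windows "
    "ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 "
    "ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off "
    "MaxRequestThreads=16")
# Constructed tampered value: the console server entry now points at consrv.
TAMPERED_VALUE = CLEAN_VALUE.replace(
    "winsrv:ConServerDllInitialization", "consrv:ConServerDllInitialization")

if __name__ == "__main__":
    for label, value in (("clean", CLEAN_VALUE), ("tampered", TAMPERED_VALUE)):
        hits = find_suspicious_server_dlls(value)
        print(f"{label}: {'OK' if not hits else 'SUSPICIOUS ' + str(hits)}")
```

On a live host, feed the output of read_live_value() to find_suspicious_server_dlls(); any module other than basesrv or winsrv in that value warrants investigation, and the same parser can be run over registry hives exported from other machines.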
Next, the Trojan downloads the following files through a peer-to-peer network:
The file %Windir%\assembly\tmp\U\80000000.@ sends an HTTP request in a format similar to the following:
The file %Windir%\assembly\tmp\U\800000cb.@ checks whether it is running in the csrss.exe process. If it is, it injects itself into the services.exe process. If it is not, it decompresses a file and injects itself into the svchost.exe process.
The file %Windir%\assembly\tmp\U\800000cf.@ checks whether it is running in the csrss.exe process. If it is, it injects itself into the winlogon.exe process. If it is not, it calls SetWinEventHook to inject itself into the following processes:
It then opens a back door by connecting to the following location:
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":