

Risk Level 2: Low

July 13, 2011
November 29, 2013 11:16:11 AM
Infection Length:
Systems Affected:
CVE References:
CVE-2006-0003, CVE-2008-2992, CVE-2009-0927, CVE-2009-1671, CVE-2009-1672, CVE-2009-4324, CVE-2010-1885
Trojan.Zeroaccess is a Trojan horse that uses an advanced rootkit to hide itself. It can also create a hidden file system, download more malware, and open a back door on the compromised computer.

The Trojan is called ZeroAccess because of a string found in the kernel driver code that points to the original project folder, called ZeroAccess. It is also known as max++ because it creates a new kernel device object called __max++>.

This threat is distributed through several means. Some websites have been compromised, redirecting traffic to malicious websites that host Trojan.Zeroaccess and distribute it using the Blackhole Exploit Toolkit and the Bleeding Life Toolkit. This is the classic "drive-by download" scenario. It also updates itself through peer-to-peer networks, which makes it possible for the authors to improve it as well as potentially add new functionality.

The primary motivation of this threat is to make money through pay per click advertising. It does this by downloading an application that conducts Web searches and clicks on the results. This is known as click fraud, which is a highly lucrative business for malware creators.

The threat is also capable of downloading other threats on to the compromised computer, some of which may be Misleading Applications that display bogus information about threats found on the computer and scare the user into purchasing fake antivirus software to remove the bogus threats. It is also capable of downloading updates of itself to improve and/or fix functionality of the threat.

It is also known to download software onto compromised computers in order to mine bitcoins for the malware creators. Bitcoin mining with a single computer is a futile activity, but when it is performed by leveraging the combined processing power of a massive botnet, the sums that can be generated are considerable.

Furthermore, it opens a back door and connects to a command and control (C&C) server, which allows the remote attacker access to the compromised computer. The attacker is then able to perform any number of actions on the computer, and the computer may then become part of a wider botnet.

It is able to achieve the above functions silently as it infects a system driver that acts as a rootkit hiding all of its components on the computer. The threat creates an encrypted hidden volume in the computer's file system where it stores all of its components. Not only does it store all of its components in the hidden volume, it can also hide any other malicious software that it downloads onto the computer there as well.

Link to Backdoor.Tidserv
There is strong evidence to suggest that there is a link between Trojan.Zeroaccess and another piece of malware with advanced rootkit capabilities, Backdoor.Tidserv. Whether the creators of the two are the same is not known. It is possible that the same person created the code for both pieces of malware and sold them to different gangs on the black market. Alternatively, it is possible that the creators of Zeroaccess bought the Tidserv code and modified it for their purposes. What is certain, however, is that Zeroaccess actively searches for any trace of Tidserv on the computer and removes it if it finds it.

Symantec has observed the following geographic distribution of this threat.

Symantec has observed the following infection levels of this threat worldwide.

The following content is provided by Symantec to protect against this threat family.

Antivirus signatures

Antivirus (heuristic/generic)

Intrusion Prevention System

Antivirus Protection Dates

  • Initial Rapid Release version July 13, 2011 revision 016
  • Latest Rapid Release version March 23, 2018 revision 035
  • Initial Daily Certified version July 13, 2011 revision 024
  • Latest Daily Certified version March 23, 2018 revision 003
  • Initial Weekly Certified release date July 13, 2011
Writeup By: Jarrad Shearer
