Tuesday, December 13, 2011

Zero Access Infection


Recently I encountered a threat that infected a client's computer. The client noticed that their antivirus program had intervened and requested a reboot of the computer to finish the remediation. Upon rebooting, the user was unable to log on. Worse yet, she had no mouse or keyboard. Fearing the worst, the user pushed the power button to shut down the computer, which responded normally and shut down gracefully. Next she tried to get into Safe Mode by pressing F8. Windows booted into Safe Mode, but again, it seemed, accepted no keyboard or mouse input.

I was able to verify the customer's complaint. However, I noted that the system was still alive: I was able to ping it, which to me meant that it was still working. I remotely accessed the machine's registry and enabled remote access to the machine. When attempting to connect remotely, I discovered I did not have the local administrator account's password. After rebooting the computer with a bootable password recovery CD, I recovered the four-letter local administrator password in only 9 seconds.

Using the recovered password, I was able to remotely connect to the computer and determine that the installed and updated antivirus software had clobbered the Windows XP PS/2 driver (i8042prt.sys), which handles both PS/2 keyboard and PS/2 mouse input.

I booted from the Windows XP CD and, using the Recovery Console, manually replaced the i8042prt.sys driver; however, the system still would not accept a PS/2 keyboard or mouse. I found an unused USB keyboard and began to work on the system, running some additional virus removal tools. One of the tools identified an infection known as Zero Access. After the tool completed the removal steps, the system still did not work with the PS/2 keyboard and mouse, but it did work with the USB keyboard.

I decided to run a repair install of Windows to correct the issue. The repair install soon reached the point in the setup process where it booted from the hard drive, and, disturbingly, I again had no PS/2 mouse and no PS/2 keyboard access. After a little research, and on a hunch, I aborted the repair install (knowing that it would resume upon reboot) and tried a decidedly different tactic.

Most variants of the Zero Access rootkit infect the Master Boot Record of the hard drive, which causes the machine to load part of the rootkit before Windows and the antivirus software have started, while the machine is still vulnerable and unprotected from viruses. I booted the Windows Recovery Console from the CD and had Windows replace the MBR and boot sector (the fixmbr and fixboot commands).
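How an MBR modification of this kind can be spotted before a technician reaches for fixmbr, as an added example that is not part of the original post: the script below parses the standard 512-byte MBR layout (446 bytes of boot code, four 16-byte partition entries, and the 0x55AA signature) and compares the boot code against a baseline hash recorded from a known-clean machine. The baseline, the sample sector bytes and the tampering are all constructed for the demonstration; only the sector layout is real.

```python
"""Added example (not from the original post): sanity-check a raw MBR image.

A bootkit that rewrites the Master Boot Record runs before the operating
system and the antivirus load. Comparing sector 0 against a baseline taken
from a clean, identically built machine is a cheap offline check.
"""
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 446          # bytes 0..445: boot loader code
PART_ENTRY_LEN = 16          # four entries follow at offset 446
SIGNATURE = b"\x55\xaa"      # last two bytes of a valid MBR
PART_FMT = "<B3xB3xII"       # status, (CHS start), type, (CHS end), LBA start, sector count


def build_mbr(boot_code: bytes, partitions) -> bytes:
    """Assemble a 512-byte MBR from boot code and up to four
    (status, type, lba_start, sectors) tuples. Used here only to construct
    sample sectors; a real check reads sector 0 from the disk instead."""
    if len(boot_code) > BOOT_CODE_LEN:
        raise ValueError("boot code too long")
    body = boot_code.ljust(BOOT_CODE_LEN, b"\x00")
    table = b"".join(struct.pack(PART_FMT, *p) for p in partitions)
    table = table.ljust(4 * PART_ENTRY_LEN, b"\x00")
    return body + table + SIGNATURE


def parse_partition_table(mbr: bytes):
    """Decode the four partition entries into dicts."""
    entries = []
    for i in range(4):
        off = BOOT_CODE_LEN + i * PART_ENTRY_LEN
        status, ptype, lba_start, sectors = struct.unpack_from(PART_FMT, mbr, off)
        entries.append({"status": status, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def boot_code_hash(mbr: bytes) -> str:
    """SHA-256 of the boot code region only (partition table excluded)."""
    return hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest()


def check_mbr(mbr: bytes, baseline_hash: str):
    """Return a list of findings; an empty list means the sector matches the
    baseline boot code and the partition table looks sane."""
    if len(mbr) != MBR_SIZE:
        return [f"unexpected sector length {len(mbr)}"]
    findings = []
    if mbr[-2:] != SIGNATURE:
        findings.append("missing 0x55AA boot signature")
    actual = boot_code_hash(mbr)
    if actual != baseline_hash:
        findings.append(f"boot code hash {actual[:16]}... differs from baseline")
    active = 0
    for i, e in enumerate(parse_partition_table(mbr)):
        if e["status"] not in (0x00, 0x80):
            findings.append(f"partition {i}: invalid status byte 0x{e['status']:02x}")
        if e["status"] == 0x80:
            active += 1
            if e["type"] == 0 or e["sectors"] == 0:
                findings.append(f"partition {i}: active but empty")
    if active > 1:
        findings.append(f"{active} partitions marked active; expected at most one")
    return findings


# Constructed sample: a stand-in boot loader and one bootable NTFS (type 0x07) partition.
CLEAN_BOOT_CODE = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 40
CLEAN_MBR = build_mbr(CLEAN_BOOT_CODE, [(0x80, 0x07, 63, 2_000_000)])
BASELINE_HASH = boot_code_hash(CLEAN_MBR)   # would normally come from a clean reference machine

# Constructed tampering: the first bytes of the boot code are altered and a
# second, empty partition entry is flagged active.
TAMPERED_MBR = build_mbr(b"\xeb\x3c" + CLEAN_BOOT_CODE[2:],
                         [(0x80, 0x07, 63, 2_000_000), (0x80, 0x00, 0, 0)])

if __name__ == "__main__":
    print("clean   :", check_mbr(CLEAN_MBR, BASELINE_HASH))
    print("tampered:", check_mbr(TAMPERED_MBR, BASELINE_HASH))
```

To check a real disk, read the first 512 bytes of the physical drive (on Windows, as an administrator, the raw device path \\.\PhysicalDrive0) and pass them to check_mbr together with a baseline hash recorded from an identical, clean installation. A hash mismatch on its own does not prove infection, since a different boot loader version changes the hash as well, but it tells the technician that sector 0 is not what it should be before any repair is attempted.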

I crossed my fingers and let Windows reboot. Windows setup continued the repair install and, voilà, I had access via the PS/2 keyboard and PS/2 mouse again; the machine was fully remediated.

The client was upset that the antivirus program had disabled their computer, when they should have realized this was a fortunate circuit breaker. Their real concern should have been that their system and all their activity were almost exposed to some unknown source. Without the antivirus program disabling this computer, every single input to the computer would have been collected and redirected...and probably not for the forces of good.

Remain vigilant.



Dave Hendricks
System Engineer
Sierra Computer Group

5 comments:

  1. Do you think fixboot and fixmbr would work? I have a similar problem.

  2. It works so long as the OS is windows xp. win7 and Vista have a whole separate boot process.

    Dave Hendricks

  3. Interesting. I was infected with the same virus and nothing seemed to work to fix it. I was able to go into safe mode, but then system restore refused to work. Also Norton told me what the virus was and told me I had to remove it manually. I got their program but that would not work as it simply locked up upon initiation. Eventually I had to reinstall windows but did it in a new folder and that allowed me to use my pc and I am slowly moving over programs from the original windows folder.

    What I would like to do is do a system restore and fix the old windows files so that I can get my main area up and running. I forgot the administrator's password so I can't do that. Any suggestions? I may get a password find program and see if that works.

  4. YMMV, but a System Restore will not fix a Zero Access infection. Reason being, System Restore occurs after Zero Access has been loaded into memory.

    Petter Nordahl makes just the tool to reset a forgotten Administrator password: the Offline NT Password & Registry Editor,
    which can be found here http://pogostick.net/~pnh/ntpasswd/ . This tool works best to BLANK the Administrator password.
    This tool can also unlock the administrator user if it was locked out due to excessive password failures.

    If you want to find out what the password is, you can also try OphCrack, available on SourceForge here: http://ophcrack.sourceforge.net/
    This tool might show what the password is in case you forgot, but you don't want to change it.

    Dave Hendricks

  5. Anonymous:

    I did exactly what you did last month. I have a new windows version installed in a separate folder and have been using that. Like you I wish that there was a way to get in to my original windows setup, but I can't even boot in a safe mode. I am stuck in a loop. This is a nasty virus. I think a good tech person could go in to the original windows file and manually remove the virus and the associated registry files, but that seems to be a bit over my head at the moment. Good luck. I do not like this virus.
