Rootkit.0access.H


By Domesticus in Rootkits

The Rootkit.0access.H rootkit is a variant of ZeroAccess, the kernel-mode rootkit component of the ZeroAccess Trojan. Its main job is to create a hidden file system on the infected computer, which it then uses to store and protect other malware. Rootkit.0access.H can also disable security software, connect to a remote server and open a backdoor into the victim's computer system.

Common Sources of a Rootkit.0access.H Infection

According to ESG security analysts, Rootkit.0access.H is usually distributed by attack websites running either the BlackHole Exploit Kit or the Bleeding Life exploit kit. Computer users are lured to these attack websites through social engineering scams such as fraudulent emails, instant messages or disguised file downloads. Rootkit.0access.H also has a pervasive presence on many peer-to-peer file sharing networks, where it is bundled with pirated software and media.

The Main Purpose of the Rootkit.0access.H Threat

Criminals typically use Rootkit.0access.H to profit from PPC (Pay Per Click) advertising fraud. To do this, the Rootkit.0access.H rootkit protects the so-called Google Redirect Virus, a Trojan component that hijacks the victim's browser and forces it to visit websites of the criminals' choosing, generating fraudulent ad clicks. This can be quite lucrative for the criminals behind the scheme. Rootkit.0access.H and ZeroAccess have also been linked to rogue security programs which, once installed on the victim's computer, try to convince the victim to pay for a bogus security product.

Rootkit.0access.H is Also Linked to a Large Botnet

Rootkit.0access.H opens a backdoor into the victim's computer. Through this backdoor, criminals can push files and commands onto the victim's computer or take information out of it without being detected. Using the backdoor, Rootkit.0access.H connects to a remote server, allowing a criminal to enroll the infected computer in a large botnet. Through this botnet, criminals can use the infected computer to carry out DDoS (Distributed Denial of Service) attacks or to send out spam email.

How Rootkit.0access.H Carries Out Its Harmful Work

Rootkit.0access.H and related ZeroAccess malware infect a legitimate system driver, one that anti-virus software usually leaves alone because tampering with it could destabilize the computer. Using this corrupted driver, Rootkit.0access.H creates a hidden file system in which it hides itself and other malware, and it filters what the operating system reports about files and registry keys so that its components do not show up. Because of this, ESG security analysts recommend using a specialized rootkit removal tool to deal with a Rootkit.0access.H infection. Most regular anti-virus software without anti-rootkit technology will not be able to detect or remove Rootkit.0access.H on a running system without help from a specialized application, and the most reliable check is to scan the disk from a clean boot medium, where the rootkit's driver is not loaded.

File System Details

Rootkit.0access.H may create the following file(s):
1. %Windows%\System32\NCUSBw32.dll
2. %Windows%\System32\lxbu_device.dll
3. %Windows%\System32\avidstartup.dll
4. %Windows%\System32\drivers\[RANDOM_CHARACTERS].sys
5. %Windows%\System32\[RANDOM_NAME].dll
6. %Windows%\System32\p1131vid.dll
7. %Windows%\System32\tb2launch.dll
8. %Windows%\System32\wdica.dll
9. %Windows%\System32\amdk8.dll
10. %Windows%\System32\o2flash.dll
11. %Windows%\System32\mail2ec.dll

Registry Details

Rootkit.0access.H may create or modify the following registry entries (most of them weaken browser and Explorer safety settings or lock the user out of Task Manager and the desktop):
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "CertificateRevocation" = '0'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations "LowRiskFileTypes" = '.zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;.mp3;.m3u;.wav;.scr;'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[RANDOM CHARACTERS].exe"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "CheckExeSignatures" = 'no'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "WarnonBadCertRecving" = '0'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop "NoChangingWallPaper" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableTaskMgr" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced "ShowSuperHidden" = '0'
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Use FormSuggest" = 'Yes'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer "NoDesktop" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments "SaveZoneInformation" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced "Hidden" = '0'
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system "DisableTaskMgr" = '1'
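As an added triage example (not code from the original page, from ESG, or from any ZeroAccess analysis), the following PowerShell script checks the local machine for the file and registry indicators listed above. Entries containing [RANDOM_CHARACTERS] or [RANDOM_NAME] cannot be matched literally, so the script instead lists every Run-key value and every recently created driver for manual review; the "Use FormSuggest" entry is left out because 'Yes' is a common legitimate setting. The 30-day driver window is an assumed triage threshold, not something the page states. One caveat a practitioner should keep in mind: on a live, infected system the rootkit filters file system and registry views, so a clean result here proves little; run the same checks from a clean boot medium against the offline disk and registry hives for a reliable answer.

```powershell
# Added triage script; read-only, changes nothing. Run from an elevated prompt.
# Checks the literal indicators from the page and lists the "random name" slots
# (Run key, drivers folder) for an analyst to review by hand.

$sys32 = Join-Path $env:SystemRoot 'System32'

# File indicators from the page (only the ones with literal names).
$fileIocs = @(
    'NCUSBw32.dll', 'lxbu_device.dll', 'avidstartup.dll', 'p1131vid.dll',
    'tb2launch.dll', 'wdica.dll', 'amdk8.dll', 'o2flash.dll', 'mail2ec.dll'
) | ForEach-Object { Join-Path $sys32 $_ }

# Registry indicators from the page: key, value name, and the data the rootkit sets.
$regIocs = @(
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings';    Name = 'CertificateRevocation'; Bad = 0 },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings';    Name = 'WarnonBadCertRecving';  Bad = 0 },
    @{ Key = 'HKCU:\Software\Microsoft\Internet Explorer\Download';                 Name = 'CheckExeSignatures';    Bad = 'no' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';      Name = 'DisableTaskMgr';        Bad = 1 },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System';      Name = 'DisableTaskMgr';        Bad = 1 },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer';    Name = 'NoDesktop';             Bad = 1 },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop'; Name = 'NoChangingWallPaper'; Bad = 1 },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments'; Name = 'SaveZoneInformation';   Bad = 1 },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced';    Name = 'ShowSuperHidden';       Bad = 0 },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced';    Name = 'Hidden';                Bad = 0 }
)

$hits = @()

# Literal file names: a hit is strong evidence, a miss is not (the driver hides files).
foreach ($f in $fileIocs) {
    if (Test-Path -LiteralPath $f) { $hits += "FILE  $f" }
}

# Registry values: compare as strings so DWORD 0 and string 'no' both work.
foreach ($r in $regIocs) {
    if (-not (Test-Path -LiteralPath $r.Key)) { continue }
    $item = Get-ItemProperty -LiteralPath $r.Key -ErrorAction SilentlyContinue
    if ($null -eq $item -or $null -eq $item.($r.Name)) { continue }
    $actual = $item.($r.Name)
    if ("$actual" -eq "$($r.Bad)") {
        $hits += "REG   $($r.Key) '$($r.Name)' = '$actual'"
    }
}

# LowRiskFileTypes: the page lists a long string; the dangerous part is that
# executable types (.exe, .bat, .cmd, .scr ...) are marked low risk.
$assocKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Associations'
if (Test-Path -LiteralPath $assocKey) {
    $low = (Get-ItemProperty -LiteralPath $assocKey -ErrorAction SilentlyContinue).LowRiskFileTypes
    if ($low -and ($low -match '\.(exe|bat|cmd|com|scr|msi|reg);')) {
        $hits += "REG   $assocKey 'LowRiskFileTypes' marks executables low risk: $low"
    }
}

# Run key: the page gives only '[RANDOM CHARACTERS].exe', so list every value.
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
if (Test-Path -LiteralPath $runKey) {
    $run = Get-ItemProperty -LiteralPath $runKey
    foreach ($p in $run.PSObject.Properties) {
        if ($p.Name -notlike 'PS*') { $hits += "RUN   $($p.Name) -> $($p.Value)" }
    }
}

# Drivers: the page gives '[RANDOM_CHARACTERS].sys'; list recent ones (assumed 30-day window).
$drv = Join-Path $sys32 'drivers'
Get-ChildItem -LiteralPath $drv -Filter '*.sys' -ErrorAction SilentlyContinue |
    Where-Object { $_.CreationTime -gt (Get-Date).AddDays(-30) } |
    ForEach-Object { $hits += "DRV   $($_.FullName) (created $($_.CreationTime))" }

if ($hits.Count -eq 0) {
    'No listed Rootkit.0access.H indicators visible. On a live system this is NOT proof of a clean machine; rescan from clean boot media.'
} else {
    'Indicators or items for review (a hidden file system will not appear here):'
    $hits
}
```

The RUN and DRV lines are review lists rather than detections: a legitimate autostart or a freshly patched driver will appear there too, so judge them by publisher, signature and path rather than by presence alone. To run the registry checks offline, load the victim's NTUSER.DAT and SOFTWARE hives with reg.exe load under a temporary key and point the HKCU:/HKLM: paths above at that key.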
