ZeroAccess, or Sirefef, is a piece of malware that replaces some critical files belonging to the operating system and hooks some kernel structures to make itself invisible to both the OS and security software.
We have seen samples of the ZeroAccess dropper disguised as cracks and key generators for a wide range of applications, from Microsoft Office 2010 to porn downloaders or games. Once the user downloads and executes the infected crack or patch in an attempt to pirate a commercial application, the dropper silently installs the ZeroAccess rootkit by overwriting a random driver. It then stores its data in %SYSTEMROOT%\system32\config under a random name. Having successfully overwritten the legitimate driver, Rootkit.Sirefef is executed at each boot instead of the genuine driver. To further protect itself, it also infects a random executable file located in the system32 folder, which will reinfect the system should the rootkit become inactive.
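The two file-system changes described above (a legitimate driver overwritten in place, and data dropped under a random name in %SYSTEMROOT%\system32\config) are the kind of thing a baseline integrity check catches. The script below is an added example, not Bitdefender's removal tool or any code from the original post: it records SHA-256 hashes of the files in a drivers directory and the file names present in a config directory, then reports drivers whose contents changed under an unchanged name and config files that were not in the baseline. The directory paths and all sample files are constructed in a temporary directory so the script runs offline; the driver and hive names are stand-ins.

```python
"""Baseline integrity check for a drivers directory and a config directory.
Added example; directories and files below are constructed for the demo."""
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large driver images do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(drivers_dir: Path, config_dir: Path) -> dict:
    """Record driver hashes and the list of file names in the config directory."""
    return {
        "drivers": {p.name: sha256_of(p) for p in drivers_dir.iterdir() if p.is_file()},
        "config": sorted(p.name for p in config_dir.iterdir() if p.is_file()),
    }


def compare(baseline: dict, current: dict) -> dict:
    """Return findings: drivers modified in place (same name, different hash),
    drivers absent from the baseline, and config files absent from the baseline."""
    modified = sorted(
        name for name, digest in current["drivers"].items()
        if name in baseline["drivers"] and baseline["drivers"][name] != digest
    )
    new_drivers = sorted(set(current["drivers"]) - set(baseline["drivers"]))
    new_config = sorted(set(current["config"]) - set(baseline["config"]))
    return {
        "modified_drivers": modified,
        "new_drivers": new_drivers,
        "new_config_files": new_config,
    }


def demo() -> dict:
    """Build a constructed clean state, take a baseline, then simulate the
    in-place driver overwrite and random-name config drop described in the post."""
    with tempfile.TemporaryDirectory() as tmp:
        drivers = Path(tmp) / "drivers"
        config = Path(tmp) / "config"
        drivers.mkdir()
        config.mkdir()
        # Constructed stand-ins for legitimate driver files and registry hives.
        for name in ("afd.sys", "tcpip.sys", "null.sys"):
            (drivers / name).write_bytes(b"legitimate driver image " + name.encode())
        for name in ("SAM", "SECURITY", "SOFTWARE", "SYSTEM"):
            (config / name).write_bytes(b"hive contents")
        baseline = snapshot(drivers, config)

        # Simulated infection: one driver is replaced under its existing name and
        # a file with a random-looking (constructed) name appears in config.
        (drivers / "null.sys").write_bytes(b"replacement body masquerading as null.sys")
        (config / "a8f3e1c2").write_bytes(b"dropped data")

        return compare(baseline, snapshot(drivers, config))


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On a real host the baseline would be taken from a known-clean state and kept on read-only media, and the check pointed at the actual drivers and config directories. Because the post says the rootkit hooks kernel structures to hide itself from the running OS, a listing taken on the live infected system may omit the dropped file or show the original driver contents; the comparison is only trustworthy when run from a clean boot environment that mounts the disk offline.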
I'm not going to dwell on the internal workings of Rootkit.Sirefef. Suffice it to say that this piece of malware creates a harmless executable file that acts like a tripwire: whenever it is scanned by a security solution, the rootkit tries to kill the antivirus. Some AV products are unable to protect their processes against the killing routine and are disabled, leaving the system vulnerable to other malware attacks.
Bitdefender customers are not vulnerable to Rootkit.Sirefef, as all security products in the Bitdefender family can detect and remove the e-threat. Computer users who are not protected by a Bitdefender antivirus can disinfect their computer in three simple steps:
1. Download the Rootkit.Sirefef free removal tool (the rootkit does not work in 64-bit operating systems);
2. Run the removal tool;
3. Reboot the PC to complete the disinfection procedure.
The removal tool is provided courtesy of Bitdefender malware researchers Balazs Biro and Mihail Andronic.
All product and company names mentioned herein are for identification purposes only and are the property of, and may be trademarks of, their respective owners.