The new variant of Zeroaccess Trojan exploits NTFS EA


The latest variant of the infamous Zeroaccess Trojan uses a new technique to store its malicious content: it exploits a feature of the NT File System (NTFS) called Extended Attributes (EA).

"Trojan.Zeroaccess.C uses ZwSetEaFile to write the malicious payload into the EA data of the file %System%\services.exe and ZwQueryEaFile respectively to retrieve and execute it. The threat patches the code to read and execute the EA data directly into the services.exe file by overwriting a portion of the original initialization code," a Symantec researcher said.



The researcher says that the infected system file, services.exe, cannot be repaired automatically from the information in the file alone, because a portion of its original code has been permanently overwritten by the threat. Users therefore have to restore the file manually from a clean backup.

Restoring the file is easy on Windows Vista and later, which let users roll the file back to a previous version by right-clicking on it and selecting Restore previous versions.

"As with other NTFS features, accessing the EA requires a specialized API and usually malware writers employ these techniques in the hope that antivirus products do not support them. This results in the payload remaining functional for longer periods of time," the researcher wrote.

"As far as Trojan.Zeroaccess.C is concerned, making use of EA marks a new point in its struggle to diversify. This new version does not include the rootkit component anymore, and it infects both x86 (32-bit) and x64 (64-bit) versions of the services.exe file."
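As an added defender-side example (not code from the original post or from Symantec), the following Python script reads a file's extended attributes through ntdll!NtQueryEaFile, the Nt-prefixed twin of the ZwQueryEaFile call quoted above, parses the FILE_FULL_EA_INFORMATION records it returns, and flags oversized EA values on a system binary such as services.exe. The 1024-byte threshold and the sample buffer are constructed assumptions, and query_file_eas only runs on Windows.

```python
import struct
# FILE_FULL_EA_INFORMATION, the record that NtQueryEaFile/ZwQueryEaFile fills in:
#   ULONG NextEntryOffset; UCHAR Flags; UCHAR EaNameLength; USHORT EaValueLength;
#   CHAR EaName[EaNameLength]; CHAR NUL; UCHAR EaValue[EaValueLength]; pad to 4 bytes
_HDR = struct.Struct("<IBBH")

def parse_ea_buffer(buf: bytes) -> list:
    """Walk a FILE_FULL_EA_INFORMATION chain and return [(name, value), ...]."""
    entries, off = [], 0
    while off + _HDR.size <= len(buf):
        next_off, _flags, name_len, val_len = _HDR.unpack_from(buf, off)
        name_at = off + _HDR.size
        val_at = name_at + name_len + 1                   # +1 skips the NUL after the name
        entries.append((buf[name_at:name_at + name_len].decode("ascii", "replace"),
                        buf[val_at:val_at + val_len]))
        if next_off == 0:                                 # last record in the chain
            break
        off += next_off
    return entries

def flag_large_eas(entries, min_size: int = 1024) -> list:
    """Heuristic (an assumption, not from the report): an EA value of min_size bytes
    or more on a system executable is unusual enough to warrant triage."""
    return [(name, len(value)) for name, value in entries if len(value) >= min_size]

def query_file_eas(path: str) -> list:
    """Windows only: fetch every EA attached to `path` through ntdll!NtQueryEaFile."""
    import ctypes; from ctypes import wintypes
    k32, ntdll = ctypes.windll.kernel32, ctypes.windll.ntdll
    k32.CreateFileW.restype = wintypes.HANDLE
    h = k32.CreateFileW(path, 0x80000000, 1, None, 3, 0, None)  # GENERIC_READ (covers FILE_READ_EA), share read, OPEN_EXISTING
    if h in (None, wintypes.HANDLE(-1).value):            # INVALID_HANDLE_VALUE
        raise OSError(f"cannot open {path}")
    try:
        iosb, buf = ctypes.create_string_buffer(16), ctypes.create_string_buffer(64 * 1024)
        status = ntdll.NtQueryEaFile(wintypes.HANDLE(h), iosb, buf, len(buf),
                                     False, None, 0, None, True) & 0xFFFFFFFF
        if status == 0xC0000052:                          # STATUS_NO_EAS_ON_FILE
            return []
        if status:
            raise OSError(f"NtQueryEaFile failed, NTSTATUS 0x{status:08X}")
        return parse_ea_buffer(buf.raw)
    finally:
        k32.CloseHandle(wintypes.HANDLE(h))

def _pack_ea(name: bytes, value: bytes, last: bool) -> bytes:  # one padded record, for the sample
    body = _HDR.pack(0, 0, len(name), len(value)) + name + b"\0" + value
    body += b"\0" * (-len(body) % 4)
    return body if last else _HDR.pack(len(body), 0, len(name), len(value)) + body[_HDR.size:]

# Constructed sample: a small benign-looking EA followed by a 2 KB opaque blob.
SAMPLE_EA_BUFFER = _pack_ea(b"TAG", b"ok", False) + _pack_ea(b"BLOB", b"\x90" * 2048, True)
```

On a Windows host, `flag_large_eas(query_file_eas(r"C:\Windows\System32\services.exe"))` returns the name and size of any EA worth inspecting; an empty list means no oversized EA was found.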