When Backdoor.ZAccess.aiu is executed, it performs the following activities:
After execution, Backdoor.ZAccess.aiu replaces a system driver in %System%\drivers with a copy of its rootkit driver. Which driver is replaced is chosen by an internal algorithm, although it appears to avoid win32k.sys and ndis.sys. When the replaced file is read, the rootkit returns the contents of the original system driver, presumably to hide its presence on the system.
Thirtyseven4 Antivirus detects the replaced file as RootKit.ZAccess.A.
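One way to look for the swapped driver is to verify the Authenticode signature of every driver in the drivers directory. The following PowerShell is an added triage example, not part of the Thirtyseven4 write-up; the function name Get-SuspiciousDrivers and the path it defaults to are assumptions, and the check assumes the drivers on the system were signed in the first place.

```powershell
# Added triage example (not the vendor's code): list drivers under
# %SystemRoot%\System32\drivers whose Authenticode signature does not verify.
# A driver overwritten with the rootkit copy is expected to fail this check.
# Requires PowerShell 3.0 or later (Get-ChildItem -File).
$driverDir = Join-Path $env:SystemRoot 'System32\drivers'

function Get-SuspiciousDrivers {
    param([string]$Path = $driverDir)
    Get-ChildItem -Path $Path -Filter '*.sys' -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Name          = $_.Name
                Status        = $sig.Status          # Valid, NotSigned, HashMismatch, ...
                Signer        = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
                LastWriteTime = $_.LastWriteTime
                Length        = $_.Length
            }
        } |
        Where-Object { $_.Status -ne 'Valid' }
}

# Most recently modified suspects first: the replaced driver is usually the newest.
Get-SuspiciousDrivers | Sort-Object LastWriteTime -Descending | Format-Table -AutoSize
```

Caveat: because the rootkit serves the original driver's bytes when the replaced file is read on the live system, this check can come back clean on an infected machine. Run it from a clean boot environment (for example, WinPE with the infected disk mounted) and pass the mounted drivers directory as -Path; the hash mismatch then shows on the real file contents.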
Backdoor.ZAccess.aiu then creates a hidden, encrypted volume in which it stores the original driver file that it replaced, along with the other component files it uses. The hidden volume has the following format inside the %Windir% directory:
It also creates a zero-byte file in %WINDIR%, named only with digits ({numbers_only_file}), with an Alternate Data Stream attached. The stream is silently executed and runs in the background:
The backdoor then starts a hidden process named <random_numbers:random_numbers.exe>, for example 3174600136:930268994.exe.
On disk this ADS hides behind what looks like an ordinary file, but any access to it triggers the rootkit's self-protection routine.
Note: An ADS is an NTFS feature that allows more than one data stream to be associated with a file. An ADS is addressed by name as filename.ext:adsname. Whenever a security tool accesses the ADS file or the process running from it, the rootkit's kernel component terminates that tool's process from the kernel.
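The bait file described above can be located by listing alternate data streams on digit-named files directly under %WINDIR%. This PowerShell is an added example and is not the vendor's code; the function name Get-DigitNamedAdsFiles is an assumption, and the digits-only filename pattern is taken from the description above.

```powershell
# Added triage example (not the vendor's code): find files directly under
# %WINDIR% whose names consist only of digits and list any alternate data
# streams attached to them. A digits-only file carrying a named stream matches
# the ADS described above. Requires PowerShell 3.0 or later (Get-Item -Stream).
function Get-DigitNamedAdsFiles {
    param([string]$Directory = $env:WINDIR)
    Get-ChildItem -Path $Directory -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match '^\d+$' } |
        ForEach-Object {
            $file = $_
            # ':$DATA' is the file's own unnamed stream; anything else is an ADS.
            Get-Item -Path $file.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                ForEach-Object {
                    [pscustomobject]@{
                        File       = $file.FullName
                        FileLength = $file.Length      # zero bytes for the bait file
                        Stream     = $_.Stream         # e.g. 930268994.exe
                        StreamSize = $_.Length
                    }
                }
        }
}

Get-DigitNamedAdsFiles | Format-Table -AutoSize
```

Caveat: on a live infected system, touching the bait file is exactly the access that the rootkit's kernel component reacts to, so the shell running this enumeration may itself be killed. Treat a silently vanishing PowerShell window as a positive result, and prefer running the listing against the disk from a clean boot environment, passing the mounted Windows directory as -Directory.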
Backdoors give the attacker remote administration of the victim machine. They can be instructed to send, receive, execute and delete files, harvest confidential data from the computer, log activity on the computer, and more.
This backdoor contacts a command-and-control server on port 22292 or 80. The IP address of the server may be one of the following:
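A quick host-side check for the command-and-control traffic is to list established connections to those two remote ports and attribute each to its owning process. This PowerShell is an added example, not from the vendor's write-up; it assumes the connections are TCP (the description gives only the port numbers), and the function name Get-SuspectC2Connections is an assumption.

```powershell
# Added example (not the vendor's code): list established outbound TCP
# connections to remote port 22292 or 80 and attribute each to its owning
# process and image path. 22292 is unusual enough to be an indicator on its
# own; port 80 is shown only with process attribution so browsers and
# updaters can be filtered out. Requires Windows 8 / Server 2012 or later.
function Get-SuspectC2Connections {
    param([int[]]$RemotePorts = @(22292, 80))
    Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
        Where-Object { $_.RemotePort -in $RemotePorts } |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                RemoteAddress = $_.RemoteAddress
                RemotePort    = $_.RemotePort
                PID           = $_.OwningProcess
                ProcessName   = $proc.Name
                ImagePath     = $proc.Path   # empty when the process is hidden or gone
            }
        }
}

# Connections whose owning process cannot be resolved deserve a second look:
# the rootkit hides its own process from user-mode enumeration.
Get-SuspectC2Connections | Sort-Object RemotePort | Format-Table -AutoSize
```

Caveat: the rootkit controls what this host reports about itself, so a connection with an empty ProcessName or ImagePath, or to port 22292 from any process at all, should be confirmed against a view the rootkit cannot alter, such as firewall or flow logs captured on a separate device.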