ZeroAccess / Max++ Rootkit New Variants

New variant of Zero access malware is now available, this Trojan horse that has rootkit behavior and can create a hidden file system. It may also open a back door on the compromised computer. Uploading the malware to virus total found that only 11/44 antivirus has detected the malicious software the second upload is 13/43.

ZeroAccess rootkit has been firstly identified back in 2009 and when this rootkit had been discovered in the wild. It was the time of MBR rootkit and TDL2 rootkit while on the TDL we are currently at the fourth version. when security researchers came across a new, previously unknown, rootkit able to kill most of security software as soon as they tried to scan specified folders in the system.

ZeroAccess was creating a new kernel device object called __max++> , this is the reason why the rootkit has quickly become known in the security field as the max++ rootkit, also known as ZeroAccess due to a string found in the kernel driver code, presumably pointing to the original project folder called ZeroAccess (f:\VC5\release\ZeroAccess.pdb).

By analyzing the malware technically we found the following:

  1. The malware start to create a hidden process called 3439254774
  2. It adds an executable file to %Windir%\3439254774:153289011.exe where %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.
  3. The Trojan then creates the following registry entries to prevent access to certain services through the registry:
    1. [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\f6dcfecc]  Type = 0x00000001  Start = 0x00000003    ImagePath = “\systemroot\3439254774:153289011.exe”

The Trojan opens a back door by contacting a Command and Control server on port 22292 or 80. The IP address of the server may be one of the following:


Than Trojan may send requests to the following URL:

To protect yourself against any threat I recommend following the Ten steps to protect Microsoft based system.