ZeroAccess malware revisited - new version yet more devious

Jack

Administrator, Thread author
Sophos said:
Here at SophosLabs we have previously written in great depth about the menace of the ZeroAccess malware family, exploring its nature and documenting the changes this malware family has gone through over time.

Guess what?

The authors have pushed out another update and this time they are using some interesting techniques to ensure reboot persistence.

The previous incarnation of the user-mode version of ZeroAccess stored its files in folders created in the Recycle Bin (usually C:\RECYCLER on XP or C:\$Recycle.Bin on Vista and later) to make them less obvious.

It also changed the Access Control List entries (ACLs) on the folders so that no user could read from or write to the files.

This time the files are dropped into a new location with the ACL trick again being used.

But the malware authors are also using the right-to-left override and several other non-printable Unicode characters in both file paths and registry entries to further hinder identification and removal of the ZeroAccess components.

Let me explain what this means.

The new ZeroAccess dropper copies itself to two locations: in the %Program Files% folder, and in the user's local AppData area.

Each copy is placed in a folder that looks as though it is part of a Google product, using non-printable Unicode characters that make it hard to spot on some versions of Windows.

On Vista and later, the folder name is such that we cannot browse to it using Explorer:
[Image: za-01-490.png]

Read more: http://nakedsecurity.sophos.com/2013/07/31/zeroaccess-malware-revisited-new-version-yet-more-devious/
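The technique described in the quoted article (right-to-left override and other non-printable Unicode characters hidden in folder names and registry keys) is easy to miss by eye but trivial to detect once names are inspected code point by code point. The following is an added example, not code from Sophos or from this thread: it classifies every character of each path component by its Unicode general category, reports anything that is a format, control, unassigned, private-use or line/paragraph-separator character, and renders findings with `\uXXXX` escapes so the report line cannot itself be reordered by a bidi override. The sample paths and the `{placeholder-clsid}` key name are constructed for illustration; in practice the same functions would be fed names listed from `%Program Files%`, the user's local AppData folder and the registry.

```python
import re
import unicodedata

# Unicode general categories that should never appear in a legitimate folder,
# file or registry name: format characters (Cf, which includes U+202E
# RIGHT-TO-LEFT OVERRIDE and the zero-width characters), C0/C1 controls (Cc),
# unassigned (Cn), private use (Co) and line/paragraph separators (Zl, Zp).
HIDDEN_CATEGORIES = {"Cf", "Cc", "Cn", "Co", "Zl", "Zp"}


def is_hidden(ch):
    """True if the character is invisible or alters text direction/rendering."""
    return unicodedata.category(ch) in HIDDEN_CATEGORIES


def find_hidden_chars(name):
    """Return (index, 'U+XXXX', unicode name) for every hidden character in a
    single path component, file name or registry key/value name."""
    return [
        (i, f"U+{ord(ch):04X}", unicodedata.name(ch, "<unnamed>"))
        for i, ch in enumerate(name)
        if is_hidden(ch)
    ]


def escape_name(name):
    """Render a name with hidden characters shown as \\uXXXX escapes so that a
    report line cannot itself be reordered by a bidi override."""
    out = []
    for ch in name:
        if is_hidden(ch):
            cp = ord(ch)
            out.append(f"\\u{cp:04x}" if cp <= 0xFFFF else f"\\U{cp:08x}")
        else:
            out.append(ch)
    return "".join(out)


def scan_path(path):
    """Split a file-system or registry path on '\\' or '/' and report every
    component containing hidden characters. Returns a list of dicts with the
    escaped component and its hits; an empty list means the path is clean."""
    findings = []
    for component in re.split(r"[\\/]", path):
        hits = find_hidden_chars(component)
        if hits:
            findings.append({"component": escape_name(component), "hits": hits})
    return findings


# Constructed sample input (not real ZeroAccess artefacts): one benign path and
# three names that mimic the Google lookalike technique described in the post.
SAMPLE_PATHS = [
    "C:\\Program Files\\Google\\Chrome\\Application",
    "C:\\Program Files\\Google\u202e\\Desktop.ini",              # RLO appended to 'Google'
    "C:\\Users\\alice\\AppData\\Local\\Google\u200b\\Update",    # zero-width space
    "HKCU\\Software\\Classes\\CLSID\\{placeholder-clsid}\u2028",  # line separator in a key name
]


def scan_all(paths=SAMPLE_PATHS):
    """Return {path: findings} for every path that has at least one hit."""
    return {p: f for p in paths if (f := scan_path(p))}


if __name__ == "__main__":
    for path, findings in scan_all().items():
        print("SUSPICIOUS:", escape_name(path))
        for f in findings:
            for idx, cp, uname in f["hits"]:
                print(f"    component {f['component']!r}: {cp} {uname} at offset {idx}")
```

Checking categories rather than a fixed blacklist is deliberate: the article notes "several other non-printable Unicode characters" beyond the override, and a category test catches any of them without needing their code points in advance. Names that look like a Google product but carry even one hit are exactly the ones the folder and registry listings should surface for review.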

spywar

Hi,

This is a sample of this new version:

VirusTotal - https://www.virustotal.com/en/file/d5871e27484a45cdfba1bbda62cb090f46138c3a7158dbd9a5db7b3aa3a3b4db/analysis/


CAMAS - http://camas.comodo.com/cgi-bin/submit?file=d5871e27484a45cdfba1bbda62cb090f46138c3a7158dbd9a5db7b3aa3a3b4db

MalwareVirus

@MalwareCenter
Thanks sir, but I already dimmed my past laptop screen due to an infection (Ramnit virus) this January, so no.
I am a novice user and happy with that :)
