ZeroAccess Virus Using Millions of PCs to Generate Revenue

By The Pit Crew

When asked why he robbed banks, the 1920s U.S. bank robber Willie Sutton is credited with the one-line answer: because that’s where the money is. Today the money is in clicks on web links. Each click on a link delivers a visitor to a web site, and each visitor to a web site is a potential customer. Today's online stores buy clicks, and today's Willie Sutton steals them.

Sophos’s James Wyke recently released details on the number of clicks one modern-day Willie Sutton is stealing, and how 9M other people's personal computers are used to do it.

How to steal $96K/day in clicks

The Zero Access virus makes $96K/day (USD) using a new version of the old self-dealing scam:

1. The scammer sets up a web site and publishes ads from one or more ad networks like Google, Microsoft, or Yahoo.

2. The ad networks pay the scammer a small fee for each click on an ad.

3. The scammer clicks on the ads on his own website.

Self-clicking is the essence of the scam.

It’s a lot of manual work to self-click on ads, so today's Willie Sutton writes software programs to do the self-clicking for him. But ad networks can tell if a software program running on a computer is self-clicking, because too many clicks are coming from the same computer. So Willie installs his self-clicking software on a huge number of other people's personal computers without their permission and makes it really hard to get the program off. And that’s how a malware program is born, more popularly referred to as a virus.

This is the essence of the Zero Access virus. It’s a software program for self-clicking on scammers' websites. The virus has infected over 9M people's computers, with about 400K infections active at any point in time. Those approximately 400K actively running programs each self-click once an hour, 24 hours a day, at $0.01/click, to earn the scammer roughly $96K/day. Further, because it’s a software program, it can update itself to run other scams too, like mailing spam or stealing the credit card number of the computer’s owner.
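The paragraphs above make the detection point from the ad network's side: a lone self-clicker is easy to spot because all the clicks come from one computer, which is exactly why the operator spreads the clicking across hundreds of thousands of infected machines at one click per hour each. The following added example (my own code, not the article's, PC Pitstop's or Sophos's) runs two defender-side checks over a constructed click log: a per-source hourly rate check, which catches the lone self-clicker but not the botnet hosts, and a per-publisher periodicity check, which flags a publisher whose clicking hosts each arrive on a metronomic schedule. The log format, publisher ids, IP addresses and thresholds are all assumptions made for the example.

```python
"""Two simple click-fraud detectors over a constructed ad-click log.

Assumed log format (one click per line): "<unix_time> <publisher_id> <client_ip>".
All publisher ids, addresses and thresholds below are made up for illustration.
"""
from collections import defaultdict
from statistics import mean, pstdev


def build_sample_log():
    """Constructed sample log (not real data)."""
    t0 = 1_700_000_000
    lines = []
    # pub-A: a single host clicking every 12 seconds, 50 times (lone self-clicker).
    for i in range(50):
        lines.append(f"{t0 + i * 12} pub-A 198.51.100.7")
    # pub-B: 20 hosts, each clicking exactly once an hour for 24 hours
    # (the distributed, once-per-hour pattern the article describes).
    for h in range(20):
        for k in range(24):
            lines.append(f"{t0 + k * 3600 + h * 7} pub-B 203.0.113.{h + 1}")
    # pub-C: 15 hosts with a handful of irregularly spaced clicks each (organic-looking).
    for h in range(15):
        for off in (0, 700 + 30 * h, 4100 + 200 * h, 19000 + 50 * h, 40000 + 90 * h):
            lines.append(f"{t0 + off} pub-C 192.0.2.{h + 1}")
    return "\n".join(lines)


def parse_log(text):
    """Parse the assumed log format into (timestamp, publisher, ip) tuples."""
    clicks = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, publisher, ip = line.split()
        clicks.append((int(ts), publisher, ip))
    return clicks


def hot_sources(clicks, max_per_hour=10):
    """Per-source rate check: flag any IP with more than max_per_hour clicks
    in a single hour bucket. Catches a lone self-clicker; a botnet host that
    clicks once an hour stays well under the threshold."""
    per_bucket = defaultdict(int)
    for ts, _pub, ip in clicks:
        per_bucket[(ip, ts // 3600)] += 1
    return {ip for (ip, _bucket), n in per_bucket.items() if n > max_per_hour}


def metronomic_publishers(clicks, min_hosts=5, max_cv=0.05, min_clicks=4):
    """Per-publisher periodicity check: for each (publisher, host) with at least
    min_clicks clicks, compute the coefficient of variation of the gaps between
    consecutive clicks. Human traffic is bursty (high CV); scheduled clicking
    is near-constant (CV close to 0). A publisher with min_hosts or more such
    metronomic hosts is flagged, even though no single host is noisy."""
    by_host = defaultdict(list)
    for ts, pub, ip in clicks:
        by_host[(pub, ip)].append(ts)
    metronomic_count = defaultdict(int)
    for (pub, _ip), stamps in by_host.items():
        if len(stamps) < min_clicks:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            metronomic_count[pub] += 1
    return {pub for pub, n in metronomic_count.items() if n >= min_hosts}


if __name__ == "__main__":
    clicks = parse_log(build_sample_log())
    print("hot sources (rate check):", sorted(hot_sources(clicks)))
    print("metronomic publishers (periodicity check):", sorted(metronomic_publishers(clicks)))
```

On the sample data the rate check flags only the lone self-clicking host behind pub-A, while the periodicity check flags pub-B, whose twenty hosts never exceed one click an hour but all tick on the same schedule; pub-C trips neither. The lesson is the one the article implies: once clicks are spread across many machines, per-source volume is no longer a sufficient signal, and the network has to look at timing and aggregation per publisher.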

How to Remove Zero Access

Once ZeroAccess is installed on a computer, it’s very difficult for security programs to remove it, as this video demonstrates. ZeroAccess disables a number of Windows security services and takes measures to hide itself from security programs or disable anti-virus software that tries to remove it. There are thousands of websites and hundreds of ways to tackle removing ZeroAccess, but they all boil down to these 4 types of solutions:

The “FREE” Way
There are published guides on how to use a combination of manual steps and freely available software tools to remove the ZeroAccess virus. Technical skill is required.

Free AntiVirus Scan and Removal Recommendations from Bob Rankin

Free AntiVirus Scan and Removal Recommendations from Leo Notenboom

The “PHONE” Way
There are businesses that you can call and they’ll log into your computer over the Internet and a technician will remove the ZeroAccess virus for a fee. Typically the technician follows one of the published guides with the combination of manual steps and freely available software tools.

The “STORE” Way
Most stores that sell computers also service computers, and will remove viruses like Zero Access for a fee.

The “Live USB/CD” Way
The United States Computer Emergency Readiness Team recommends cleaning an infected computer with a “trusted bootable USB”. If assembling a bootable USB with an anti-virus system set up on it is too technically difficult, there are solutions available like the FixMeStick that are easy to use.

33 thoughts on “ZeroAccess Virus Using Millions of PCs to Generate Revenue”

  1. This is more advertising than anything else. There is no detailed information about the virus. Even if there were... I congratulate whoever made it. It doesn't damage any of the infected machines, it only "borrows" them to click for him or her. Congratulations, and... no need to be nervous, use my PC and let's see if it sends me some $$$$.

    1. @Merete: One telltale sign is when you click on Google search result, you are taken to a domain that has nothing to do with what you selected, and it’s all ads.

    1. @Mary Jo: We’ll be more specific next time for sure. We did think that categorizing all the different types of solutions into 4 categories would help people decide the best next steps for them.

  2. This article seems to be a commercial. It gives enough information to cause concern, then talks about solutions… but it subtly discourages the use of most as too difficult for the average user, or too expensive, or as giving your precious computer to strangers.

    The only solution it gives concrete information about is the one with the hyperlink in bright red letters, and for that one, it gives a recommendation from an official-sounding organization I’ve never heard of. And it’s a solution that charges a license fee of $60 a year, like most antivirus companies, except that you might not use it more than once or twice in that year — or at all. And the tech version is $300 every year!

    I’m disappointed with PC Pitstop for publishing this commercial advertisement that is thinly disguised as a real information article. They normally do much better.

  3. A similar device is required to remove the latest manifestation of Babylon search engine malware (otherwise impossible to remove – even if you religiously follow Babylon’s own removal instructions). It’s a real nasty and who the hell knows whatever else it is up to during its lodgement?

  4. Richard Waterbury

    I use this product, never been touched in 1.5 yrs. Emmunize takes a new approach to virus protection. Instead of letting unknown programs run on your PC as long as they are not on a list of known viruses, Emmunize checks to see if they are on a white list of good programs. If the program isn't listed, Emmunize doesn't let the program execute. So what does that mean?

    Emmunize's "block everything unless it's on your white list" approach stops not only the known viruses and threats to your PC, but the brand new ones out there that haven't made it to traditional antivirus' "bad list" yet. With Emmunize, you have a much higher level of protection than the other guys.

  5. Unix/Linux users: Haven’t heard of ZA infecting this OS, but it doesn’t mean it can’t in the future. It’s possible that a variant can be created for ANY operating system out there, but if the creator of such viruses will not gain much from it, then more than likely it won’t happen. It’s like an arsonist deciding if he wants to burn a few trees (Mac/Unix/Linux) or a forest full of trees (Windows). There is a tool called “TDSSKiller” from Kaspersky which you can run to see if you have ZA. Be sure to click on “Change Parameters” and check the “Detect TDLFS file system” option, then scan.

  6. This article tells me that some people have some malware installed which could give problems to some other people.

    It does not tell me how to find out if I have it. It does not tell me how I should get rid of it if I have it.

    It is about as useful as writing “Sometimes bad things happen” – and about as informative.

  7. 1) Willie Sutton did not actually say this. His actual answer to the reporter was long and convoluted, and the reporter boiled it down to the “quote”
    2) If I understand correctly, the money is actually coming from Google or Yahoo, not the individual user. Since the scam does not actually affect me in any way, I have little interest in worrying about whether I have the virus or not in my computer. This is Google’s problem, not mine. Am I wrong?

    1. @David Maxwell: It’s only their problem until the C&C server (command and control server) updates the malware to start looking at your bank details etc. Question is: do you really want software on your PC that gives others complete access to it??

    2. Yes, you are wrong. Very wrong!

      #1 Sutton robs a bank. You do not have money in that bank, so bank robbery is not your problem?

      #2 Google/Yahoo are theft victims. To cover the theft they raise prices. In the end you pay more. Not your problem?

      #3 If you are not part of the solution, then you are part of the problem.
  8. That’s good info, but how about sharing with your readers how to remove the virus the free way and the “Live USB Way.”

    That would be more beneficial, don’t you think?

  9. I have the same question as Nancy above. You listed the virus, but did not give any indicators on telling if you have it or not. To the best of my knowledge my system is clean, and it's not acting screwy, but how do I KNOW it's clean?

    1. I would suggest going to an online scanner like Trend Micro's HouseCall. It's more apt to find it than the scanner on your computer that the virus is hiding from.

  10. Please use correct English writing structures or get a copy reader to correct your errors.

    PS Show the reader some of the “Free Ways” B

    More aptly put, just a few more clicks, log into a popular untrusted 3rd-party social site, buy the software directly from the scammer, add to the number of click-throughs originating from a supposed ‘help’ article and leave positive feedback — ultimately “sharing” your virus with all your friends & family. Oh, wait… what have I done!?