Trojan:Win32/Accessibility Escalation.A on my PC



Hello Guys,

My antivirus just discovered a trojan called Trojan: Win32 / Accessibility Escalation.A. Can you help me to remove it? I would be very thankful.


Edited by Sneaxi

  • Administrators

Are you positive that the detection came from ESET? It doesn't look like we have such a detection. Please post a screenshot of the log file with the detection logged. It looks like it might have come from Defender. Anyway, you can submit the file in an archive encrypted with the password "infected" to samples[at]eset.com to determine if it should be detected or not.


55 minutes ago, Sneaxi said:

Hello Guys,

my antivirus just discovered a trojan called Trojan: Win32 / Accessibility Escalation.A. Can you help me to remove it? I would be very thankful.

Based on Microsoft's write-up here: https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win32/AccessibilityEscalation.A&ThreatID=-2147238315 , Microsoft Defender should have removed the malware.

Also this is an old detection dating to 2018.

Edited by itman

Also of note is what this type of malware is performing:

Quote

Windows Defender detects accessibility hijacks

In order to protect Windows from these types of attacks, Windows Defender will detect when IFEO keys are made to attach debuggers such as cmd.exe or taskmgr.exe to accessibility programs that are accessible from the lock screen. These detections will also occur when a user is on the lock screen so attackers can't configure them when Windows is offline.

These hijacks will be detected as Win32/AccessibilityEscalation and will cause Windows Defender to automatically remove the offending debugger from the Registry key. You can see an example of this type of detection below when I added the C:\Windows\System32\cmd.exe debugger to the sethc.exe IFEO key.

https://www.bleepingcomputer.com/news/security/windows-defender-can-detect-accessibility-tool-backdoors/

This should be easy enough to test on a system with Eset installed by writing a script to modify the registry. Also this is a behavior detection by WD. So Eset might not detect the activity.

I for one have created a HIPS rule to monitor for debugger modification of any subordinate entry under this registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options.

Edited by itman
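The IFEO hijack the quoted BleepingComputer text describes, and the registry test and monitoring rule proposed in the post above, can be checked with a short script. The following PowerShell is an added example written for this thread; it is not code from ESET, Microsoft, BleepingComputer or any poster. It audits the Image File Execution Options key for Debugger values attached to binaries that Winlogon can start from the lock screen, and it can plant and remove the same sethc.exe/cmd.exe entry the quote mentions so you can watch whether your AV removes it or your HIPS rule fires. The list of lock-screen binaries is an assumption for illustration, not an exhaustive one, and the function names are made up for this example. Run it elevated, and only the Set- function in a lab or VM.

```powershell
# Added example for this thread (not from ESET, Microsoft or any poster).
# Audits IFEO Debugger values and optionally plants/removes a test hijack.
# Requires an elevated PowerShell session; tested logic against HKLM only.

$IfeoPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

# Accessibility helpers Winlogon can launch before anyone signs in.
# Assumed list for illustration; extend it to match your environment.
$LockScreenBinaries = @(
    'sethc.exe',         # Sticky Keys (Shift x5)
    'utilman.exe',       # Ease of Access button
    'osk.exe',           # On-Screen Keyboard
    'narrator.exe',
    'magnify.exe',
    'displayswitch.exe', # Win+P
    'atbroker.exe'       # Assistive Technology Manager
)

function Get-IfeoDebuggerHijack {
    # Lists every IFEO subkey carrying a Debugger value and marks the ones
    # belonging to lock-screen-reachable binaries as LockScreen = True.
    [CmdletBinding()]
    param([string[]] $Watch = $LockScreenBinaries)

    Get-ChildItem -Path $IfeoPath -ErrorAction Stop | ForEach-Object {
        $debugger = (Get-ItemProperty -Path $_.PSPath -Name Debugger `
                        -ErrorAction SilentlyContinue).Debugger
        if ($debugger) {
            [pscustomobject]@{
                Image      = $_.PSChildName
                Debugger   = $debugger
                LockScreen = ($Watch -contains $_.PSChildName.ToLower())
            }
        }
    }
}

function Set-IfeoTestHijack {
    # Recreates the scenario from the BleepingComputer quote: attach cmd.exe
    # as the "debugger" of sethc.exe. Lab/VM only. Defender is expected to
    # strip the value; an ESET HIPS rule scoped to the IFEO key should alert.
    param(
        [string] $Image    = 'sethc.exe',
        [string] $Debugger = "$env:SystemRoot\System32\cmd.exe"
    )
    $key = Join-Path $IfeoPath $Image
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name Debugger -Value $Debugger `
        -PropertyType String -Force | Out-Null
}

function Remove-IfeoTestHijack {
    # Cleans up the test entry if the AV did not.
    param([string] $Image = 'sethc.exe')
    $key = Join-Path $IfeoPath $Image
    if (Test-Path $key) {
        Remove-ItemProperty -Path $key -Name Debugger -ErrorAction SilentlyContinue
    }
}

# Usage (elevated):
#   Get-IfeoDebuggerHijack | Format-Table -AutoSize
#   Set-IfeoTestHijack; Start-Sleep -Seconds 10; Get-IfeoDebuggerHijack
#   Remove-IfeoTestHijack
```

A Debugger value under any IFEO subkey is worth a look, since a few developer tools do set one, but on a lock-screen helper such as sethc.exe or utilman.exe it is almost never legitimate. If you build the HIPS rule described above, scope it to value writes under the whole IFEO key rather than to the sethc.exe subkey alone, because the same trick works against every binary in the list.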
