Sneaxi, posted November 6, 2021 (edited November 6, 2021 by Sneaxi)

Hello Guys, my antivirus just discovered a trojan called Trojan:Win32/AccessibilityEscalation.A. Can you help me to remove it? I would be very thankful.
Marcos (Administrator), posted November 6, 2021

Are you positive that the detection came from ESET? It doesn't look like we have such detection. Please post a screenshot of the log file with the detection logged. Looks like it might have come from Defender. Anyways, you can submit the file in an archive encrypted with the password "infected" to samples[at]eset.com to determine if it should be detected or not.
Sneaxi (author), posted November 6, 2021

So far only Windows Defender has detected it, but I think ESET will detect it soon too.
itman, posted November 6, 2021 (edited November 6, 2021 by itman)

> 55 minutes ago, Sneaxi said:
> Hello Guys, my antivirus just discovered a trojan called Trojan:Win32/AccessibilityEscalation.A. Can you help me to remove it? I would be very thankful.

Based on the Microsoft write-up here: https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win32/AccessibilityEscalation.A&ThreatID=-2147238315, Microsoft Defender should have removed the malware. Also, this is an old detection dating to 2018.
itman, posted November 6, 2021 (edited November 6, 2021 by itman)

Also of note is what this type of malware is performing:

> Windows Defender detects accessibility hijacks
>
> In order to protect Windows from these types of attacks, Windows Defender will detect when IFEO keys are made to attach debuggers such as cmd.exe or taskmgr.exe to accessibility programs that are accessible from the lock screen. These detections will also occur when a user is on the lock screen so attackers can't configure them when Windows is offline.
>
> These hijacks will be detected as Win32/AccessibilityEscalation and will cause Windows Defender to automatically remove the offending debugger from the Registry key. You can see an example of this type of detection below when I added the C:\Windows\System32\cmd.exe debugger to the sethc.exe IFEO key.
>
> https://www.bleepingcomputer.com/news/security/windows-defender-can-detect-accessibility-tool-backdoors/

This should be easy enough to test on a system with Eset installed by writing a script to modify the registry. Also, this is a behavior detection by WD, so Eset might not detect the activity. I for one have created a HIPS rule to monitor for debugger modification of any subordinate entry for this registry key, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options.
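The post above describes the IFEO "Debugger" hijack of sethc.exe and a HIPS rule watching that registry key. As an added example (not code from the forum thread, ESET or Microsoft), the following read-only PowerShell audit lists any Debugger value set under the Image File Execution Options subkeys for lock-screen accessibility executables. sethc.exe comes from the thread; the other executable names and the WOW6432Node path are assumptions about which subkeys are worth checking, and the function name is ours.

```powershell
# Added example: audit IFEO subkeys for Debugger values on accessibility executables.
# Read-only: it reports findings and does not modify the registry.

# Base IFEO paths to audit. The second (WOW6432Node) path is an assumed extra
# location to check on 64-bit Windows; it is skipped if absent.
$ifeoPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)

# sethc.exe is the executable named in the thread; the rest is an assumed list of
# other accessibility helpers reachable from the lock screen. Extend as needed.
$accessibilityExes = @(
    'sethc.exe', 'utilman.exe', 'osk.exe', 'narrator.exe',
    'magnify.exe', 'displayswitch.exe', 'atbroker.exe'
)

# Hypothetical helper: returns one object per (path, executable) pair that has a
# Debugger value set. Legitimate software rarely sets Debugger on these images,
# so each finding deserves a manual review.
function Get-IfeoDebuggerFinding {
    param(
        [string[]]$BasePaths = $ifeoPaths,
        [string[]]$Targets   = $accessibilityExes
    )
    $findings = @()
    foreach ($base in $BasePaths) {
        if (-not (Test-Path -LiteralPath $base)) { continue }
        foreach ($exe in $Targets) {
            $keyPath = Join-Path -Path $base -ChildPath $exe
            if (-not (Test-Path -LiteralPath $keyPath)) { continue }
            $key      = Get-Item -LiteralPath $keyPath
            $debugger = $key.GetValue('Debugger')
            if (-not [string]::IsNullOrWhiteSpace($debugger)) {
                $findings += [pscustomobject]@{
                    Image    = $exe
                    Debugger = $debugger
                    KeyPath  = $keyPath
                }
            }
        }
    }
    return $findings
}

# Run the audit and report. Wrapping in @() keeps .Count reliable for 0 or 1 results.
$findings = @(Get-IfeoDebuggerFinding)
if ($findings.Count -eq 0) {
    Write-Output 'No Debugger values set on the audited accessibility IFEO subkeys.'
} else {
    Write-Warning 'Debugger values found on accessibility IFEO subkeys; review each entry:'
    $findings | Format-Table -AutoSize
}
```

Run it from an elevated PowerShell session so every subkey is readable. A non-empty result is exactly the condition the Defender detection quoted above reacts to; if you want ongoing monitoring rather than a one-off check, a HIPS or registry-audit rule on those subkeys (as itman describes) is the persistent equivalent of this script.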