
Posted (edited)

Hello Guys,

my antivirus just discovered a trojan called Trojan:Win32/AccessibilityEscalation.A. Can you help me to remove it? I would be very thankful.

Edited by Sneaxi
  • Administrators
Posted

Are you positive that the detection came from ESET? It doesn't look like we have such detection. Please post a screenshot of the log file with the detection logged. Looks like it might have come from Defender. Anyways, you can submit the file in an archive encrypted with the password "infected" to samples[at]eset.com to determine if it should be detected or not.

Posted

So far only Windows Defender has detected it, but I think ESET will detect it soon too.

Posted (edited)
55 minutes ago, Sneaxi said:

Hello Guys,

my antivirus just discovered a trojan called Trojan:Win32/AccessibilityEscalation.A. Can you help me to remove it? I would be very thankful.

Based on the Microsoft write-up here: https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win32/AccessibilityEscalation.A&ThreatID=-2147238315 , Microsoft Defender should have removed the malware.

Also this is an old detection dating to 2018.

Edited by itman
Posted (edited)

Also of note is what this type of malware is performing:

Quote

Windows Defender detects accessibility hijacks

In order to protect Windows from these types of attacks, Windows Defender will detect when IFEO keys are made to attach debuggers such as cmd.exe or taskmgr.exe to accessibility programs that are accessible from the lock screen. These detections will also occur when a user is on the lock screen so attackers can't configure them when Windows is offline.

These hijacks will be detected as Win32/AccessibilityEscalation and will cause Windows Defender to automatically remove the offending debugger from the Registry key. You can see an example of this type of detection below when I added the C:\Windows\System32\cmd.exe debugger to the sethc.exe IFEO key.

https://www.bleepingcomputer.com/news/security/windows-defender-can-detect-accessibility-tool-backdoors/

This should be easy enough to test on a system with ESET installed by writing a script to modify the registry. Also, this is a behavior detection by WD, so ESET might not detect the activity.

I for one have created a HIPS rule to monitor for debugger modification of any subordinate entry for this registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options.

Edited by itman
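The following is an added example, not code from the thread or from ESET or Microsoft. It audits the Image File Execution Options key that the quoted write-up and the HIPS rule above are about, and reports any subkey that carries a Debugger value, flagging those that belong to accessibility programs reachable from the lock screen (the condition Defender reports as Win32/AccessibilityEscalation). It is read-only: it reports what is configured and changes nothing. The watch list is an assumption: sethc.exe is named in the thread, the other binary names are assumed here to be the remaining stock accessibility programs and can be adjusted.

```powershell
# Added example (not from the thread): read-only audit of the IFEO key for
# Debugger values attached to accessibility programs. Run from an elevated
# prompt so every subkey is readable.

$ifeoPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

# Watch list: sethc.exe comes from the thread; the remaining names are an
# assumption about which lock-screen accessibility binaries a stock install has.
$accessibilityBinaries = @(
    'sethc.exe', 'utilman.exe', 'osk.exe', 'narrator.exe',
    'magnify.exe', 'displayswitch.exe', 'atbroker.exe'
)

function Get-IfeoDebuggerFindings {
    param(
        [string]   $Path      = $ifeoPath,
        [string[]] $WatchList = $accessibilityBinaries
    )

    $findings = @()
    if (-not (Test-Path -Path $Path)) { return $findings }

    foreach ($sub in Get-ChildItem -Path $Path -ErrorAction SilentlyContinue) {
        # Each subkey is named after the image it applies to, e.g. sethc.exe
        $image    = $sub.PSChildName
        $debugger = (Get-ItemProperty -Path $sub.PSPath -Name 'Debugger' -ErrorAction SilentlyContinue).Debugger
        if ([string]::IsNullOrWhiteSpace($debugger)) { continue }

        $findings += [pscustomobject]@{
            Image      = $image
            Debugger   = $debugger
            # A Debugger on an accessibility program is the hijack pattern;
            # a Debugger on other images may be a legitimate developer setting.
            Suspicious = ($WatchList -contains $image.ToLower())
            Key        = $sub.Name
        }
    }
    return $findings
}

$results = Get-IfeoDebuggerFindings
if (-not $results) {
    'No Debugger values found under Image File Execution Options.'
}
else {
    $results | Sort-Object -Property Suspicious -Descending | Format-Table -AutoSize
    $hits = @($results | Where-Object { $_.Suspicious })
    if ($hits.Count -gt 0) {
        Write-Warning ("{0} accessibility program(s) have a Debugger value set; review the listed key(s) and remove the value if it is unexpected." -f $hits.Count)
    }
}
```

Running this periodically, or after a detection like the one reported here, confirms whether the offending Debugger value is actually gone, which matters because Defender's automatic removal and a HIPS rule only cover changes made while the OS is running; a value written offline (for example from recovery media) is only visible to an audit like this one.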
This topic is now closed to further replies.