ZeroAccess, also known as max++ and Sirefef is a rootkit that affects Microsoft Windows operating systems. It is used to download other malware on an infected machine and to form a botnet mostly involved in Bitcoin mining and click fraud, while remaining hidden on a system using rootkit techniques.


This variant of ZeroAccess will infect Services.EXE, a critical operating system file. This variant is also a browser-redirector, redirecting to sites such as Stopzilla and other adware links. It will drop the following items to "C:\Windows\Installer\{d3886955-9395-1032-8b62-ad0753710459}"

  • L folder
  • U folder
  • @.sys
  • N.sys

It will also drop copies of the file into AppData.


  • Trojan.Zeroaccess (Symantec)
  • Trojan:Win32/Sirefef (MSE)
  • Win32/ZeroAccess (AVG)
  • BKDIR_ZEROACCESS (Trend Micro)
Community content is available under CC-BY-SA unless otherwise noted.