
Trojan:Win64/Sirefef.M


First posted on 09 February 2012.
Source: Microsoft

Aliases:

Trojan:Win64/Sirefef.M is also known as Backdoor/Win32.ZAccess (AhnLab), Backdoor.Win64.ZAccess.n (Kaspersky), BackDoor.Agent.AODS (AVG), TR/ATRAPS.Gen2 (Avira), BackDoor.Maxplus.23 (Dr.Web), Win32/Agent.FHYFVGX trojan (ESET), Backdoor.Win64 (Ikarus), Generic BackDoor!d2a (McAfee).

Explanation:

Trojan:Win64/Sirefef.M is the 64-bit user-mode component of Win32/Sirefef, a multi-component family of malware that moderates an affected user's Internet experience by modifying search results and generating pay-per-click advertising revenue for its controllers. The family consists of multiple parts that perform different functions, such as downloading updates and additional components, hiding existing components, or performing a payload.

Installation

Trojan:Win64/Sirefef.M is installed and executed by TrojanDropper:Win32/Sirefef.B.



Payload

Downloads and executes arbitrary files

The trojan may connect to a remote FTP server via HTTP POST to retrieve and execute commands, which could include the following actions:

  • Download arbitrary files or updated malware components
  • Execute retrieved files
  • Inject retrieved files into other processes


Generates fake traffic for certain websites

Some variants of Trojan:Win64/Sirefef.M generate fake traffic to the site visitor-counting service using the referrer "aelit<removed>sixfour.com".

It queries the server "counter.yadro.ru" with the following GET request every 900 seconds:

GET /hit?t52.6;rhttp://0;s320*200*32;u/0;0.<value based on current time> HTTP/1.1
Referer: <website being promoted>0
User-Agent: Opera/6 (Windows NT 5.00; U)

where <website being promoted> is the website that it generates fake traffic for.
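As an added example (not part of the original write-up), the following Python flags the fake-traffic request pattern described above in web-proxy logs: it matches the host, the path shape and the User-Agent, then checks that a client repeats the request at roughly the stated 900-second interval. The log format, timestamps and client IP addresses are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Indicators taken from the description above: host, path shape, User-Agent, 900 s period.
BEACON_HOST = "counter.yadro.ru"
BEACON_UA = "Opera/6 (Windows NT 5.00; U)"
# The digits after "0." are derived from the current time, so only their shape is matched.
BEACON_PATH = re.compile(r"^/hit\?t52\.6;rhttp://0;s320\*200\*32;u/0;0\.\d+$")
BEACON_PERIOD = 900  # seconds between requests, per the write-up

# Constructed sample proxy log (not real traffic). Format: time|client|method|host|path|user-agent
SAMPLE_LOG = """\
2012-02-09T10:00:00|10.0.0.5|GET|counter.yadro.ru|/hit?t52.6;rhttp://0;s320*200*32;u/0;0.1328781600|Opera/6 (Windows NT 5.00; U)
2012-02-09T10:03:12|10.0.0.7|GET|counter.yadro.ru|/hit?t44.1;r;s1280*800*24;u/0;0.4421|Mozilla/5.0 (Windows NT 6.1) Firefox/10.0
2012-02-09T10:15:00|10.0.0.5|GET|counter.yadro.ru|/hit?t52.6;rhttp://0;s320*200*32;u/0;0.1328782500|Opera/6 (Windows NT 5.00; U)
2012-02-09T10:20:00|10.0.0.9|GET|counter.yadro.ru|/hit?t52.6;rhttp://0;s320*200*32;u/0;0.1328782800|Opera/6 (Windows NT 5.00; U)
2012-02-09T10:30:01|10.0.0.5|GET|counter.yadro.ru|/hit?t52.6;rhttp://0;s320*200*32;u/0;0.1328783400|Opera/6 (Windows NT 5.00; U)
2012-02-09T10:31:00|10.0.0.9|GET|example.org|/index.html|Opera/6 (Windows NT 5.00; U)
"""

def parse(line):
    """Split one constructed log line into its fields."""
    ts, client, method, host, path, ua = line.split("|", 5)
    return {"ts": datetime.fromisoformat(ts), "client": client, "method": method,
            "host": host, "path": path, "ua": ua}

def is_beacon(entry):
    """True when host, path shape and User-Agent all match the Sirefef fake-traffic request."""
    return (entry["method"] == "GET" and entry["host"] == BEACON_HOST
            and entry["ua"] == BEACON_UA and BEACON_PATH.match(entry["path"]) is not None)

def find_sirefef_beacons(log_text, min_hits=3, tolerance=60):
    """Return {client: hit_count} for clients whose matching requests recur about every 900 s."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            entry = parse(line)
            if is_beacon(entry):
                hits[entry["client"]].append(entry["ts"])
    flagged = {}
    for client, stamps in hits.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        periodic = [g for g in gaps if abs(g - BEACON_PERIOD) <= tolerance]
        # A single matching request is weak evidence; require min_hits requests, every gap near 900 s
        if len(stamps) >= min_hits and len(periodic) == len(gaps):
            flagged[client] = len(stamps)
    return flagged

if __name__ == "__main__":
    print(find_sirefef_beacons(SAMPLE_LOG))  # {'10.0.0.5': 3}
```

A legitimate visitor to a page embedding the counter (client 10.0.0.7) is not flagged because its path and User-Agent differ, and a single matching request (10.0.0.9) does not meet the repetition threshold.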



Analysis by Marianne Mallen

Last update 09 February 2012
