
Trojan:Win32/Sefnit.BY


First posted on 23 April 2014.
Source: Microsoft

Aliases:

There are no other names known for Trojan:Win32/Sefnit.BY.

Explanation:

Threat behavior

Installation

Trojan:Win32/Sefnit.BY installs itself into one of the following locations:

  • %APPDATA%\microsoft\applicationmanager\rundll32.dll
  • %APPDATA%\microsoft\applicationmanager\startup_module.dll
  • %APPDATA%\updater\updater.dll
  • %APPDATA%\updater\updater_task.dll
  • \dfrg\mst.exe
  • \dfrg\reg_util.exe
  • \dfrg\stub.exe
  • \dfrg\svc.exe
  • \themes.dll
  • \winthemes.dll
  • \winthemes_service.dll


Variants of this family can be installed by exploits, other malware or potentially unwanted software.

The trojan might register itself as a service with the name "Windows Themes" by modifying the registry:

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\winthemes\Enum
Sets value: "0"
With data: "Root\LEGACY_WINTHEMES\0000"

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\winthemes
Sets value: "ImagePath"
With data: "C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\winthemes_service.dll,init_service"

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\winthemes
Sets value: "DisplayName"
With data: "Windows Themes"

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\winthemes
Sets value: "ObjectName"
With data: "LocalSystem"

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\winthemes
Sets value: "Description"
With data: "Provides user experience theme management."

The trojan may contact a command and control (C&C) server to download and run additional files.

We have seen the threat try to communicate with the following servers:

  • gerrardinokelseysullivanudosk..com/cpu_32.zip
  • katherinemilestribonchi..com/cpu_32.zip
  • lambertfosterhumbertlombo..com/cpu_32.zip
  • wimariahlynchebiaonto..com/cpu_32.zip


We have also seen the threat try to communicate with the following servers using an outgoing SSH connection on port 443:

  • albfznc.su
  • dmzhor.com
  • gonjk.su
  • gxedw.net
  • metfsy.org
  • pubzat.com
  • ralwze.net
  • xapjy.org


Payload

Downloads other malware

The trojan connects to remote servers, known as command and control (C&C) servers. When connected, it tries to download data that tells it what files to download or actions to take.

Some of the C&C domains known to be used by this trojan include:

  • gerrardinokelseysullivanudosk..com/cpu_32.zip
  • katherinemilestribonchi..com/cpu_32.zip
  • lambertfosterhumbertlombo..com/cpu_32.zip
  • wimariahlynchebiaonto..com/cpu_32.zip


Uses your PC for click fraud

This variant uses your PC's internet connection to perform click fraud. The MMPC blog "Another way Microsoft is disrupting the malware ecosystem" explains what click fraud is and how malware can use your PC to do it.

We have seen Sefnit using the 3proxy service to proxy HTTP traffic to emulate a user browsing the Internet and clicking on advertisements.

Uses your PC for Litecoin mining

Some versions of this threat use your PC to mine Litecoin. Litecoin is a cryptocurrency similar to Bitcoin. Side effects may include slower computer performance, hardware degradation, and higher power consumption.

Additional information

This variant of the Sefnit family is known to use the SSH client provided by PuTTY as its C&C communication channel. In some cases, outgoing SSH connections on port 443 to one of the following C&C servers are expected:

  • albfznc.su
  • dmzhor.com
  • gonjk.su
  • gxedw.net
  • metfsy.org
  • pubzat.com
  • ralwze.net
  • xapjy.org

Symptoms

The following could indicate that you have this threat on your PC:

  • You have some of these files:
    • %APPDATA%\microsoft\applicationmanager\rundll32.dll
    • %APPDATA%\microsoft\applicationmanager\startup_module.dll
    • %APPDATA%\updater\updater.dll
    • %APPDATA%\updater\updater_task.dll
    • \dfrg\mst.exe
    • \dfrg\reg_util.exe
    • \dfrg\stub.exe
    • \dfrg\svc.exe
    • \themes.dll
    • \winthemes.dll
    • \winthemes_service.dll
  • You may see an outgoing SSH connection from the PC using port 443.
  • Your computer performance may be slow due to Litecoin mining.
  • You see the service "Windows Themes" running.
  • You see this entry or key in your registry:

    In subkey: HKLM\SYSTEM\CurrentControlSet\Services\winthemes
    Sets value: "ImagePath"
    With data: "C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\winthemes_service.dll,init_service"
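The symptoms above can be checked in one pass from an elevated PowerShell prompt. The script below is an added example and is not code from Microsoft or from this page; it only reads files, registry keys, process information and the DNS cache, and changes nothing. It assumes Windows PowerShell 5.1 or later (Get-NetTCPConnection and Get-DnsClientCache need Windows 8 / Server 2012 or later). Because the page does not give the parent directory for the \dfrg\*.exe and the themes/winthemes DLLs, those names are searched under a few assumed roots ($SearchRoots). The Find-Rundll32Services function goes beyond the write-up: it lists every service whose ImagePath is a rundll32.exe command loading a DLL export, the same persistence shape as the "Windows Themes" service, so it can surface variants that use a different service name.

```powershell
# Added example: read-only triage sweep for the Trojan:Win32/Sefnit.BY indicators.
# Not from the Microsoft write-up. Run elevated so HKLM service keys and other
# users' processes are readable. Nothing is deleted or modified.

# Full paths the page gives under %APPDATA%.
$KnownPaths = @(
    "$env:APPDATA\microsoft\applicationmanager\rundll32.dll",
    "$env:APPDATA\microsoft\applicationmanager\startup_module.dll",
    "$env:APPDATA\updater\updater.dll",
    "$env:APPDATA\updater\updater_task.dll"
)
# The page omits the parent directory for these, so they are searched by name.
$LooseNames  = @('mst.exe', 'reg_util.exe', 'stub.exe', 'svc.exe',
                 'themes.dll', 'winthemes.dll', 'winthemes_service.dll')
# Assumed search roots (not from the page).
$SearchRoots = @($env:APPDATA, $env:LOCALAPPDATA, $env:ProgramData, "$env:SystemRoot\system32")
# C&C domains the page lists for the SSH-over-443 channel.
$SshDomains  = @('albfznc.su', 'dmzhor.com', 'gonjk.su', 'gxedw.net',
                 'metfsy.org', 'pubzat.com', 'ralwze.net', 'xapjy.org')

function Find-SefnitFiles {
    # Returns every listed path that exists; an empty result is the clean case.
    $hits = @($KnownPaths | Where-Object { Test-Path -LiteralPath $_ })
    foreach ($root in $SearchRoots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        # The .exe names only count when they sit in a folder named "dfrg", as on the page.
        $hits += @(Get-ChildItem -LiteralPath $root -Recurse -Depth 3 -File -Include $LooseNames -ErrorAction SilentlyContinue |
                   Where-Object { $_.Extension -eq '.dll' -or $_.Directory.Name -eq 'dfrg' } |
                   Select-Object -ExpandProperty FullName)
    }
    return $hits
}

function Test-SefnitService {
    # Reads the "winthemes" service key and compares it with the values documented above.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\winthemes'
    if (-not (Test-Path -LiteralPath $key)) { return $null }
    $p = Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Key            = $key
        DisplayName    = $p.DisplayName
        ImagePath      = $p.ImagePath
        ObjectName     = $p.ObjectName
        MatchesWriteup = ($p.DisplayName -eq 'Windows Themes') -and
                         ($p.ImagePath -match '(?i)rundll32\.exe\s+.*winthemes_service\.dll,init_service')
        Running        = [bool](Get-Service -Name winthemes -ErrorAction SilentlyContinue |
                                Where-Object Status -eq 'Running')
    }
}

function Find-Rundll32Services {
    # Generalisation: any service whose ImagePath is rundll32 loading "<dll>,<export>".
    # Legitimate services rarely look like this, so every row deserves review.
    Get-ChildItem -LiteralPath 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
        ForEach-Object { $_ | Get-ItemProperty -ErrorAction SilentlyContinue } |
        Where-Object { $_.ImagePath -match '(?i)rundll32(\.exe)?\s+\S+\.dll\s*,\s*\w+' } |
        Select-Object PSChildName, DisplayName, ImagePath
}

function Find-SefnitNetwork {
    # Port 443 alone cannot separate SSH from TLS, so the owning process is the
    # discriminator: rundll32.exe or any image running from %APPDATA%.
    # The DNS cache is also matched against the listed C&C domains.
    $conns = Get-NetTCPConnection -RemotePort 443 -State Established -ErrorAction SilentlyContinue |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                RemoteAddress = $_.RemoteAddress
                Pid           = $_.OwningProcess
                Process       = $proc.ProcessName
                Path          = $proc.Path
            }
        } |
        Where-Object { $_.Process -eq 'rundll32' -or
                       ($_.Path -and $_.Path.StartsWith($env:APPDATA, 'OrdinalIgnoreCase')) }
    $dns = Get-DnsClientCache -ErrorAction SilentlyContinue |
        Where-Object { $SshDomains -contains $_.Entry } |
        Select-Object Entry, Data
    [pscustomobject]@{ Connections = @($conns); DnsHits = @($dns) }
}

# Report. Any non-empty section should be compared with the write-up before acting on it.
$files   = @(Find-SefnitFiles)
$service = Test-SefnitService
$rundll  = @(Find-Rundll32Services)
$net     = Find-SefnitNetwork

"Files matching the write-up: $($files.Count)"; $files
"winthemes service key present: $($null -ne $service)"; $service | Format-List
"Services hosted by rundll32.exe (review each): $($rundll.Count)"; $rundll | Format-Table -AutoSize
"Port-443 connections from rundll32 or %APPDATA% images:"; $net.Connections | Format-Table -AutoSize
"DNS cache entries for listed C&C domains:"; $net.DnsHits | Format-Table -AutoSize
```

A match in the file or service sections is a strong signal because those values are taken verbatim from the write-up; the rundll32 service enumeration and the port-443 process filter are broader heuristics, so treat their hits as leads to examine rather than confirmations.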

Last update 23 April 2014
