Home / malwarePDF  

Trojan:Win64/Sirefef.K


First posted on 10 January 2012.
Source: Microsoft

Aliases :

Trojan:Win64/Sirefef.K is also known as BackDoor.Maxplus.612 (Dr.Web), Win64/Sirefef.O (ESET), TROJ_SIREFEF.GZ (Trend Micro).

Explanation :

Trojan:Win64/Sirefef.K is the 64-bit user-mode component of Win32/Sirefef - a multi-component family of malware that moderates an affected user's Internet experience by modifying search results, and generating pay-per-click advertising revenue for its controllers. The family consists of multiple parts that perform different functions, such as downloading updates and additional components, hiding existing components or performing a payload.


Top

Trojan:Win64/Sirefef.K is the 64-bit user-mode component of Win32/Sirefef - a multi-component family of malware that moderates an affected user's Internet experience by modifying search results, and generating pay-per-click advertising revenue for its controllers. The family consists of multiple parts that perform different functions, such as downloading updates and additional components, hiding existing components or performing a payload.



Installation

Trojan:Win64/Sirefef.K is installed and executed by other variants of Win32/Sirefef and may be present as a file named "800000cf.@".



Payload

Communicates with remote servers
Trojan:Win64/Sirefef.K generates traffic and communicates with certain websites without user knowledge. The trojan sends specially crafted HTTP GET requests to a remote server as in the following examples:

  • <remote server>/p/task2.php?w=<data string>&i=<data string>&n=<data string>
  • <remote server>/new/links.php?w=<data string>&n=<data string>


Each request contains an identifier taken from the affected computer and <remote server> is a remote server whose name is calculated based on the current calendar date. Trojan:Win64/Sirefef.K may respond with different actions depending on the response from the malicious web server, such as redirect the browser to certain websites or other actions.



Analysis by Jireh Sanico

Last update 10 January 2012

 

TOP