Trojan:Win64/Sirefef.AA
First posted on 18 July 2012.
Source: Microsoft
Aliases:
Trojan:Win64/Sirefef.AA is also known as Backdoor.Win32.ZAccess.tzm (Kaspersky), Win64/Sirefef.AN trojan (ESET), ZeroAccess (McAfee), Mal/ZAccess-CA (Sophos), TROJ_SIREFEF.UP (Trend Micro).
Explanation:
Trojan:Win64/Sirefef.AA is a user-mode component of the Sirefef malware family and runs on the 64-bit version of Windows. Sirefef is a multi-component family whose parts perform different functions, such as downloading updates and additional Sirefef components, hiding existing Sirefef components, or delivering a payload. This malware interferes with your Internet browsing by changing search results, generating pay-per-click advertising revenue for the malware controllers.
Installation
Trojan:Win64/Sirefef.AA is installed and executed by other variants of Sirefef and may have the file name "<numbers>.@", for example, "80000064.@".
It may create the mutex "Global\197A8FD4-6D77-4B12-814A-0875ECC1993B" to ensure that only one instance of itself is running.
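The two host-based indicators above (the "<numbers>.@" file name and the named mutex) can be checked from a defender's side. The following script is an added example, not part of the original description; it assumes decimal digits for "<numbers>", uses a constructed sample directory for the demo, and performs the mutex check only when run on Windows.

```python
import os
import re
import sys
import tempfile
from pathlib import Path
from typing import List, Optional

# Indicators taken from the Sirefef.AA description.
SIREFEF_MUTEX = r"Global\197A8FD4-6D77-4B12-814A-0875ECC1993B"
# Dropped component name is "<numbers>.@", e.g. "80000064.@" (assumed decimal digits).
SIREFEF_NAME_RE = re.compile(r"^[0-9]+\.@$")


def is_sirefef_component_name(name: str) -> bool:
    """True if a file name follows the '<numbers>.@' pattern."""
    return bool(SIREFEF_NAME_RE.match(name))


def find_suspicious_files(root: Path) -> List[Path]:
    """Walk 'root' recursively and return every file whose name matches the pattern."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        hits.extend(Path(dirpath) / f for f in files if is_sirefef_component_name(f))
    return sorted(hits)


def mutex_exists(name: str) -> Optional[bool]:
    """Windows only: report whether a named mutex is currently held by any process.
    ACCESS_DENIED still means the object exists. Returns None on other platforms."""
    if sys.platform != "win32":
        return None
    import ctypes
    from ctypes import wintypes
    SYNCHRONIZE, ERROR_ACCESS_DENIED = 0x00100000, 5
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.OpenMutexW.argtypes = (wintypes.DWORD, wintypes.BOOL, wintypes.LPCWSTR)
    k32.OpenMutexW.restype = wintypes.HANDLE
    handle = k32.OpenMutexW(SYNCHRONIZE, False, name)
    if handle:
        k32.CloseHandle(handle)
        return True
    return ctypes.get_last_error() == ERROR_ACCESS_DENIED


def run_demo() -> List[str]:
    """Build a constructed sample tree in a temp dir and return the matched file names."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "sub").mkdir()
        for rel in ("80000064.@", "sub/12.@", "notes.txt", "abc.@", "80000064.@x"):
            (root / rel).write_bytes(b"")  # constructed, empty sample files
        return sorted(p.name for p in find_suspicious_files(root))


if __name__ == "__main__":
    print("matched names:", run_demo())
    print("mutex present:", mutex_exists(SIREFEF_MUTEX))
```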
Payload
Restarts the computer
Trojan:Win64/Sirefef.AA may turn the computer off, requiring you to manually turn it back on, by setting the power state to "POWER_STATE_CRITICAL". This is known as a "cold boot".
Redirects search results
Trojan:Win64/Sirefef.AA redirects results for searches conducted using the following websites:
- ask.com
- bing.com
- google.*
- search.icq.com
- search.yahoo.*
where * is any top level domain such as ".com", ".co.uk", or ".ca".
It may redirect search results to certain domains, which may contain malicious content.
Additional information
For more information, read the Win32/Sirefef family description.
Analysis by Andrei Florin Saygo
Last update 18 July 2012