Trojan:Win64/Sirefef.AB
First posted on 08 August 2012.
Source: Microsoft
Aliases:
Trojan:Win64/Sirefef.AB is also known as Trojan/Win32.Zapchast (AhnLab), Trojan.Sirefef.HL (BitDefender), Mal/ZAccess-CA (Sophos), TROJ_SIREFEF.WM (Trend Micro).
Explanation:
Trojan:Win64/Sirefef.AB is a component of the Sirefef multi-platform rootkit. Sirefef is a multi-component malware family that modifies search results when you search the Internet and generates pay-per-click advertising revenue for its controllers. This particular component clicks on links supplied by a remote attacker to generate that revenue.
Installation
Trojan:Win64/Sirefef.AB may be dropped by other malware, such as Trojan:Win32/Sirefef.P or Backdoor:Win32/Smadow.gen!B.
When run, it creates the following hidden folders:
- %AppData%\{random GUID}
- %AppData%\{random GUID}\L
- %AppData%\{random GUID}\U
It also creates the following files within these hidden folders:
- %AppData%\{random GUID}\@
- %AppData%\{random GUID}\n
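The folder and file names above are a usable host indicator: a GUID-named folder directly under %AppData% that holds subfolders L and U and files @ and n is not something a normal application creates. The following checker is an added example written for this page, not Microsoft's code; it walks a given directory (by default %APPDATA%), matches GUID-shaped folder names, and reports any that contain that layout. The sample tree it builds under a temporary directory is constructed for the demo and contains no real malware artefacts; the GUID values in it are made up.

```python
import os
import re
import tempfile

# GUID-shaped directory name, e.g. {0E3A7C4E-8C5B-4D6A-9C1B-5F3A2E7D1B9C}
_GUID_DIR = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")

# Names the page lists inside the GUID folder: subfolders L and U, files @ and n
EXPECTED_DIRS = {"L", "U"}
EXPECTED_FILES = {"@", "n"}


def scan_appdata(appdata):
    """Return a list of (path, found_names) for GUID-named folders under
    `appdata` that contain the Sirefef.AB layout from the page.

    os.listdir() returns hidden entries too, so the 'hidden' attribute the
    malware sets does not conceal the folder from this check. A folder is
    reported when at least one expected subfolder and one expected file are
    present, so a partially cleaned install still shows up."""
    hits = []
    try:
        entries = os.listdir(appdata)
    except OSError:
        return hits
    for name in entries:
        if not _GUID_DIR.match(name):
            continue
        path = os.path.join(appdata, name)
        if not os.path.isdir(path):
            continue
        found_dirs = {n for n in EXPECTED_DIRS if os.path.isdir(os.path.join(path, n))}
        found_files = {n for n in EXPECTED_FILES if os.path.isfile(os.path.join(path, n))}
        if found_dirs and found_files:
            hits.append((path, sorted(found_dirs | found_files)))
    return hits


def build_sample_tree(root):
    """Constructed demo tree (not real malware): one benign GUID folder that
    only holds a settings file, and one that mirrors the layout from the page.
    Returns the name of the folder that should be flagged."""
    benign = os.path.join(root, "{11111111-2222-3333-4444-555555555555}")
    os.makedirs(benign)
    open(os.path.join(benign, "settings.ini"), "w").close()

    infected_name = "{0E3A7C4E-8C5B-4D6A-9C1B-5F3A2E7D1B9C}"  # made-up GUID
    infected = os.path.join(root, infected_name)
    os.makedirs(os.path.join(infected, "L"))
    os.makedirs(os.path.join(infected, "U"))
    open(os.path.join(infected, "@"), "w").close()
    open(os.path.join(infected, "n"), "w").close()
    return infected_name


def demo():
    """Build the constructed tree in a temp dir, scan it, and return the hits
    as (folder name, found names) so the result is path-independent."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return [(os.path.basename(p), names) for p, names in scan_appdata(root)]


if __name__ == "__main__":
    # Real run: check the current user's %APPDATA% when it exists.
    appdata = os.environ.get("APPDATA")
    if appdata:
        for path, names in scan_appdata(appdata):
            print("suspicious Sirefef-style folder:", path, names)
    print("demo:", demo())
```

The demo reports only the second GUID folder, because the benign one has a GUID name but none of the listed contents. Run the module on a machine and it checks the real %APPDATA% as well.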
Payload
Clicks on links to generate revenue for a remote operator
Trojan:Win64/Sirefef.AB runs the following HTTP GET query:
GET /<number>?w=<bot ID>&i=%u&v=2.2 HTTP/1.0
Host: <domain name>.cn
User-Agent: <default user agent>
where <number> is a random number, <bot ID> is the identifier the Sirefef family assigns to the infected computer, and <domain name> is calculated by a Sirefef-specific domain generation algorithm (DGA), so the host changes on a daily basis. The script returned by the host generates clicks on certain links, which earn pay-per-click revenue for the operators.
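The request shape above (a numeric path, the exact query parameters w, i and v=2.2, HTTP/1.0, and a .cn host) is specific enough to hunt for in proxy or web logs even though the DGA itself is not published. The detector below is an added example written for this page, not Microsoft's analysis code. It assumes that `%u` in the captured string is a C printf-style placeholder and therefore appears as a decimal integer in live traffic (the literal is accepted as well), that the bot ID contains no `&` or whitespace (the page does not give its format), and a constructed log format of `<timestamp> <src ip> <method> <path> <version> host=<Host header>`; the sample lines and the `dga-placeholder-N.cn` hosts are made up for the demo and are not real Sirefef domains.

```python
import re

# Request shape from the page: GET /<number>?w=<bot ID>&i=%u&v=2.2 HTTP/1.0
# to a .cn host. "%u" is a C printf specifier, so live traffic carries a
# decimal integer there; the literal is accepted in case a log preserved it.
# Assumption: the bot ID contains no '&' or whitespace.
_BEACON_PATH = re.compile(
    r"^/(?P<num>\d+)\?w=(?P<bot>[^&\s]+)&i=(?P<i>\d+|%u)&v=2\.2$"
)
_CN_HOST = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)*\.cn$", re.IGNORECASE)

# Constructed log format for this example (not a real proxy format):
# <timestamp> <src ip> <method> <path> <http version> host=<Host header>
_LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<path>\S+) "
    r"(?P<version>HTTP/\d\.\d) host=(?P<host>\S+)$"
)

# Constructed sample log: two beacons from one client to two different
# placeholder .cn hosts (the host changes daily), plus two benign requests,
# one of which also carries v=2.2 and a .cn host but not the full shape.
SAMPLE_LOG = """\
2012-08-08T10:01:02Z 10.0.0.15 GET /8813724?w=1a2b3c4d5e6f7081&i=41&v=2.2 HTTP/1.0 host=dga-placeholder-1.cn
2012-08-08T10:01:05Z 10.0.0.15 GET /index.html HTTP/1.1 host=www.example.com
2012-08-08T10:01:09Z 10.0.0.22 GET /search?q=win64&v=2.2 HTTP/1.1 host=www.example.cn
2012-08-09T09:47:40Z 10.0.0.15 GET /55017?w=1a2b3c4d5e6f7081&i=42&v=2.2 HTTP/1.0 host=dga-placeholder-2.cn
"""


def match_beacon(host, path, version):
    """Return the beacon's fields if (host, path, version) matches the
    Sirefef.AB click-fraud request, else None.

    HTTP/1.0 on its own is a weak signal (old tools still send it), so it
    is only used together with the exact query shape and the .cn host,
    both of which come from the page's capture."""
    if version != "HTTP/1.0" or not _CN_HOST.match(host):
        return None
    m = _BEACON_PATH.match(path)
    if not m:
        return None
    return {
        "host": host,
        "number": m.group("num"),
        "bot_id": m.group("bot"),
        "i": m.group("i"),
    }


def scan_log(lines):
    """Parse constructed log lines and return one hit dict per beacon,
    carrying timestamp and source address alongside the request fields."""
    hits = []
    for line in lines:
        m = _LOG_LINE.match(line)
        if not m or m.group("method") != "GET":
            continue
        hit = match_beacon(m.group("host"), m.group("path"), m.group("version"))
        if hit:
            hit.update(ts=m.group("ts"), src=m.group("src"))
            hits.append(hit)
    return hits


def summarize(hits):
    """Map bot ID -> sorted distinct hosts. One bot ID seen against several
    .cn hosts across days corroborates the daily-changing DGA behaviour."""
    by_bot = {}
    for h in hits:
        by_bot.setdefault(h["bot_id"], set()).add(h["host"])
    return {bot: sorted(hosts) for bot, hosts in by_bot.items()}


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG.splitlines())
    for h in found:
        print(h["ts"], h["src"], "->", h["host"], "bot", h["bot_id"])
    print(summarize(found))
```

On the sample log only the two HTTP/1.0 requests with the full `w=`/`i=`/`v=2.2` query match; the `/search?q=win64&v=2.2` line to a .cn host is ignored because it lacks the numeric path, the `w=` and `i=` parameters and HTTP/1.0. Because the bot ID is constant per machine while the host changes, pivoting on `w=` across days is the quickest way to tie the scattered DGA hosts back to one infected client.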
Analysis by Sergey Chernyshev
Last update 08 August 2012