
Virus:Win64/Sirefef.A


First posted on 15 November 2012.
Source: Microsoft

Aliases:

Virus:Win64/Sirefef.A is also known as PTCH64_SIREFEF.A (Trend Micro), W64/Sirefef.K (Command), Win-Trojan/Sirefef.329216.B (AhnLab).

Explanation:

Virus:Win64/Sirefef.A is a component of the Sirefef malware family. Sirefef modifies search results and generates pay-per-click advertising revenue for its controllers. The family consists of multiple parts that perform different functions, such as downloading updates and additional components, hiding existing components, or performing the main payload.

Virus:Win64/Sirefef.A launches an additional Sirefef component and is itself created by another Sirefef component, Trojan:Win32/Sirefef.P.



Installation

Trojan:Win32/Sirefef.P modifies the Windows system file "<system folder>\services.exe" with malicious code. This modified version of "services.exe" is detected as Virus:Win64/Sirefef.A.

Note: <system folder> refers to a variable location that is determined by the malware by querying the operating system. The default installation location for the System folder for Windows 2000 and NT is "C:\WinNT\System32"; and for XP, Vista, 7, and 8 it is "C:\Windows\System32".

"Services.exe" is used by Windows during the normal operation of your computer; however, when Windows loads the file after it has been modified by Trojan:Win32/Sirefef.P, the following hidden files are created:

  • %APPDATA%\{GUID}
  • %APPDATA%\{GUID}\L
  • %APPDATA%\{GUID}\U


The following files, which are used by other components of a Sirefef infection, are also created:

  • %APPDATA%\{GUID}\@
  • %APPDATA%\{GUID}\n


where {GUID} is a 32-digit hexadecimal number.

Note: %APPDATA% refers to a variable location that is determined by the malware by querying the operating system. The default location for the Application Data folder for Windows 2000, XP, and 2003 is "C:\Documents and Settings\<user>\Application Data". For Windows Vista and 7, the default location is "C:\Users\<user>\AppData\Roaming".
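The drop layout described above (a folder under %APPDATA% named as a 32-digit hexadecimal GUID, holding entries named L, U, @ and n) is specific enough to look for on a host. The scanner below is an added example written for this page, not Microsoft's own tooling or detection logic: it walks the direct subfolders of an Application Data path, flags any whose name matches the 32-hex-digit pattern (braces around the GUID are accepted as an assumption, since the page does not say whether they are present) and which contains at least one of the listed marker names, and reports which markers were found. The sample directory tree it builds is constructed for the demonstration and contains no real indicator values; L and U are created there as directories and @ and n as empty files, but the scanner only tests for existence, so the distinction does not affect the result.

```python
import os
import re
import tempfile
from pathlib import Path

# Sirefef drops a folder named as a 32-digit hexadecimal "GUID" under %APPDATA%.
# Optional surrounding braces are an assumption; the page only says "32-digit hexadecimal number".
GUID_RE = re.compile(r"^\{?[0-9A-Fa-f]{32}\}?$")

# Entries the page lists inside that folder: L and U are created when the patched
# services.exe runs, @ and n are used by other Sirefef components.
SIREFEF_MARKERS = {"L", "U", "@", "n"}


def scan_appdata(appdata: str) -> list[dict]:
    """Return one finding per direct subfolder of `appdata` whose name looks like a
    32-hex-digit GUID and which contains at least one of the marker entries.

    Each finding is {"path": <folder>, "markers": <sorted list of marker names found>}.
    Hidden entries are still returned by Path.iterdir(), so the "hidden" attribute
    the page mentions does not stop the scan from seeing them.
    """
    findings = []
    root = Path(appdata)
    if not root.is_dir():
        return findings
    for entry in root.iterdir():
        if not entry.is_dir() or not GUID_RE.match(entry.name):
            continue
        present = sorted(m for m in SIREFEF_MARKERS if (entry / m).exists())
        if present:
            findings.append({"path": str(entry), "markers": present})
    return findings


def build_sample_tree() -> str:
    """Construct a throwaway directory tree mimicking the page's layout.

    This is sample data for the demonstration, not an artifact from a real infection.
    """
    base = tempfile.mkdtemp(prefix="sirefef_demo_")
    guid = "0123456789abcdef0123456789abcdef"  # constructed placeholder, not a real IoC
    drop = Path(base) / guid
    (drop / "L").mkdir(parents=True)
    (drop / "U").mkdir()
    (drop / "@").write_bytes(b"")
    (drop / "n").write_bytes(b"")
    # A legitimate-looking folder that must not be flagged.
    (Path(base) / "Microsoft" / "Windows").mkdir(parents=True)
    # A GUID-shaped folder with none of the marker entries: also not flagged.
    (Path(base) / "ffffffffffffffffffffffffffffffff").mkdir()
    return base


if __name__ == "__main__":
    # On a Windows host, point the scanner at the real roaming Application Data folder;
    # elsewhere, fall back to the constructed sample tree so the script still runs.
    target = os.environ.get("APPDATA") or build_sample_tree()
    for finding in scan_appdata(target):
        print(f"Sirefef-like drop folder: {finding['path']} (markers: {finding['markers']})")
```

A match on this layout alone is an indicator, not a verdict; pair it with a check that the copy of services.exe in the System folder still carries a valid Microsoft Authenticode signature (for example with PowerShell's Get-AuthenticodeSignature), since the page states that the patched services.exe is what creates the L and U entries in the first place.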



Payload

Loads another Sirefef component

Virus:Win64/Sirefef.A loads Trojan:Win64/Sirefef.Y, a trojan that assists in delivering the Sirefef family's payload, which moderates your Internet experience and uses your computer's resources to generate revenue for its authors.

For more information about Sirefef, please see the Win32/Sirefef family description.

Related encyclopedia entries

Win32/Sirefef

Trojan:Win32/Sirefef.P

Trojan:Win64/Sirefef.Y



Analysis by Sergey Chernyshev

Last update 15 November 2012
