Virus:Win64/Sirefef.B
First posted on 08 August 2012.
Source: Microsoft
Aliases:
Virus:Win64/Sirefef.B is also known as Virus.Win64.ZAccess.b (Kaspersky), ZAccess.KZJ (Norman), W32/Patched.UA (Avira), Win64/Patched.B.Gen trojan (ESET), Virus.Win64 (Ikarus), ZeroAccess.ds.gen.d (McAfee), Troj/ZAccInf-B (Sophos), Trojan.Patchep!sys (Symantec), PTCH_SIREFEF.PTC (Trend Micro).
Explanation:
Virus:Win64/Sirefef.B is a component of the multi-platform Sirefef rootkit. This detection applies to an infected copy of the Windows file "services.exe". Sirefef is a multi-component malware family that modifies the results returned by Internet searches.
Installation
Virus:Win64/Sirefef.B is created by the multi-platform dropper Trojan:Win32/Sirefef.P. During infection, Trojan:Win32/Sirefef.P overwrites the "ScRegisterTCPEndpoint" function inside "services.exe" with the Virus:Win64/Sirefef.B code, so the infected file keeps its original name and is not a separately dropped binary.
When run, it creates the following hidden folders:
- %AppData%\{random GUID}
- %AppData%\{random GUID}\L
- %AppData%\{random GUID}\U
It also creates the following files in the top-level "{random GUID}" folder:
- %AppData%\{random GUID}\@
- %AppData%\{random GUID}\n
where GUID is a 32-digit hexadecimal number.
Payload
Executes another Sirefef component
Virus:Win64/Sirefef.B transfers control to another Sirefef component that is stored in an NTFS extended attribute of "services.exe" rather than as a separate file on disk. That component is detected as Trojan:Win64/Sirefef.Y.
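The installation artifacts listed above and the extended-attribute storage described under Payload can both be checked from disk. The following triage script is an added example, not part of this Microsoft write-up and not code from the malware or its analysis. It scans an AppData root for GUID-named directories that contain the "@", "n", "L" and "U" artifacts, and on Windows reads the size of the NTFS extended attributes on a file through NtQueryInformationFile(FileEaInformation); a clean services.exe has no extended attributes, so a non-zero size on it is worth investigating. Assumptions: the GUID directory name is accepted either as a bare 32-digit hex string or in the braced, hyphenated form; build_sample_tree() creates a constructed fixture that contains no malware; ntfs_ea_size() is Windows-only and uses information class 7 (FileEaInformation).

```python
"""Disk triage for the Sirefef artifacts described on this page (added example)."""
import os
import re
import sys
import tempfile

# The dropper names its folder "{random GUID}"; the page gives the GUID as a
# 32-digit hex number. Assumption: both the bare 32-hex form and the braced,
# hyphenated form count as a match.
GUID_DIR = re.compile(
    r"^\{?[0-9a-fA-F]{8}-?[0-9a-fA-F]{4}-?[0-9a-fA-F]{4}-?[0-9a-fA-F]{4}-?[0-9a-fA-F]{12}\}?$"
)
EXPECTED_DIRS = {"L", "U"}    # hidden sub-folders listed under Installation
EXPECTED_FILES = {"@", "n"}   # files created in the top-level GUID folder


def scan_appdata(appdata_root):
    """Return [(path, dirs, files)] for each GUID-named directory directly under
    appdata_root that holds at least one of the expected artifacts."""
    hits = []
    try:
        names = os.listdir(appdata_root)
    except OSError:
        return hits
    for name in names:
        path = os.path.join(appdata_root, name)
        if not GUID_DIR.match(name) or not os.path.isdir(path):
            continue
        try:
            entries = set(os.listdir(path))
        except OSError:
            continue
        dirs = sorted(e for e in entries & EXPECTED_DIRS if os.path.isdir(os.path.join(path, e)))
        files = sorted(e for e in entries & EXPECTED_FILES if os.path.isfile(os.path.join(path, e)))
        if dirs or files:
            hits.append((path, dirs, files))
    return hits


def ntfs_ea_size(path):
    """Windows only: byte size of the NTFS extended attributes ($EA) on path, read
    with NtQueryInformationFile(FileEaInformation). A clean services.exe has none."""
    if sys.platform != "win32":
        raise OSError("NTFS extended attributes can only be queried on Windows")
    import ctypes
    import msvcrt
    from ctypes import wintypes

    class IO_STATUS_BLOCK(ctypes.Structure):   # Status/Pointer union collapsed to one pointer
        _fields_ = [("Status", ctypes.c_void_p), ("Information", ctypes.c_void_p)]

    class FILE_EA_INFORMATION(ctypes.Structure):
        _fields_ = [("EaSize", wintypes.ULONG)]

    FILE_EA_INFORMATION_CLASS = 7              # FileEaInformation
    ntdll = ctypes.WinDLL("ntdll")
    ntdll.NtQueryInformationFile.restype = ctypes.c_long   # NTSTATUS
    fd = os.open(path, os.O_RDONLY | os.O_BINARY)
    try:
        iosb, info = IO_STATUS_BLOCK(), FILE_EA_INFORMATION()
        status = ntdll.NtQueryInformationFile(
            wintypes.HANDLE(msvcrt.get_osfhandle(fd)), ctypes.byref(iosb),
            ctypes.byref(info), ctypes.sizeof(info), FILE_EA_INFORMATION_CLASS)
    finally:
        os.close(fd)
    if status < 0:
        raise OSError("NtQueryInformationFile failed, NTSTATUS 0x%08x" % (status & 0xFFFFFFFF))
    return info.EaSize


def build_sample_tree(root):
    """Constructed fixture, not real malware: one Sirefef-style layout plus two
    benign directories (a GUID-shaped but empty one, and a normal vendor one)."""
    bad = os.path.join(root, "{12345678-1234-1234-1234-123456789abc}")
    for sub in EXPECTED_DIRS:
        os.makedirs(os.path.join(bad, sub))
    for name in EXPECTED_FILES:
        with open(os.path.join(bad, name), "wb") as fh:
            fh.write(b"\x00" * 16)
    os.makedirs(os.path.join(root, "0123456789abcdef0123456789abcdef"))
    os.makedirs(os.path.join(root, "Microsoft", "Windows"))
    return bad


def run_demo():
    """Scan the constructed tree; returns hits with paths relative to the root."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return [(os.path.relpath(p, root), d, f) for p, d, f in scan_appdata(root)]


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else os.environ.get("APPDATA")
    hits = scan_appdata(root) if root else run_demo()
    for path, dirs, files in hits:
        print("Sirefef-style layout: %s dirs=%s files=%s" % (path, dirs, files))
    if sys.platform == "win32":
        svc = os.path.join(os.environ["SystemRoot"], "System32", "services.exe")
        print("extended-attribute bytes on %s: %d" % (svc, ntfs_ea_size(svc)))
```

Run it with a 64-bit interpreter on Windows so that System32 is not redirected by WOW64; with no argument it scans %AppData% and reports the extended-attribute size of the live services.exe, and on other platforms it only runs the constructed demo tree. A directory hit or a non-zero extended-attribute size is an indicator to follow up with a hash comparison against a known-clean services.exe, not a verdict on its own.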
Analysis by Sergey Chernyshev
Last update 08 August 2012