
TrojanDropper:Win32/Sirefef.A!dll


First posted on 16 July 2013.
Source: Microsoft

Aliases :

TrojanDropper:Win32/Sirefef.A!dll is also known as Trojan.Dropper.Kobcka.Gen.1 (BitDefender), Trojan.Crot (Dr.Web), Win32/Agent.QEG (ESET), Trojan.Win32.Sirefef (Ikarus), Trojan.Win32.Crot.bd (Kaspersky), Mal/Crot-A (Sophos), Trojan.Win32.Crot.i (Sunbelt Software), Trojan.Pandex (Symantec), Trojan.Crot.K (VirusBuster).

Explanation :



TrojanDropper:Win32/Sirefef.A!dll is a trojan component of Win32/Sirefef.A that installs a kernel-mode rootkit driver detected as Trojan:WinNT/Sirefef.A. The rootkit driver is used by Win32/Sirefef to protect files from being accessed and to map executable files into other processes.

Installation

TrojanDropper:Win32/Sirefef.A!dll is installed by TrojanDropper:Win32/Sirefef.A and may be present as the following:

<system folder>\eventlog.dll

Note - <system folder> refers to a variable location that is determined by the malware by querying the operating system. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; for XP and Vista it is C:\Windows\System32.

TrojanDropper:Win32/Sirefef.A!dll runs within the already running processes "smss.exe" and "winlogon.exe".

Payload

Installs Trojan:WinNT/Sirefef.A

TrojanDropper:Win32/Sirefef.A!dll installs trojan components as Alternate Data Stream (ADS) files, as in the following examples:

%SystemRoot%\win32k.sys:1
%SystemRoot%\win32k.sys:2

The dropped components are then loaded into memory to protect Trojan:Win32/Sirefef.A and to map executable files into other processes.

Additional Information

For more information about Trojan:Win32/Sirefef.A, see the description elsewhere in the encyclopedia.
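A defender's check for the two on-disk artefacts this entry names, added here as an example and not part of the Microsoft description: it enumerates alternate data streams on %SystemRoot%\win32k.sys and reports the Authenticode status and SHA-256 of <system folder>\eventlog.dll. The paths come from the entry above; the signature and hash checks are this example's own addition, and it assumes Windows PowerShell 4.0 or later (for Get-Item -Stream and Get-FileHash).

```powershell
# Added example, not part of the Microsoft description. Paths come from
# the entry above; the signature/hash checks are this example's own idea.
# Requires Windows PowerShell 4.0+ (Get-Item -Stream, Get-FileHash).
function Test-SirefefArtifacts {
    $findings = @()

    # 1. The entry lists the dropped components as alternate data streams
    #    on %SystemRoot%\win32k.sys (":1" and ":2"). A file normally has
    #    only its unnamed ':$DATA' stream, so any other stream is suspect.
    $sys = Join-Path $env:SystemRoot 'win32k.sys'
    if (Test-Path -LiteralPath $sys) {
        $ads = Get-Item -LiteralPath $sys -Stream * |
               Where-Object { $_.Stream -ne ':$DATA' }
        foreach ($s in $ads) {
            $findings += "ADS found: ${sys}:$($s.Stream) ($($s.Length) bytes)"
        }
    }

    # 2. The dropper DLL is described as <system folder>\eventlog.dll.
    #    Report its Authenticode status and SHA-256 so an analyst can compare
    #    against a known-good system. Caveat: Windows system binaries are
    #    often catalog-signed, so 'NotSigned' alone is a lead, not a verdict.
    $dll = Join-Path ([Environment]::SystemDirectory) 'eventlog.dll'
    if (Test-Path -LiteralPath $dll) {
        $sig  = Get-AuthenticodeSignature -LiteralPath $dll
        $hash = (Get-FileHash -LiteralPath $dll -Algorithm SHA256).Hash
        if ($sig.Status -ne 'Valid') {
            $findings += "eventlog.dll signature status $($sig.Status); SHA256 $hash"
        }
    }

    # Return the findings so the function can feed a larger host sweep.
    return $findings
}

$result = @(Test-SirefefArtifacts)
if ($result.Count -eq 0) {
    Write-Output 'No Sirefef.A!dll artefacts at the documented locations.'
} else {
    $result | ForEach-Object { Write-Output "[!] $_" }
}
```

Run it from an elevated prompt, since reading streams and signatures under the system folder may otherwise fail with access errors rather than a clean result.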

Analysis by Dan Kurc

Last update 16 July 2013
