Trojan:Win64/Sirefef.W
First posted on 07 June 2012.
Source: Microsoft
Aliases:
Trojan:Win64/Sirefef.W is also known as Win64/Sirefef.W (ESET), ZeroAccess.BX (AVG), Win64/Sirefef.AE (ESET), Trojan.Zeroaccess (Ikarus), ZeroAccess (McAfee), HEUR.Backdoor.Win64.Generic (Kaspersky), Troj/Sirefef-AQ (Sophos), Hacktool.Rootkit (Symantec).
Explanation:
Trojan:Win64/Sirefef.W is the 64-bit user-mode component of Win32/Sirefef, a multi-component malware family that interferes with your Internet use by modifying search results and generating pay-per-click advertising revenue for its controllers. The family consists of multiple parts that perform different functions, such as downloading updates and additional components, hiding existing components, or executing a payload.
Installation
Trojan:Win64/Sirefef.W is installed and executed by other variants of Win32/Sirefef and may use the file name "80000000.@".
It connects to the website "googl.com" to check whether your computer can access the Internet, then queries a web-based geolocation service ("promos.fling.com/geo/txt/city.php") to determine your computer's geographical location, specifically the name of the city. Both requests are plain HTTP and show up in proxy or DNS logs; seen in sequence from one host they are a useful network indicator for this component.
Payload
Installs and executes arbitrary files
Trojan:Win64/Sirefef.W may install additional trojan components on your computer. These may be installed as a service with the file name "adserxvice.exe" and may be detected as Trojan:Win32/Sirefef.P or Trojan:Win32/Sirefef.AA.
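The entry names four concrete indicators: the "googl.com" connectivity check and the "promos.fling.com/geo/txt/city.php" geolocation call from the Installation section, and the "80000000.@" file name and "adserxvice.exe" service binary from the Payload section. The following Python script is an added example, not code from the original entry or from Microsoft, that hunts for all four in exported telemetry. The proxy log format, the shape of the service and file records, and every sample value are constructed assumptions; only the indicator strings come from the entry. It also ranks the network hits, because a lone visit to "googl.com" can be a user's typo, whereas the geolocation call followed by the probe matches the behaviour described above.

```python
import re

# Indicators taken from the entry above. The log format, the record
# shapes and all sample values further down are constructed for this
# example and are not from the original entry or from Microsoft.
NETWORK_INDICATORS = {
    # name: (host, path or None meaning "any path on that host")
    "connectivity_check": ("googl.com", None),
    "geo_lookup": ("promos.fling.com", "/geo/txt/city.php"),
}
COMPONENT_FILE = "80000000.@"      # dropped user-mode component
SERVICE_BINARY = "adserxvice.exe"  # service installed by the payload

# Assumed proxy log line: "<timestamp> <client-ip> <method> <url> <status>"
PROXY_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d{3})$")
URL = re.compile(r"^https?://([^/:?#]+)(?::\d+)?(/[^?#]*)?", re.I)


def parse_url(url):
    """Return (lowercased host, path) for an http(s) URL, else (None, None)."""
    m = URL.match(url)
    if not m:
        return None, None
    return m.group(1).lower(), (m.group(2) or "/")


def host_matches(host, ioc_host):
    """Exact host match or a subdomain of the indicator host."""
    return host == ioc_host or host.endswith("." + ioc_host)


def scan_proxy_log(lines):
    """Map each client IP to the set of network indicators it triggered."""
    hits = {}
    for line in lines:
        m = PROXY_LINE.match(line.strip())
        if not m:
            continue  # tolerate unrelated or malformed lines
        _ts, client, _method, url, _status = m.groups()
        host, path = parse_url(url)
        if host is None:
            continue
        for name, (ioc_host, ioc_path) in NETWORK_INDICATORS.items():
            if not host_matches(host, ioc_host):
                continue
            if ioc_path is not None and path != ioc_path:
                continue  # same host, but not the geolocation endpoint
            hits.setdefault(client, set()).add(name)
    return hits


def basename(path):
    """Last path component, accepting Windows or POSIX separators."""
    return re.split(r"[\\/]", path.strip())[-1]


def scan_services(services):
    """services: iterable of (service_name, binary_path).
    Return the service names whose binary is the payload's executable."""
    return [name for name, binary in services
            if basename(binary).lower() == SERVICE_BINARY]


def scan_files(paths):
    """Return the paths whose file name is the dropped component."""
    return [p for p in paths if basename(p) == COMPONENT_FILE]


def network_verdict(indicators):
    """Rank a client's network hits: the probe alone is weak evidence,
    the geolocation call is more specific, both together match the
    sequence the entry describes."""
    if {"connectivity_check", "geo_lookup"} <= indicators:
        return "high"
    if "geo_lookup" in indicators:
        return "medium"
    if "connectivity_check" in indicators:
        return "low"
    return "none"


# Constructed sample telemetry (not real data).
SAMPLE_PROXY_LOG = [
    "2012-06-07T10:01:02Z 10.0.0.5 GET http://googl.com/ 200",
    "2012-06-07T10:01:03Z 10.0.0.5 GET http://promos.fling.com/geo/txt/city.php 200",
    "2012-06-07T10:02:00Z 10.0.0.9 GET http://googl.com/ 200",
    "2012-06-07T10:03:00Z 10.0.0.7 GET http://www.example.com/index.html 200",
    "2012-06-07T10:04:00Z 10.0.0.8 GET http://promos.fling.com/other.html 200",
]
SAMPLE_SERVICES = [
    ("adserxvice", r"C:\constructed\path\adserxvice.exe"),  # constructed path
    ("Spooler", r"C:\Windows\System32\spoolsv.exe"),
]
SAMPLE_FILES = [
    r"C:\constructed\path\80000000.@",  # constructed path
    r"C:\Windows\notepad.exe",
]

if __name__ == "__main__":
    for client, inds in sorted(scan_proxy_log(SAMPLE_PROXY_LOG).items()):
        print(client, network_verdict(inds), sorted(inds))
    print("services:", scan_services(SAMPLE_SERVICES))
    print("files:", scan_files(SAMPLE_FILES))
```

Run against real exports, the proxy scan is the cheapest place to start because the "geo/txt/city.php" path is specific enough to be worth an alert on its own, while a "googl.com" hit should only raise the priority of hosts that already have another indicator. The service and file checks confirm a candidate host once you have endpoint access.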
Analysis by Shali Hsieh
Last update 07 June 2012