
Trojan:Win64/Sirefef.P


First posted on 28 June 2012.
Source: Microsoft

Aliases :

Trojan:Win64/Sirefef.P is also known as Trojan.Sirefef.FS (BitDefender), Win64/Sirefef.W (ESET), HEUR:Backdoor.Win64.Generic (Kaspersky), ZeroAccess (McAfee), Troj/Sirefef-AP (Sophos), TROJ_SIREFEF.RB (Trend Micro).

Explanation :



Trojan:Win64/Sirefef.P is a user-mode component of the Sirefef malware family and runs on the 64-bit version of Windows. Sirefef is a multi-component family whose components perform different functions, such as downloading updates and additional Sirefef components, hiding existing Sirefef components, or executing a payload. This malware alters your Internet experience by changing search results and generating pay-per-click advertising revenue for the malware controllers.

Installation

Trojan:Win64/Sirefef.P is installed and executed by other variants of Sirefef and may be present as a file named "n" or "desktop.ini". Please note that the file "desktop.ini" is the name of a legitimate Windows system file.
This component of Sirefef provides selected function calls for Win64/Sirefef to establish network connections.

Trojan:Win64/Sirefef.P executes another component of Sirefef, usually named one of the following:

  • <system folder>\assembly\temp\U\80000064.@
  • <system folder>\Installer\{GUID}\U\80000064.@


Payload

Intercepts Windows system calls

Trojan:Win64/Sirefef.P replaces the following system APIs with its own malicious instructions so that calls made to the original API will run the malicious code instead:

  • AcceptEx
  • GetAcceptExSockaddrs
  • Getnetbyname
  • Inet_network
  • NSPStartup
  • TransmitFile

Trojan:Win64/Sirefef.P hooks the API "WSPStartup" to enable it to run.

Additional information

For more information about Win32/Sirefef, see the family description elsewhere in our encyclopedia.
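The list above describes inline hooks on Winsock entry points. The following is an added example, not part of the encyclopedia entry or Microsoft's tooling, that checks whether those exports start with a detour trampoline in the current process; it assumes x64 Windows and that the exports are resolved from mswsock.dll (the byte-pattern classifier itself runs on any platform).

```python
import ctypes
from typing import Callable, Dict, Optional

# Winsock entry points the description above says Sirefef.P replaces, plus
# WSPStartup. Module name is an assumption: these exports live in mswsock.dll.
SIREFEF_P_HOOKED_EXPORTS = ("AcceptEx", "GetAcceptExSockaddrs", "getnetbyname",
                            "inet_network", "NSPStartup", "TransmitFile", "WSPStartup")
PROLOGUE_LEN = 16

def classify_prologue(code: bytes) -> Optional[str]:
    """Label the first bytes of a function if they look like an inline detour, else None."""
    if code[:1] == b"\xE9":                                     # JMP rel32
        return "jmp_rel32"
    if code[:2] == b"\xFF\x25":                                 # JMP qword ptr [rip+disp32]
        return "jmp_rip_indirect"
    if code[:2] == b"\x48\xB8" and code[10:12] == b"\xFF\xE0":  # MOV RAX, imm64 ; JMP RAX
        return "mov_rax_jmp_rax"
    if code[:1] == b"\x68" and code[5:6] == b"\xC3":            # PUSH imm32 ; RET
        return "push_ret"
    return None

def hooked_exports(read_entry: Callable[[str], Optional[bytes]]) -> Dict[str, str]:
    """Classify every listed export; read_entry returns the entry bytes, or None
    when the name cannot be resolved (e.g. not exported on this Windows build)."""
    findings: Dict[str, str] = {}
    for name in SIREFEF_P_HOOKED_EXPORTS:
        code = read_entry(name)
        label = classify_prologue(code) if code else None
        if label:
            findings[name] = label
    return findings

def windows_entry_reader(module: str = "mswsock.dll") -> Callable[[str], Optional[bytes]]:
    """Resolve exports with GetProcAddress and read their first bytes in-process."""
    kernel32 = ctypes.WinDLL("kernel32", use_last_error=True)
    kernel32.GetProcAddress.restype = ctypes.c_void_p
    kernel32.GetProcAddress.argtypes = (ctypes.c_void_p, ctypes.c_char_p)
    handle = ctypes.WinDLL(module)._handle
    def read_entry(name: str) -> Optional[bytes]:
        addr = kernel32.GetProcAddress(handle, name.encode("ascii"))
        return ctypes.string_at(addr, PROLOGUE_LEN) if addr else None
    return read_entry

if __name__ == "__main__":
    for name, label in hooked_exports(windows_entry_reader()).items():
        print(f"{name}: entry looks detoured ({label})")
```

A hit only means the export's entry is redirected, which legitimate security or compatibility software can also do; confirm by checking which module owns the jump target before treating it as Sirefef.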



Analysis by Shali Hsieh

Last update 28 June 2012
