Trojan:WinNT/Sirefef.H
First posted on 13 September 2011.
Source: SecurityHome
Aliases:
Trojan:WinNT/Sirefef.H is also known as Backdoor/Win32.ZAccess (AhnLab), Rootkit.Win32.ZAccess.e (Kaspersky), Mal/TDSSPack-A (Sophos).
Explanation:
Trojan:WinNT/Sirefef.H is a trojan that could intercept network traffic or inject code into other processes. It is installed by other malware such as TrojanDropper:Win32/Sirefef.B.
Installation
This trojan is installed by other malware such as TrojanDropper:Win32/Sirefef.B, a trojan dropper. In the wild, the trojan dropper may be distributed as executable files with enticing names, as in the following examples:
- xxx-HD-movie.avi.exe
- Serial-Hardware_Helper_1_0.45303.exe
- Crack.Dream.Audio.Converter.Ul.exe
- Keygen.All.My.Books.2.2.Build.1126.exe
- Keygen.Speed.Connect.Internet.Accelerator.8.0.Portable.exe
When Trojan:WinNT/Sirefef.H executes, it creates a device object named "\??\ACPI#PNP0303#2&da1a3ff&0\U\$<random 8 digits>" and injects trojan DLL code into the process 'services.exe'. The injected DLL code installs another trojan component into an NTFS Alternate Data Stream with the following path:
%SystemRoot%\%u:%u, where each "%u" is an unsigned integer computed from hard disk drive information (the volume creation time). That is, the component is stored as a named stream ("%u") attached to a file whose name is also a number ("%u") directly under the Windows directory, so it does not show up in an ordinary directory listing.
Both the DLL and the EXE file may be detected as Trojan:Win32/Sirefef.H.
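A triage check for the artefact described above, added here as an example (it is not code from the original write-up or from Microsoft): it parses the text of a `dir /r %SystemRoot%` listing and reports every named stream where both the file name and the stream name are bare integers, which is the shape the `%u:%u` path takes. Benign streams such as `Zone.Identifier` are ignored. The embedded listing is constructed sample data, and the function and constant names are this example's own assumptions.

```python
import os
import re
import subprocess
import sys
from typing import List, Tuple

# "dir /r" prints each named stream on its own line: a size column followed by
# <file>:<stream>:$DATA, with no date/time columns in front.  Sirefef.H's
# component lives at %SystemRoot%\<digits>:<digits>, so both names must be
# all digits for a line to count as a hit.
STREAM_LINE = re.compile(r"^\s*([\d,]+)\s+(\d+):(\d+):\$DATA\s*$")


def find_numeric_streams(dir_r_output: str) -> List[Tuple[str, str, int]]:
    """Return (file_name, stream_name, size_bytes) for every numeric:numeric
    alternate data stream found in the text of a "dir /r" listing."""
    hits = []
    for line in dir_r_output.splitlines():
        m = STREAM_LINE.match(line)
        if m is None:
            continue  # directory entries, ordinary files, non-numeric streams
        size = int(m.group(1).replace(",", ""))
        hits.append((m.group(2), m.group(3), size))
    return hits


# Constructed sample of a "dir /r %SystemRoot%" listing (not real system data).
# The Zone.Identifier stream is a common benign ADS and must not be reported.
SAMPLE_LISTING = """\
 Directory of C:\\Windows

09/13/2011  10:12 AM    <DIR>          .
09/13/2011  10:12 AM    <DIR>          ..
09/13/2011  10:12 AM                 0 1296570453
                                32,768 1296570453:2080924105:$DATA
07/14/2009  01:39 AM               256 WindowsUpdate.log
                                    26 WindowsUpdate.log:Zone.Identifier:$DATA
               2 File(s)         32,768 bytes
"""


def scan_system_root() -> List[Tuple[str, str, int]]:
    """On Windows, run the real listing of %SystemRoot%; elsewhere fall back
    to the constructed sample so the logic can still be exercised."""
    if sys.platform != "win32":
        return find_numeric_streams(SAMPLE_LISTING)
    root = os.environ.get("SystemRoot", r"C:\Windows")
    out = subprocess.run(["cmd", "/c", "dir", "/r", root],
                         capture_output=True, text=True, errors="replace")
    return find_numeric_streams(out.stdout)


if __name__ == "__main__":
    for name, stream, size in scan_system_root():
        print(f"suspect ADS: {name}:{stream} ({size} bytes)")
```

Run it from an elevated prompt on the suspect host; a hit is worth pulling with `more < C:\Windows\<file>:<stream>` (or any stream-aware copy tool) for further analysis, since the rootkit component may also be hiding it from other APIs.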
WinNT/Sirefef.H communicates with the following time servers:
- ntp2.usno.navy.mil
- ntp.adc.am
- tock.usask.ca
- ntp.crifo.org
- ntp1.arnes.si
- ntp.ucsd.edu
- ntp.duckcorp.org
- wwv.nist.gov
- clock.isc.org
- time.windows.com
- time2.one4vision.de
- time.cerias.purdue.edu
- clock.fihn.net
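A single workstation resolving several of the hosts above is unusual: Windows Time normally talks to one configured source, not a spread of university and hobbyist NTP servers. The following detection, added here as an example (not code from the original write-up or from Microsoft), walks DNS query log lines and flags any client that resolved at least three distinct hosts from the list, excluding the expected source. The log format, the sample lines, the threshold and the `EXPECTED_NTP_HOSTS` set are this example's own assumptions; adapt the regex to your resolver's log layout.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, List

# The time servers named in the write-up, normalised to lowercase.
SIREFEF_NTP_HOSTS = frozenset("""
    ntp2.usno.navy.mil ntp.adc.am tock.usask.ca ntp.crifo.org ntp1.arnes.si
    ntp.ucsd.edu ntp.duckcorp.org wwv.nist.gov clock.isc.org time.windows.com
    time2.one4vision.de time.cerias.purdue.edu clock.fihn.net
""".split())

# Servers a clean Windows host also talks to (Windows Time defaults to
# time.windows.com).  Assumption: extend this with your own configured source.
EXPECTED_NTP_HOSTS = frozenset({"time.windows.com"})

# Assumed log format: "<timestamp> <client-ipv4> <queried-name>" per line.
LOG_LINE = re.compile(r"^\S+\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)\s*$")


def suspicious_ntp_clients(lines: Iterable[str], threshold: int = 3) -> Dict[str, List[str]]:
    """Map client IP -> sorted list of Sirefef NTP hosts it resolved, for clients
    that touched at least `threshold` distinct hosts outside the expected set."""
    seen: Dict[str, set] = defaultdict(set)
    for line in lines:
        m = LOG_LINE.match(line)
        if m is None:
            continue  # unparseable line; skip rather than crash the sweep
        client, qname = m.group(1), m.group(2).lower().rstrip(".")
        if qname in SIREFEF_NTP_HOSTS and qname not in EXPECTED_NTP_HOSTS:
            seen[client].add(qname)
    return {c: sorted(h) for c, h in seen.items() if len(h) >= threshold}


# Constructed DNS query log (not real traffic).  10.0.0.5 is a clean host,
# 10.0.0.9 hits one odd server (below threshold), 10.0.0.17 fans out.
SAMPLE_LOG = """\
2011-09-13T10:00:01Z 10.0.0.5 time.windows.com
2011-09-13T10:00:02Z 10.0.0.9 time.windows.com
2011-09-13T10:00:03Z 10.0.0.9 ntp.ucsd.edu
2011-09-13T10:00:04Z 10.0.0.17 ntp.adc.am
2011-09-13T10:00:05Z 10.0.0.17 TOCK.USASK.CA.
2011-09-13T10:00:06Z 10.0.0.17 clock.fihn.net
2011-09-13T10:00:07Z 10.0.0.17 ntp.crifo.org
2011-09-13T10:00:08Z 10.0.0.17 www.microsoft.com
"""


if __name__ == "__main__":
    for client, hosts in suspicious_ntp_clients(SAMPLE_LOG.splitlines()).items():
        print(f"{client}: resolved {len(hosts)} Sirefef NTP hosts: {', '.join(hosts)}")
```

Names are lowercased and a trailing dot is stripped before matching, because resolvers log FQDNs inconsistently. The threshold is deliberately above one: any single server on the list can be a legitimate choice, and it is the fan-out across the set that matches the trojan's behaviour.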
Payload
Intercepts network traffic
This trojan has functionality to perform the following actions:
- intercept network packets
- provide network functionality and communicate over TCP and UDP
- write to the memory of other processes
Analysis by Shawn Wang
Last update 13 September 2011