
Trojan:Win32/Sefnit.AJ


First posted on 30 December 2011.
Source: Microsoft

Aliases:

Trojan:Win32/Sefnit.AJ is also known as Win32/Sefnit.CD trojan (ESET), Trojan.Win32.Sefnit.sxd (Kaspersky), Sefnit.d (McAfee), Troj/Sefnit-AD (Sophos), Trojan.Sefnit (Symantec), TROJ_SPNR.16LB11 (Trend Micro).

Explanation:

Trojan:Win32/Sefnit.AJ is a trojan that may monitor Internet Explorer or Mozilla Firefox to hijack the search results for various search engines.





Installation

Trojan:Win32/Sefnit.AJ may arrive on the system as an executable and drop DLL components using random file and folder names. The file names of its dropped components are usually composed of two or more concatenated words and have the following format:

  • %AppData%\<random folder name>\<random file name>.dll
  • %Temp%\<random file name>.dll


For example:

  • %AppData%\handlereventinterval\mfcuserppm.dll
  • %Temp%\Asynccrtmon.dll


It launches its dropped copies by running the following commands:

rundll32.exe "%AppData%\<random folder name>\<random file name>.dll",wmicfgSnap rasCommsspl
rundll32.exe "%Temp%\<random file name>.dll", wmicfgSnap AppleapiClock

For example:

rundll32.exe "%AppData%\HandlerEventInterval\mfcUserppm.dll",wmicfgSnap rasCommsspl
rundll32.exe "%Temp%\Asynccrtmon.dll", wmicfgSnap AppleapiClock

It creates registry entries so that its dropped copy automatically executes every time Windows starts:

In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "<random file name>"
With data: "rundll32.exe "<malware path and location>",<random export module name> <random parameter>"

For example:

In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "mfcUserppm"
With data: "rundll32.exe "%appdata%\handlereventinterval\mfcuserppm.dll",wmicfgsnap rascommsspl"
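The launch and autorun format above is regular enough to hunt for. The following is an added example, not part of the original write-up: it parses Run-key data in the rundll32 form the page describes (DLL path, export name, parameter) and flags entries that load a DLL from %AppData% or %Temp%. The sample Run-key entries are constructed for illustration (the first two mirror the page's examples, the benign ones are made up), and the expanded-profile paths checked in `_in_user_writable_dir` are an assumed default layout.

```python
import re
from typing import Optional

# Launch format described on the page:
#   rundll32.exe "<dll path>",<export name> <parameter>
# An optional space after the comma is tolerated, since both forms appear in the samples.
RUNDLL32_RE = re.compile(
    r'^\s*"?rundll32(?:\.exe)?"?\s+"?(?P<dll>[^",]+?\.dll)"?\s*,\s*'
    r'(?P<export>[A-Za-z0-9_]+)(?:\s+(?P<arg>\S+))?\s*$',
    re.IGNORECASE,
)

def parse_rundll32(cmdline: str) -> Optional[dict]:
    """Split a rundll32 command line into DLL path, export name and argument."""
    m = RUNDLL32_RE.match(cmdline)
    if not m:
        return None
    return {"dll": m.group("dll"), "export": m.group("export"), "arg": m.group("arg")}

def _in_user_writable_dir(dll_path: str) -> bool:
    """True for the drop locations named on the page, in variable or expanded form."""
    p = dll_path.lower()
    if any(p.startswith(d + "\\") for d in ("%appdata%", "%temp%")):
        return True
    # Expanded forms of the same locations (assumed default profile layout).
    return "\\appdata\\roaming\\" in p or "\\appdata\\local\\temp\\" in p

def is_suspicious_run_value(data: str) -> bool:
    """Run-key data that launches a DLL from %AppData% or %Temp% via rundll32."""
    parsed = parse_rundll32(data)
    return parsed is not None and _in_user_writable_dir(parsed["dll"])

# Constructed sample (value name, data) pairs as they would be read from
# HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
SAMPLE_RUN_VALUES = [
    ("mfcUserppm", r'rundll32.exe "%appdata%\handlereventinterval\mfcuserppm.dll",wmicfgsnap rascommsspl'),
    ("Asynccrtmon", r'rundll32.exe "%Temp%\Asynccrtmon.dll", wmicfgSnap AppleapiClock'),
    ("OneDrive", r'"C:\Program Files\OneDrive\OneDrive.exe" /background'),
    ("NvBackend", r'rundll32.exe "C:\Windows\System32\shell32.dll",Control_RunDLL'),
]

def flag_run_values(entries) -> list:
    """Return the value names whose data matches the Sefnit.AJ persistence pattern."""
    return [name for name, data in entries if is_suspicious_run_value(data)]

if __name__ == "__main__":
    print(flag_run_values(SAMPLE_RUN_VALUES))  # ['mfcUserppm', 'Asynccrtmon']
```

On a live host the same check can be fed from the Run key under HKCU and HKLM; a match is a lead for triage, not proof of this family, since legitimate installers occasionally use rundll32 from %Temp%.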



Payload

Hijacks search engine results

Trojan:Win32/Sefnit.AJ may monitor Internet Explorer and Mozilla Firefox to hijack search results from search engines such as Google to display arbitrary results.



Analysis by Elda Dimakiling

Last update 30 December 2011
