Trojan:Win32/Sefnit.AU
First posted on 19 September 2013.
Source: Microsoft
Aliases:
There are no other names known for Trojan:Win32/Sefnit.AU.
Explanation:
Threat behavior
Installation
Variants of this family can be installed by other malware or potentially unwanted software.
We have seen this variant call itself "Adobe Flash Player Update Service" by "Adobe Systems Incorporated", and use the file name FlashPlayerUpdateService.exe.
It copies itself to the following locations:
- <system folder>
- <system folder>\Macromed\Flash\
Additionally, on a 64-bit Windows operating system it will also create copies of itself in:
- %windir%\SysWOW64\
- %windir%\SysWOW64\Macromed\Flash\
It creates the following jobs so it is run on a scheduled basis:
- %windir%\Tasks\AdobeFlashPlayerUpdate 2.job
- %windir%\Tasks\AdobeFlashPlayerUpdate.job
It adds itself as a service under the display name "Adobe Flash Player Update Service" by making the following registry changes:
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\AdobeFlashPlayerUpdateSvc\Enum
Sets value: "0"
With data: "Root\LEGACY_ADOBEFLASHPLAYERUPDATESVC\0000"
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\AdobeFlashPlayerUpdateSvc\Enum
Sets value: "Count"
With data: "0x00000001"
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\AdobeFlashPlayerUpdateSvc\Enum
Sets value: "NextInstance"
With data: "0x00000001"
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\AdobeFlashPlayerUpdateSvc\Security
Sets value: "Security"
With data: "01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 0B 00 00 00 00 00 18 00 FD 01 02 00 01 02 00 00 00 00 00 05 20 00 00 00 23 02 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00"
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\AdobeFlashPlayerUpdateSvc
Sets value: "Type"
With data: "0x00000020"
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\AdobeFlashPlayerUpdateSvc
Sets value: "ErrorControl"
With data: "0x00000001"
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\AdobeFlashPlayerUpdateSvc
Sets value: "ImagePath"
With data: "<system folder>\Macromed\Flash\FlashPlayerUpdateService.exe"
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\AdobeFlashPlayerUpdateSvc
Sets value: "DisplayName"
With data: "Adobe Flash Player Update Service"
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\AdobeFlashPlayerUpdateSvc
Sets value: "ObjectName"
With data: "LocalSystem"
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\AdobeFlashPlayerUpdateSvc
Sets value: "FailureActions"
With data: "FF FF FF FF 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 01 00 00 00 30 75 00 00"
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\AdobeFlashPlayerUpdateSvc
Sets value: "Description"
With data: "This service keeps your Adobe Flash Player installation up to date with the latest enhancements and security fixes."
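The Type and FailureActions values above are stored as raw numbers and bytes, so their meaning is easy to miss when triaging the service key. The following added example (not part of the Microsoft page) decodes them using the documented SERVICE_* type flags and the SERVICE_FAILURE_ACTIONS layout that Windows writes into FailureActions (five little-endian DWORDs followed by an array of SC_ACTION entries). The byte strings are exactly the ones printed on this page; the parsing layout and flag names come from the Win32 service API, not from the page.

```python
import struct

# Values copied from the registry entries listed on this page.
SERVICE_TYPE = 0x00000020
FAILURE_ACTIONS_HEX = (
    "FF FF FF FF 00 00 00 00 00 00 00 00 01 00 00 00 "
    "00 00 00 00 01 00 00 00 30 75 00 00"
)

# Service type flags from winnt.h / winsvc.h (a subset sufficient for this value).
SERVICE_TYPE_FLAGS = {
    0x00000001: "SERVICE_KERNEL_DRIVER",
    0x00000002: "SERVICE_FILE_SYSTEM_DRIVER",
    0x00000010: "SERVICE_WIN32_OWN_PROCESS",
    0x00000020: "SERVICE_WIN32_SHARE_PROCESS",
    0x00000100: "SERVICE_INTERACTIVE_PROCESS",
}

# SC_ACTION_TYPE enumeration used inside SERVICE_FAILURE_ACTIONS.
SC_ACTION_TYPES = {
    0: "SC_ACTION_NONE",
    1: "SC_ACTION_RESTART",
    2: "SC_ACTION_REBOOT",
    3: "SC_ACTION_RUN_COMMAND",
}


def decode_service_type(value):
    """Return the names of every SERVICE_* flag set in a Type DWORD."""
    return [name for flag, name in SERVICE_TYPE_FLAGS.items() if value & flag]


def decode_failure_actions(blob):
    """Parse the REG_BINARY FailureActions value.

    Layout, all little-endian DWORDs (mirrors SERVICE_FAILURE_ACTIONS):
      dwResetPeriod, reboot-message offset, command offset,
      cActions, actions-array offset,
    followed by cActions entries of SC_ACTION = (DWORD Type, DWORD Delay in ms).
    """
    if len(blob) < 20:
        raise ValueError("FailureActions blob too short for its header")
    reset_period, _reboot_off, _cmd_off, count, _actions_off = struct.unpack_from("<5I", blob, 0)
    actions = []
    pos = 20
    for _ in range(count):
        if pos + 8 > len(blob):
            raise ValueError("truncated SC_ACTION array")
        action_type, delay_ms = struct.unpack_from("<II", blob, pos)
        actions.append((SC_ACTION_TYPES.get(action_type, f"UNKNOWN({action_type})"), delay_ms))
        pos += 8
    # 0xFFFFFFFF (INFINITE) means the failure counter is never reset.
    return {
        "reset_period": "INFINITE" if reset_period == 0xFFFFFFFF else reset_period,
        "actions": actions,
    }


def decode_page_values():
    """Decode the two values exactly as this page lists them."""
    return {
        "type": decode_service_type(SERVICE_TYPE),
        "failure_actions": decode_failure_actions(bytes.fromhex(FAILURE_ACTIONS_HEX)),
    }


if __name__ == "__main__":
    print(decode_page_values())
```

Run on the page's values, this reports a SERVICE_WIN32_SHARE_PROCESS service whose single failure action is SC_ACTION_RESTART after 30000 ms with an infinite reset period: the service control manager will relaunch the dropped executable 30 seconds after it is killed, which is why terminating the process alone is not a cleanup step and the service registration and the scheduled tasks need to be removed as well.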
Payload
Downloads malware
The trojan connects to remote servers, known as command and control (C&C) servers. When connected, it attempts to download data that it decrypts into an XML file, which specifies what further files to download or actions to take.
Some of the C&C domains known to be used by this trojan include:
- srvupd.com
- srvupd.net
- svcupd.net
- updsrv.net
- updsvc.com
- updsvc.net
These C&C servers are contacted periodically with a standard HTTP GET request, for example: GET http://updsvc.net/<removed>/3f76764a34f81e63df90b61f65b31d75/2.
We have seen the trojan download and run the following files, among others:
- http://jameslipon.no-ip.biz/<removed>/tc.c1
- http://kimberlybroher.no-ip.biz/<removed>/tc.c1
- http://olivasonny.no-ip.biz/<removed>/tc.c1
- http://patricevaillancourt.sytes.net/<removed>/tc.c1
- http://timothymahoney.ddns.me.uk/<removed>/tc.c1
These downloaded files are detected as other variants of the Trojan:Win32/Mevade family, such as Trojan:Win32/Mevade.B and Trojan:Win32/Mevade.gen!, which then spread through the eMule sharing program.
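The C&C domains, download hosts and URL shapes above are the indicators a network defender can act on. The following added example (not code from the Microsoft page) checks constructed proxy log lines against them: exact matches on the listed C&C and download hosts, plus two path heuristics that are this example's own assumption, generalised from the single beacon URL on the page (a 32-hex-character segment followed by a short integer) and from the tc.c1 download name. The log lines and the unlisted hosts in them are constructed for the demonstration.

```python
import re
from urllib.parse import urlsplit

# C&C domains listed on this page.
CNC_DOMAINS = {
    "srvupd.com", "srvupd.net", "svcupd.net",
    "updsrv.net", "updsvc.com", "updsvc.net",
}
# Dynamic-DNS hosts listed on this page as sources of downloaded payloads.
DOWNLOAD_HOSTS = {
    "jameslipon.no-ip.biz", "kimberlybroher.no-ip.biz", "olivasonny.no-ip.biz",
    "patricevaillancourt.sytes.net", "timothymahoney.ddns.me.uk",
}
# Heuristics (assumptions of this example, derived from the page's sample URLs):
# a beacon path ends in /<32 hex chars>/<number>, a payload fetch ends in /tc.c1.
BEACON_PATH_RE = re.compile(r"/[0-9a-f]{32}/\d+$")
PAYLOAD_PATH_RE = re.compile(r"/tc\.c1$")


def classify_url(url):
    """Return a verdict string for a URL, or None if nothing matches."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()   # hostname is already lower-cased by urlsplit
    path = parts.path
    if host in CNC_DOMAINS:
        return "cnc-beacon" if BEACON_PATH_RE.search(path) else "cnc-domain"
    if host in DOWNLOAD_HOSTS:
        return "payload-download" if PAYLOAD_PATH_RE.search(path) else "download-host"
    if BEACON_PATH_RE.search(path):
        # Same path shape on a host not on the page's list: lower confidence, worth review.
        return "suspect-beacon-pattern"
    return None


# Constructed proxy log (fields: timestamp client method url status). Not real traffic.
SAMPLE_LOG = """\
1379580001.101 10.0.0.12 GET http://updsvc.net/x/3f76764a34f81e63df90b61f65b31d75/2 200
1379580002.220 10.0.0.12 GET http://www.example.com/index.html 200
1379580003.305 10.0.0.12 GET http://olivasonny.no-ip.biz/x/tc.c1 200
1379580004.410 10.0.0.17 GET http://SRVUPD.COM/ 200
1379580005.512 10.0.0.17 GET http://cdn.example.org/5f4dcc3b5aa765d61d8327deb882cf99/1 200
"""


def scan_log(text):
    """Return (client, url, verdict) for every log line whose URL matches an indicator."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue   # malformed line; skip rather than crash the scan
        verdict = classify_url(fields[3])
        if verdict:
            hits.append((fields[1], fields[3], verdict))
    return hits


if __name__ == "__main__":
    for client, url, verdict in scan_log(SAMPLE_LOG):
        print(f"{verdict:24} {client:12} {url}")
```

Host matching is the reliable part of this check; the two path regexes are only a triage aid, which is why a match on an unlisted host is reported separately as a lower-confidence verdict rather than as a confirmed C&C contact.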
Additional information
The Trojan:Win32/Mevade family is known to use Tor or Secure Shell (SSH) provided by PuTTY as its C&C communication channels.
Running files downloaded from peer-to-peer networks such as eMule, µTorrent, and Shareaza puts you at a high risk of being infected by trojans and other malware.
Analysis by Geoff McDonald
Symptoms
You may notice sluggish computer performance, large bandwidth usage, and slow Internet performance.
Last update 19 September 2013