Virus:Win32/Sirefef.N
First posted on 17 January 2012.
Source: Microsoft
Aliases:
Virus:Win32/Sirefef.N is also known as W32/FakeAlert.RL.gen!Eldorado (Command), Hider.OOW (AVG), Win32/Sirefef.DA (ESET), Rootkit.Win32.ZAccess (other), Zero Access (other), ZeroAccess.v (McAfee), Mal/EncPk-AAL (Sophos).
Explanation:
Virus:Win32/Sirefef.N is a detection for Windows system drivers that are modified to perform certain behaviors, such as downloading and executing arbitrary files. This malware is a component of Win32/Sirefef - a multi-component family of malware that moderates an affected user's Internet experience by modifying search results, and generates pay-per-click advertising revenue for its controllers. The family consists of multiple parts that perform different functions, such as downloading updates and additional components, hiding existing components or performing the payload.
Installation
Virus:Win32/Sirefef.N is installed by other variants of Win32/Sirefef and is present as a modified Windows system driver file, as in the following example files:
- %windir%\System32\mrxsmb.sys
- %windir%\System32\ipsec.sys
Virus:Win32/Sirefef.N is used by other malware, usually other components of Win32/Sirefef or other rootkits, to prevent the malware's files from being accessed and to map executable files into other processes.
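As an added defender-side check that is not part of the original Microsoft write-up: a PowerShell snippet that reports the Authenticode status, signer and SHA-256 hash of the two driver names listed above. It looks in the path given above and, as an assumption, also in %windir%\System32\drivers, where the stock copies of these drivers normally live. It assumes Windows 8 / PowerShell 4 or later, where Get-AuthenticodeSignature also consults the Windows security catalogs that sign most inbox drivers; on older systems catalog-signed drivers report NotSigned even when intact, and sfc /verifyonly is the better check there.

```powershell
# Added example (not from the original write-up): report the signature status of
# the system drivers that Win32/Sirefef.N is documented to replace.
# Assumption: Windows 8 / PowerShell 4+, so catalog-signed inbox drivers validate.

$names = 'mrxsmb.sys', 'ipsec.sys'
# The write-up lists the files directly under System32; the stock copies are
# normally under System32\drivers (assumption), so both locations are checked.
$dirs  = "$env:windir\System32", "$env:windir\System32\drivers"

$report = foreach ($name in $names) {
    foreach ($dir in $dirs) {
        $path = Join-Path $dir $name
        if (-not (Test-Path -LiteralPath $path)) { continue }

        $sig  = Get-AuthenticodeSignature -LiteralPath $path
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        $item = Get-Item -LiteralPath $path

        [pscustomobject]@{
            Path      = $path
            Status    = $sig.Status            # Valid is expected for an intact inbox driver
            Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }
            SHA256    = $hash
            LastWrite = $item.LastWriteTimeUtc # a recent timestamp on an inbox driver is suspicious
        }
    }
}

# Anything that is not Valid with a Microsoft signer deserves a closer look.
$report | Format-Table -AutoSize
$report | Where-Object { $_.Status -ne 'Valid' -or $_.Signer -notmatch 'Microsoft' } |
    ForEach-Object { Write-Warning "Driver does not carry a valid Microsoft signature: $($_.Path)" }
```

Because this family includes kernel-mode components that hide and protect files on the running system, a clean result from a live session is not conclusive; repeat the hash and signature comparison from offline media (for example, a WinPE boot with the infected volume mounted) before trusting it.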
Payload
Communicates with a remote server
Virus:Win32/Sirefef.N communicates with a remote server and is capable of downloading and executing files from certain websites.
Analysis by Edgardo Diaz
Last update 17 January 2012