
TrojanDropper:Win32/Sirefef.gen!A


First posted on 02 November 2012.
Source: Microsoft

Aliases:

TrojanDropper:Win32/Sirefef.gen!A is also known as Trojan.ADH.2 (Symantec), Trojan.Packed.22433 (Dr.Web), W32/Smalldrp.AYED (Norman).

Explanation:

TrojanDropper:Win32/Sirefef.gen!A is a trojan that is used to install Win32/Sirefef. It is distributed using exploits and social engineering tactics, where it is bundled with "keygens" and "cracks".

In a typical scenario, a user may choose to download what they think is a "keygen" or "crack" (a program that enables software piracy by bypassing licensing or activation requirements). However, TrojanDropper:Win32/Sirefef.gen!A is also included in the download and is installed on the user's computer - without their knowledge - alongside the keygen or crack.

Caution: Win32/Sirefef is a dangerous threat that uses advanced stealth techniques in order to hinder its detection and removal. As a consequence of being infected with this threat, you may need to repair and reconfigure some Windows security features. Please see Additional remediation steps in this entry for more information.

When run, TrojanDropper:Win32/Sirefef.gen!A drops and loads the following files into a subfolder of the %TEMP% folder:

  • A file that may be detected as HackTool:Win32/Keygen
  • A Win32/Sirefef component that may download additional Win32/Sirefef components, such as Trojan:Win32/Sirefef.P


For example, in the wild we have observed the following file and folder names:

  • %TEMP%\nsf9.tmp\30018260a85ef7b9ea783d2efc273c2a1d1eb.exe - detected as Trojan:Win32/Sirefef.P
  • %TEMP%\nsf9.tmp\keygen.exe - detected as HackTool:Win32/Keygen
  • %TEMP%\nss9.tmp\300185e7ab4ffae8cf19e35b6a480e3465158.exe - detected as Trojan:Win32/Sirefef.P
  • %TEMP%\nss9.tmp\hxkds.exe - a renamed copy of "systray.exe", which is a legitimate Windows program


Note: %TEMP% refers to a variable location that is determined by the malware by querying the operating system. The default location of this folder for Windows 2000, XP, and 2003 is "C:\DOCUME~1\<user>\LOCALS~1\Temp". For Windows Vista, 7 and 8, the default location is "C:\Users\<user name>\AppData\Local\Temp".

Related encyclopedia entries

  • Win32/Sirefef
  • Trojan:Win32/Sirefef.P
  • HackTool:Win32/Keygen



Analysis by Gilou Tenebro

Last update 02 November 2012
