Win32/Sefnit
First posted on 12 January 2012.
Source: Microsoft
Aliases:
There are no other names known for Win32/Sefnit.
Explanation:
Win32/Sefnit is a trojan that may monitor Internet Explorer or Mozilla Firefox to hijack the search results for various search engines such as Bing, Yahoo! and Google.
Installation
Win32/Sefnit may arrive in the system as an executable and drop a DLL component using varied file and folder names, for example:
- %AppData%\handlereventinterval\mfcuserppm.dll
- %Temp%\Asynccrtmon.dll
It launches its dropped copies using "rundll32.exe":
rundll32.exe "%AppData%\HandlerEventInterval\mfcUserppm.dll",wmicfgSnap rasCommsspl
rundll32.exe "%Temp%\Asynccrtmon.dll", wmicfgSnap AppleapiClock
It modifies the registry so that its dropped copy automatically executes every time Windows starts, as in the following example:
In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "<malware file name>"
With data: "rundll32.exe "<malware path and location>",<export name> <parameter>"
For example:
In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "mfcUserppm"
With data: "rundll32.exe "%AppData%\handlereventinterval\mfcuserppm.dll",wmicfgsnap rascommsspl"
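As an added detection example (not part of the original Microsoft write-up), the following Python check parses Run-key data of the rundll32 form shown above and flags DLLs loaded from the %AppData% and %Temp% drop folders. The sample Run values are constructed; the folder markers and function names are assumptions.

```python
import re
from typing import NamedTuple, Optional

# Persistence command line described above:
#   rundll32.exe "<malware path and location>",<export name> <parameter>
# Quotes around the DLL path and the space after the comma are optional; matching is
# case-insensitive because the observed Run data is sometimes lowercased.
RUNDLL32_RE = re.compile(
    r'^\s*"?(?:[^"\s]*\\)?rundll32(?:\.exe)?"?\s+'  # rundll32.exe, optionally with a path
    r'"?(?P<dll>[^",]+?)"?\s*,\s*'                 # DLL path, optionally quoted, then ","
    r'(?P<export>\S+)'                             # exported function name
    r'(?:\s+(?P<args>.*))?$',                      # optional parameter string
    re.IGNORECASE)

# Drop folders named on the page, in both unexpanded and expanded form (assumption).
SUSPECT_DIR_MARKERS = ("%appdata%", "%temp%", "\\appdata\\", "\\temp\\")

class Rundll32Entry(NamedTuple):
    value_name: str
    dll: str
    export: str
    args: str

def parse_rundll32(command: str) -> Optional[Rundll32Entry]:
    """Split a rundll32 command line into DLL, export and arguments; None if not rundll32."""
    m = RUNDLL32_RE.match(command)
    if m is None:
        return None
    return Rundll32Entry("", m.group("dll"), m.group("export"), m.group("args") or "")

def suspicious_run_entries(run_values: dict) -> list:
    """Return Run entries that load a DLL through rundll32 from a user-writable drop folder."""
    hits = []
    for name, data in run_values.items():
        entry = parse_rundll32(data)
        if entry is not None and any(k in entry.dll.lower() for k in SUSPECT_DIR_MARKERS):
            hits.append(entry._replace(value_name=name))
    return hits

# Constructed sample of HKCU Run values: two modelled on the page's examples, two benign.
SAMPLE_RUN_VALUES = {
    "mfcUserppm": r'rundll32.exe "%AppData%\handlereventinterval\mfcuserppm.dll",wmicfgsnap rascommsspl',
    "Asynccrtmon": r'rundll32.exe "%Temp%\Asynccrtmon.dll", wmicfgSnap AppleapiClock',
    "VendorTray": r'"C:\Program Files\Vendor\tray.exe" /background',
    "SysHelper": r'rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL',
}

if __name__ == "__main__":
    for hit in suspicious_run_entries(SAMPLE_RUN_VALUES):
        print(f"{hit.value_name}: {hit.dll} export={hit.export} args={hit.args!r}")
```

On a Windows host the dictionary can be filled from the real HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run key (for example with the winreg module) instead of the constructed sample.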
Payload
Hijacks search engine results
Win32/Sefnit may monitor Internet Explorer and Mozilla Firefox to hijack the search results for various search engines such as Bing, Yahoo! and Google.
Communicates with remote servers
Variants of Win32/Sefnit attempt to communicate with remote servers to send and receive data. In the wild, we have observed this malware to communicate with the following IP addresses for this purpose:
- 213.239.212.16
- 85.10.195.238
- 78.47.143.235
- 208.91.197.65
Analysis by Scott Molenkamp
Last update 12 January 2012