Trojan:Win64/Sirefef.Q
First posted on 24 May 2012.
Source: Microsoft
Aliases:
Trojan:Win64/Sirefef.Q is also known as Zeroaccess (other), Trojan.Sirefef.BR (BitDefender), Win64/Sirefef.W trojan (ESET), Troj/ZAccess-AD (Sophos).
Explanation:
Trojan:Win64/Sirefef.Q is the 64-bit user-mode component of the Win32/Sirefef rootkit. Win32/Sirefef is multi-component malware that changes Internet searches by displaying irrelevant results.
Installation
Trojan:Win64/Sirefef.Q is usually created on 64-bit Windows systems by the Win32/Sirefef rootkit installer, such as Trojan:Win32/Sirefef.P or Backdoor:Win32/Smadow. On 32-bit systems the same installer creates a 32-bit version, detected as Trojan:Win32/Sirefef.AA or Trojan:Win32/Sirefef.AC.
It may change the following registry entries:
In subkeys:
HKLM\SYSTEM\CurrentControlSet\services\.mrxsmb
HKLM\SYSTEM\CurrentControlSet\services\.afd
HKLM\SYSTEM\CurrentControlSet\services\.cdrom
HKLM\SYSTEM\CurrentControlSet\services\.serial
Sets value: "Type"
With data: "1"
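A defender-side check for the registry modification described above, added here as an example and not part of the original write-up. It assumes an elevated PowerShell session on the host under review; the list of subkey names comes from the description, and the scan for other dot-prefixed service subkeys is a generalization of my own, flagged for manual review only.

```powershell
# Added check (not from the original write-up): looks for the Sirefef/ZeroAccess
# service subkeys named in the description and reports whether each exists
# with Type = 1 (SERVICE_KERNEL_DRIVER). Assumes an elevated session.

$ServicesRoot = 'HKLM:\SYSTEM\CurrentControlSet\services'

# Subkey names taken from the description above.
$KnownSirefefKeys = @('.mrxsmb', '.afd', '.cdrom', '.serial')

function Test-SirefefServiceKey {
    param([string]$Name)
    $path = Join-Path $ServicesRoot $Name
    if (-not (Test-Path -LiteralPath $path)) {
        return [pscustomobject]@{ Key = $Name; Present = $false; Type = $null; Match = $false }
    }
    $type = (Get-ItemProperty -LiteralPath $path -Name Type -ErrorAction SilentlyContinue).Type
    [pscustomobject]@{
        Key     = $Name
        Present = $true
        Type    = $type
        Match   = ($type -eq 1)   # 1 = SERVICE_KERNEL_DRIVER, the data value the description reports
    }
}

$results = $KnownSirefefKeys | ForEach-Object { Test-SirefefServiceKey $_ }

# Generalization (my heuristic, not from the write-up): legitimate service names
# do not normally begin with a dot, so list any other dot-prefixed subkeys too.
$otherDotKeys = Get-ChildItem -LiteralPath $ServicesRoot -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -like '.*' -and $_.PSChildName -notin $KnownSirefefKeys } |
    Select-Object -ExpandProperty PSChildName

$results | Format-Table -AutoSize
if ($results | Where-Object Match) {
    Write-Warning 'Sirefef-style service subkey(s) present with Type = 1; treat the host as suspect.'
}
if ($otherDotKeys) {
    Write-Warning ('Other dot-prefixed service subkeys present (review manually): ' + ($otherDotKeys -join ', '))
}
```

A hit on any of the four known keys is a strong indicator; a hit only on the generalized dot-prefix scan needs manual confirmation before acting on it.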
Payload
Acts as a backup installer
Trojan:Win64/Sirefef.Q appears as a Windows service that acts as a standby rootkit installer. The main payload of Trojan:Win64/Sirefef.Q is hidden within the extended attributes stream of the trojan file.
Modifies Internet search results
The main Win32/Sirefef payload is to change your Internet experience by modifying search results.
Analysis by Sergey Chernyshev
Last update 24 May 2012