Trojan:Win64/Sirefef.P
First posted on 28 June 2012.
Source: Microsoft
Aliases:
Trojan:Win64/Sirefef.P is also known as Trojan.Sirefef.FS (BitDefender), Win64/Sirefef.W (ESET), HEUR:Backdoor.Win64.Generic (Kaspersky), ZeroAccess (McAfee), Troj/Sirefef-AP (Sophos), TROJ_SIREFEF.RB (Trend Micro).
Explanation:
Trojan:Win64/Sirefef.P is a user-mode component of the Sirefef malware family and runs on the 64-bit version of Windows. Sirefef is a multi-component family whose components perform different functions, such as downloading updates and additional Sirefef components, hiding existing Sirefef components, or performing a payload. This malware interferes with your Internet experience by changing search results and generating pay-per-click advertising revenue for the malware controllers.
Installation
Trojan:Win64/Sirefef.P is installed and executed by other variants of Sirefef and may be present as a file named "n" or "desktop.ini". Please note that "desktop.ini" is also the name of a legitimate Windows system file.
This component of Sirefef provides selected function calls for Win64/Sirefef to establish network connections.
Trojan:Win64/Sirefef.P executes another component of Sirefef, usually named one of the following:
- <system folder>\assembly\temp\U\80000064.@
- <system folder>\Installer\{GUID}\U\80000064.@
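As an added, defender-side example that is not part of the Microsoft entry: a small Python scanner that turns the two component locations listed above into a hunt, matching the `{GUID}` directory with a regular expression and ignoring look-alike directory names. The root path, the constructed sample tree (empty marker files) and the function names are assumptions made for this demonstration.

```python
import os
import re
import tempfile
from pathlib import Path

# A Windows Installer GUID directory name, e.g. {01234567-89AB-CDEF-0123-456789ABCDEF}
GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
COMPONENT_NAME = "80000064.@"   # file name given in the description


def find_sirefef_component_paths(system_folder):
    """Return the full paths, as strings, of files at either location
    the description lists: <system folder>\\assembly\\temp\\U\\80000064.@
    and <system folder>\\Installer\\{GUID}\\U\\80000064.@."""
    root = Path(system_folder)
    hits = []
    fixed = root / "assembly" / "temp" / "U" / COMPONENT_NAME
    if fixed.is_file():
        hits.append(fixed)
    installer = root / "Installer"
    if installer.is_dir():
        for entry in installer.iterdir():
            # Only directories whose name is a well-formed {GUID} qualify
            if entry.is_dir() and GUID_RE.match(entry.name):
                cand = entry / "U" / COMPONENT_NAME
                if cand.is_file():
                    hits.append(cand)
    return sorted(str(p) for p in hits)


def build_sample_tree(base):
    """Create a constructed, benign tree that mimics both listed paths,
    plus a decoy under a non-GUID directory that must NOT be reported."""
    base = Path(base)
    for rel in ("assembly/temp/U",
                "Installer/{01234567-89AB-CDEF-0123-456789ABCDEF}/U",
                "Installer/NotAGuid/U"):          # decoy
        d = base / rel
        d.mkdir(parents=True, exist_ok=True)
        (d / COMPONENT_NAME).write_bytes(b"")
    return base


def run_demo():
    """Scan a throw-away copy of the sample tree; return hits relative to it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return [os.path.relpath(h, tmp) for h in find_sirefef_component_paths(tmp)]


if __name__ == "__main__":
    for hit in run_demo():
        print("possible Sirefef component:", hit)
```

On a real host, call find_sirefef_component_paths on the actual system folder (for example the value of the SystemRoot environment variable) instead of the constructed tree; a hit is a lead for further analysis, not proof of infection on its own.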
Payload
Intercepts Windows system calls
Trojan:Win64/Sirefef.P replaces the following system APIs with its own malicious instructions so that calls made to the original API will run the malicious code instead:
- AcceptEx
- GetAcceptExSockaddrs
- getnetbyname
- inet_network
- NSPStartup
- TransmitFile
Trojan:Win64/Sirefef.P hooks the API "WSPStartup" to enable it to run.
Additional information
For more information about Win32/Sirefef, see the family description elsewhere in our encyclopedia.
Analysis by Shali Hsieh
Last update 28 June 2012