Microsoft security software detects and removes this threat.

This family of malware uses stealth to hide its presence on your PC. Trojans in this family can do different things, including:

  • Downloading and running other files
  • Contacting remote hosts
  • Disabling security features

Members of the family can also change search results, which can generate money for the attackers who use Sirefef.

Variants of Win32/Sirefef may be installed by other malware, including variants of the Trojan:Win32/Necurs family.

For more information, please see the Win32/Sirefef family description.

What to do now

Win32/Sirefef is a dangerous threat that uses advanced stealth techniques to hinder its detection and removal. If you are infected with Sirefef, we recommend you take the following steps to remove it.

Download and run the Microsoft Safety Scanner

Before you begin you will need:

  • A PC that is not infected and is connected to the Internet. You will use this PC to download a copy of the Microsoft Safety Scanner
  • A blank CD, DVD or USB drive. You will use this CD, DVD or USB drive to run the Scanner on your infected PC
  1. Download a copy of the Microsoft Safety Scanner from a clean, uninfected PC
  2. Save a copy of the Scanner on a blank CD, DVD, or USB drive
  3. Restart the infected PC
  4. Insert the CD, DVD, or USB drive into your infected PC and run the Scanner
  5. Let the Scanner clean your PC and remove any infections it finds

After running the scanner, make sure your antivirus software is up-to-date. You can update Microsoft security software by downloading the latest definitions.

The following Microsoft products detect and remove this threat:

Note that as part of the cleaning, our software might change some Windows services back to their default settings. If you had previously changed these settings, you might need to change them again.

The services that are reset include:

  • BFE – Base Filtering Engine
  • Iphlsvc – IP helper Service
  • MSMpSvc – Microsoft Antimalware service – MSE/FEP/SCEP
  • Sharedaccess – Internet Connection Sharing
  • WinDefend – Microsoft Antimalware service
  • Wscsvc - Windows Security Center

Threat behavior


Trojan:Win32/Sirefef.AL is installed and run by other variants of Win32/Sirefef and may have the file name "800000cb.@".


Trojan:Win32/Sirefef.AL provides the function call "800000cb_2" for Win32/Sirefef.

This function is used to monitor and inject Win32/Sirefef into the system process "svchost.exe".

For more information, please see the Win32/Sirefef family entry elsewhere in our encyclopedia.

Analysis by Shali Hsieh


System changes

The following system changes may indicate the presence of this malware:

  • The presence of the file "800000cb.@"


Alert level: Severe
First detected by definition: 1.127.363.0
Latest detected by definition: 1.173.2181.0 and higher
First detected on: May 21, 2012
This entry was first published on: Jun 21, 2012
This entry was updated on: Sep 02, 2013

This threat is also detected as:
  • Rootkit.ZeroAccess.Gen.4 (VirusBuster)
  • Trojan.Sirefef.FZ (BitDefender)
  • Trojan.Win32.Sirefef (Ikarus)
  • Trojan.Win32.Zapchast.acao (Kaspersky)
  • (McAfee)
  • Troj/Sirefef-AZ (Sophos)
  • TROJ_SIREFEF.EM (Trend Micro)