Microsoft security software detects and removes this threat.

It uses your PC to do click fraud. It does this in the background, so you may not notice anything unusual.

If this threat is detected on your PC, it's likely you're infected with other malware from the Win32/Sefnit family. This malware family can give a malicious hacker access to your PC to download files and other malware.

This threat can be downloaded onto your PC by other malware, or it might have been bundled together with other software. Other variants of Win32/Sefnit are also downloaded through peer-to-peer sharing networks.

What to do now

Use the following free Microsoft software to detect and remove this threat:

You should also run a full scan. A full scan might find other hidden malware.

Get more help

You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.

If you’re using Windows XP, see our Windows XP end of support page.

Threat behavior


Variants of this family can be installed by other malware or unwanted software.

We have seen it included in software bundlers that install clean applications. The following is an example of a software bundler that silently installs Sefnit:

This variant copies itself to the following location:

Note: In some cases this file path may correspond to a legitimate clean file as well.

The trojan registers itself as a service in the registry. We have seen it use these names:

  • Windows Internet Name Service
  • Bluetooth LE Services Control Protocol
  • Network connection monitor
  • Windows Network Connection Service

Note: In some cases these names may correspond to legitimate clean services as well.

It may add two scheduled jobs so it runs on a regular basis:

Where <job name> changes depending on the variant, for example TrustedInstaller Update.job and TrustedInstaller Update 2.job.


Uses your PC for click fraud

This threat acts as a network proxy to do click fraud.

A hacker can use your PC to relay Internet traffic that simulates a user browsing the Internet and clicking on ads. We have seen this threat using the open-source 3proxy service to do this. It does this in the background, so you are unlikely to notice anything unusual.

For more information about how Sefnit dos click fraud, see our blog Mevade and Sefnit: Stealthy click fraud, and to read about what click fraud is and how malware can use your PC to do it, see Another way Microsoft is disrupting the malware ecosystem.

Downloads other malware

The trojan connects to remote servers, known as C&C servers. When connected, it tries to download data that tells it what files to download or actions to take.
Some of the C&C domains known to be used by this trojan include:


Additional information

This threats uses a C&C infrastructure that mixes HTTP and SSH. Standard HTPP is used to download and read an encrypted XML file that specifies download-and-run commands as well as the C&C server to be used for SSH. Clean library code from the PuTTY project is used to implement the SSH client.

This threat is only one component of Sefnit. Typically, up to three known components are installed around the same time on an infected PC. For details on these other components, please refer to the Win32/Sefnit family description.

You can also read more about the family in our blog Mevade and Sefnit: Stealthy click fraud.

Since August 2013, there has been a considerable increase in the Tor network's incoming connecting users - this is believed to be as result of the Sefnit family using Tor for its C&C communication. This is shown in the following graph from the Tor metrics portal:

Running files downloaded from peer-to-peer networks like eMule, µTorrent, and Shareaza puts you at a high risk of being infected by trojans and other malware.

Analysis by Geoff McDonald


The following could indicate that you have this threat on your PC:


Alert level: Severe
First detected by definition: 1.153.816.0
Latest detected by definition: 1.173.2181.0 and higher
First detected on: Jun 28, 2013
This entry was first published on: Sep 19, 2013
This entry was updated on: Oct 20, 2014

This threat is also detected as:
  • Win32/InstallBrain.AK (ESET)
  • Backdoor.Mevade (Symantec)
  • BKDR_MEVADE.A (Trend Micro)
  • TR/Mevade.A (Avira)
  • Trojan.Win32.Mevade (Ikarus)
  • Trojan/Win32.ADH (AhnLab)
  • Trojan-Downloader.Win32.AVDisguise.a (Kaspersky)
  • winpe/Mevade.A (Norman)