
Trojan:Win32/Sefnit.BW


Microsoft security software detects and removes this threat.

This threat is part of the Win32/Sefnit family of trojans. It can give a malicious hacker access to your PC, download files, and use your PC and Internet connection for click fraud.

It can also use your PC to mine Litecoins.

This type of threat can be downloaded by other malware, or bundled with other software and downloaded through peer-to-peer file sharing networks.

If you have this detected on your PC, then it's likely you're infected with other parts of the Win32/Sefnit family.



What to do now

The following free Microsoft software detects and removes this threat:

Even if we've already detected and removed this particular threat, running a full scan might find other malware that is hiding on your PC.

Get more help

You can also see our advanced troubleshooting page for more help.

If you’re using Windows XP, see our Windows XP end of support page.

Threat behavior

Installation

Trojan:Win32/Sefnit.BW installs itself into one of the following locations:

Variants of this family can be installed by exploits, other malware or unwanted software.

The trojan might register itself as a service with the name "Windows Themes" by modifying the registry:

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\winthemes\Enum
Sets value: "0"
With data: "Root\LEGACY_WINTHEMES\0000"

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\winthemes
Sets value: "ImagePath"
With data: "C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\winthemes_service.dll,init_service"

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\winthemes
Sets value: "DisplayName"
With data: "Windows Themes"

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\winthemes
Sets value: "ObjectName"
With data: "LocalSystem"

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\winthemes
Sets value: "Description"
With data: "Provides user experience theme management."
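The registry values above are what a responder would look for in a registry export from a suspect machine. The following is an added example, not code from this page or from Microsoft: it parses a small `.reg` export (the sample below is constructed, with a legitimate `Themes` service entry next to the fake `winthemes` one) and flags a service that matches the Sefnit.BW indicators listed above. The `.reg` parser only decodes quoted string data; other value types are kept raw.

```python
"""Check a Windows registry export (.reg text) for the Sefnit.BW "Windows Themes"
service indicators listed on this page. The export below is a constructed sample."""
import re

# Constructed sample: the real Themes service (hosted by svchost) next to the fake one.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Themes]
"DisplayName"="Themes"
"ImagePath"="%SystemRoot%\\System32\\svchost.exe -k netsvcs"
"ObjectName"="LocalSystem"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\winthemes]
"DisplayName"="Windows Themes"
"ImagePath"="C:\\WINDOWS\\system32\\rundll32.exe C:\\WINDOWS\\system32\\winthemes_service.dll,init_service"
"ObjectName"="LocalSystem"
"Description"="Provides user experience theme management."

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\winthemes\Enum]
"0"="Root\\LEGACY_WINTHEMES\\0000"
'''

_KEY_RE = re.compile(r'^\[(.+)\]$')
_VAL_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')
SERVICES = 'HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\'


def _unescape(s):
    # .reg string data escapes backslash and double quote with a backslash.
    return s.replace('\\\\', '\\').replace('\\"', '"')


def parse_reg(text):
    """Return {key_path: {value_name: data}}. Only quoted (REG_SZ) data is decoded;
    dword:/hex: data is stored as the raw text after the '='."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('Windows Registry Editor'):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = _VAL_RE.match(line)
        if m and current is not None:
            name, data = _unescape(m.group(1)), m.group(2)
            if data.startswith('"') and data.endswith('"'):
                data = _unescape(data[1:-1])
            keys[current][name] = data
    return keys


def load_reg_file(path):
    """reg.exe writes exports as UTF-16 LE with a BOM; the utf-16 codec handles the BOM."""
    with open(path, encoding='utf-16') as f:
        return parse_reg(f.read())


def find_sefnit_services(keys):
    """Return [(service_name, [reasons])] for service keys matching the page's indicators."""
    hits = []
    for path, values in keys.items():
        if not path.upper().startswith(SERVICES.upper()):
            continue
        name = path[len(SERVICES):]
        if '\\' in name:            # subkeys such as ...\winthemes\Enum are handled via the parent
            continue
        reasons = []
        image = values.get('ImagePath', '').lower()
        if 'rundll32.exe' in image and 'winthemes_service.dll' in image:
            reasons.append('ImagePath loads winthemes_service.dll via rundll32')
        if name.lower() == 'winthemes':
            reasons.append('service key name winthemes')
        if values.get('DisplayName') == 'Windows Themes' and name.lower() != 'themes':
            reasons.append('DisplayName "Windows Themes" on a key that is not Themes')
        enum = keys.get(path + '\\Enum', {})
        if 'LEGACY_WINTHEMES' in enum.get('0', '').upper():
            reasons.append('Enum\\0 = Root\\LEGACY_WINTHEMES')
        if reasons:
            hits.append((name, reasons))
    return hits


if __name__ == '__main__':
    for svc, why in find_sefnit_services(parse_reg(SAMPLE_REG)):
        print(svc, '->', '; '.join(why))
```

On a live machine the export to feed `load_reg_file` comes from `reg export HKLM\SYSTEM\CurrentControlSet\Services services.reg`; `sc query winthemes` is the quick check for the service itself. Note that the legitimate service is keyed `Themes` and runs inside svchost, so a `Themes`-like display name on a `rundll32.exe`-backed service is the tell.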

The trojan may contact a command and control (C&C) server to download and run additional files.

We have seen the threat try to communicate with the following servers:

  • gerrardinokelseysullivanudosk.<removed>.com/cpu_32.zip
  • katherinemilestribonchi.<removed>.com/cpu_32.zip
  • lambertfosterhumbertlombo.<removed>.com/cpu_32.zip
  • wimariahlynchebiaonto.<removed>.com/cpu_32.zip

We have also seen the threat try to communicate with the following servers using an outgoing SSH connection on port 443:

  • albfznc.su
  • dmzhor.com
  • gonjk.su
  • gxedw.net
  • metfsy.org
  • pubzat.com
  • ralwze.net
  • xapjy.org
Payload

Downloads other malware

The trojan connects to remote servers, known as command and control (C&C) servers. When connected, it tries to download data that tells it what files to download or actions to take.

Some of the C&C download URLs known to be used by this trojan include:

  • gerrardinokelseysullivanudosk.<removed>.com/cpu_32.zip
  • katherinemilestribonchi.<removed>.com/cpu_32.zip
  • lambertfosterhumbertlombo.<removed>.com/cpu_32.zip
  • wimariahlynchebiaonto.<removed>.com/cpu_32.zip

Uses your PC for click fraud

This variant uses your PC's internet connection to perform click fraud. The MMPC blog "Another way Microsoft is disrupting the malware ecosystem" explains what click fraud is and how malware can use your PC to do it.

We have seen Sefnit using the 3proxy service to proxy HTTP traffic to emulate a user browsing the Internet and clicking on advertisements.

Uses your PC for Litecoin mining

Some versions of this threat use your PC to mine Litecoins. Litecoin is a cryptocurrency similar to Bitcoin. Side effects may include slower computer performance, hardware degradation, and higher power consumption.

Additional information

This variant of the Sefnit family is known to use SSH provided by PuTTY as its C&C communication channel. Outgoing SSH connections on port 443 to one of the following C&C servers are expected in some cases:

  • albfznc.su
  • dmzhor.com
  • gonjk.su
  • gxedw.net
  • metfsy.org
  • pubzat.com
  • ralwze.net
  • xapjy.org  
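SSH on TCP/443 is the network tell here: port 443 normally carries TLS, and an SSH session announces itself with a plaintext identification string before any encryption starts, so the protocol can be recognised from the first bytes the client sends without decrypting anything. The following is an added example, not code from this page or from Microsoft: it classifies the first client bytes of each connection, flags SSH on 443, and separately matches the C&C domains listed above. The connection records are constructed; the PuTTY banner in them is illustrative and the check keys only on the `SSH-` prefix.

```python
"""Flag outbound connections that carry SSH on TCP/443 (the Sefnit.BW C&C channel
described on this page) or that go to the C&C domains listed here.
The connection records are constructed samples."""
from collections import namedtuple

# payload: the first bytes the client sent on the connection (e.g. from a pcap)
Conn = namedtuple('Conn', 'src dst dport payload')

# C&C domains from this page (the <removed> download hosts are not usable and are left out).
SEFNIT_C2 = {'albfznc.su', 'dmzhor.com', 'gonjk.su', 'gxedw.net',
             'metfsy.org', 'pubzat.com', 'ralwze.net', 'xapjy.org'}


def classify(payload):
    """Guess the application protocol from the first bytes the client sends."""
    if payload.startswith(b'SSH-'):                      # SSH identification string (RFC 4253, 4.2)
        return 'ssh'
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03:
        return 'tls'                                      # TLS handshake record, ClientHello
    if payload.split(b' ', 1)[0] in (b'GET', b'POST', b'HEAD', b'CONNECT'):
        return 'http'
    return 'unknown'


def analyse(conns):
    """Return [(conn, [reasons])] for connections matching the page's indicators."""
    findings = []
    for c in conns:
        reasons = []
        if c.dport == 443 and classify(c.payload) == 'ssh':
            reasons.append('SSH identification string on TCP/443 (expected TLS)')
        host = c.dst.lower().rstrip('.')
        if host in SEFNIT_C2 or any(host.endswith('.' + d) for d in SEFNIT_C2):
            reasons.append('destination is a known Sefnit.BW C&C domain')
        if reasons:
            findings.append((c, reasons))
    return findings


# Constructed samples: a normal TLS connection, the Sefnit pattern to a listed domain,
# the same pattern to an unlisted address, and ordinary SSH on port 22.
SAMPLE = [
    Conn('10.0.0.5', 'www.microsoft.com', 443, b'\x16\x03\x01\x00\xc8\x01'),
    Conn('10.0.0.5', 'gxedw.net', 443, b'SSH-2.0-PuTTY_Release_0.62\r\n'),
    Conn('10.0.0.5', '203.0.113.7', 443, b'SSH-2.0-PuTTY_Release_0.62\r\n'),
    Conn('10.0.0.5', 'git.example.org', 22, b'SSH-2.0-OpenSSH_6.6\r\n'),
]

if __name__ == '__main__':
    for conn, why in analyse(SAMPLE):
        print(f'{conn.dst}:{conn.dport}', '->', '; '.join(why))
```

The third sample shows why the protocol check matters more than the domain list: the domains rotate, but SSH on 443 to a host that is not an SSH server of yours stays anomalous. Sensors that do dynamic protocol detection (Zeek labels the service field from content rather than port) surface the same mismatch directly.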

Analysis by Geoff McDonald


Symptoms

The following could indicate that you have this threat on your PC:

  • You have some of these files: 
  • You may see an outgoing SSH connection from the PC using port 443.
  • Your computer performance may be slow due to Litecoin mining.
  • You see the service "Windows Themes" running.
  • You see this entry or key in your registry:

    In subkey: HKLM\SYSTEM\CurrentControlSet\Services\winthemes
    Sets value: "ImagePath"
    With data: "C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\winthemes_service.dll,init_service"

Prevention


Alert level: Severe
First detected by definition: 1.169.1464.0
Latest detected by definition: 1.175.1571.0 and higher
First detected on: Apr 02, 2014
This entry was first published on: Apr 08, 2014
This entry was updated on: Jun 27, 2014

This threat is also detected as:
  • Trojan.Win32.Sefnit (Ikarus)