Follow:

You have been re-routed to the Trojan:Win32/Sirefef.P write up because Trojan%3aWin32%2fSirefef.P has been renamed to Trojan:Win32/Sirefef.P
 

Trojan:Win32/Sirefef.P


Microsoft security software detects and removes this threat.

This family of malware uses stealth to hide itself. Trojans in this family can do different things, including:

  • Downloading and running other files
  • Contacting remote hosts
  • Disabling security features

Members of the family can also change search results, which can generate money for the attackers who use Sirefef.

Variants of Win32/Sirefef may be installed by other malware, including variants of the Trojan:Win32/Necurs family.

See the Win32/Sirefef family description for more information.



What to do now

The following free Microsoft software detects and removes this threat:

Run the Microsoft Safety Scanner

If you're having trouble cleaning Win32/Sirefef, the Microsoft Safety Scanner may help you remove it:

After you've used the Microsoft Safety Scanner, you should make sure your security software is up to date and run a full scan:

Even if we've already detected and removed this particular threat, running a full scan might find other malware that is hiding on your PC.

Note that as part of the cleaning, our software might change some Windows services back to their default settings. If you had previously changed these settings, you might need to change them again.

The services that are reset include:

  • BFE – Base Filtering Engine
  • Iphlsvc – IP helper Service
  • MSMpSvc – Microsoft Antimalware service – MSE/FEP/SCEP
  • Sharedaccess – Internet Connection Sharing
  • WinDefend – Microsoft Antimalware service
  • Wscsvc - Windows Security Center

You can also visit the Microsoft virus and malware community for more help.

Threat behavior

Trojan:Win32/Sirefef.P is a trojan component of Win32/Sirefef - a multi-component family of malware that disturbs your Internet experience by changing search results, and generates pay-per-click advertising revenue for its controllers. The family consists of multiple parts that do different functions, like downloading updates and additional components, hiding existing components, or running payload routines.

Installation

Trojan:Win32/Sirefef.P is installed by other malware and may have the file name wpbt0.dll. The trojan component is responsible for downloading other malicious components.

In the wild, we have observed some variants of Trojan:Win32/Sirefef.P installed with other malware, including those detected as Win32/Vobfus and Win32/Cycbot.

Analysis by Jireh Sanico


Symptoms

Alerts from your security software may be the only symptom.


Prevention


Alert level: Severe
First detected by definition: 1.115.1237.0
Latest detected by definition: 1.177.2267.0 and higher
First detected on: Nov 04, 2011
This entry was first published on: Nov 04, 2011
This entry was updated on: Dec 18, 2013

This threat is also detected as:
  • Win32/Sirefef.DK (ESET)
  • Trojan.Win32.Jorik.ZAccess.qe (Kaspersky)
  • FakeAlert-GA.gen.r (McAfee)
  • Trojan.Gen.2 (Symantec)
  • Cryp_FakeAV-56 (Trend Micro)