Trojan:Win64/Sirefef.B

Encyclopedia entry
Updated: Oct 30, 2012  |  Published: Jun 21, 2011

Aliases
  • BackDoor.Maxplus.23 (Dr.Web)
  • ZeroAccess.b (McAfee)
  • Zero Access rootkit (other)
  • Max++ (other)
  • ZAccess (other)

Alert Level
Severe

Antimalware protection details
Microsoft recommends that you download the latest definitions to get protected.
Detection last updated:
Definition: 1.147.1763.0
Released: Apr 13, 2013
Detection initially created:
Definition: 1.107.77.0
Released: Jun 21, 2011

Summary

Trojan:Win64/Sirefef.B is a trojan that connects to a remote server to download arbitrary files, which can include malware such as other components of Sirefef. It may be present on an affected computer as a file named "consrv.dll".

Caution: Sirefef is a dangerous threat that uses advanced stealth techniques in order to hinder its detection and removal. As a consequence of being infected with this threat, you may need to repair and reconfigure some Windows security features. Please see Additional remediation steps in this entry for more information.

Symptoms

System changes

The following system changes may indicate the presence of this malware:

  • The presence of the following files:
    %windir%\System32\consrv.dll
  • Alert notifications from installed antivirus software may be the only symptoms.

Technical Information (Analysis)

Trojan:Win64/Sirefef.B is a trojan that connects to a remote server to download arbitrary files, which can include malware such as other components of Sirefef.

Installation

This trojan is installed by other malware, such as Trojan:Win64/Sirefef.A, and may be present on an affected computer as the following file:

  • %windir%\System32\consrv.dll

The trojan is injected into the process "svchost.exe" and its payload is executed.

Payload

Downloads arbitrary files
Trojan:Win64/Sirefef.B connects to a remote server to retrieve commands that could include the following actions:

  • download arbitrary files or updated Sirefef components
  • execute retrieved files
  • inject retrieved files into other processes

Analysis by Shawn Wang

Prevention

Recovery

To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an up-to-date Microsoft security solution.

Some Sirefef infections may prevent you from running your Microsoft security solution. If this happens, you should uninstall your antivirus, reinstall it, then run a full-system scan. You can read about how to uninstall a program here.

The following Microsoft products detect and remove this threat:

Additional remediation steps

Sirefef makes lasting changes to your computer’s security settings that may need to be repaired. Sirefef stops and deletes a number of different security-related services on your computer. When using Microsoft security solutions to clean a Sirefef infection, these services will be restored to the Windows default installation settings.
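The two host-side checks this entry describes, the indicator file under Symptoms and the security-related services that Additional remediation steps says Sirefef stops and deletes, can be run together from PowerShell. The following triage script is an added example and is not part of the Microsoft encyclopedia entry. The file path comes from the entry; the entry does not name which services Sirefef removes, so the service list below is an assumption drawn from common Windows security services and should be adjusted for the environment being checked.

```powershell
# Added example, not from the encyclopedia entry: post-infection triage for a
# host suspected of Sirefef. Run in an elevated PowerShell session (3.0+).
# The indicator path is the one named in the entry; the service list is an
# ASSUMPTION (the entry does not say which services Sirefef deletes).

$indicatorFiles = @(
    (Join-Path $env:windir 'System32\consrv.dll')   # file named under Symptoms/Installation
)

# ASSUMED set of security-related services worth verifying after cleanup.
$securityServices = @(
    'WinDefend',   # Windows Defender
    'MpsSvc',      # Windows Firewall
    'wscsvc',      # Security Center
    'BITS',        # Background Intelligent Transfer Service (used by Windows Update)
    'wuauserv'     # Windows Update
)

$findings = @()

# 1. Indicator file check: record size and last-write time if present, for triage notes.
foreach ($path in $indicatorFiles) {
    if (Test-Path -LiteralPath $path) {
        $item = Get-Item -LiteralPath $path -Force
        $findings += [pscustomobject]@{
            Check  = 'IndicatorFile'
            Name   = $path
            Status = 'PRESENT'
            Detail = "Size=$($item.Length) LastWriteUtc=$($item.LastWriteTimeUtc.ToString('u'))"
        }
    } else {
        $findings += [pscustomobject]@{ Check = 'IndicatorFile'; Name = $path; Status = 'absent'; Detail = '' }
    }
}

# 2. Service check: a missing service matches the entry's description of Sirefef
#    deleting security-related services; a stopped or disabled one still needs repair.
foreach ($name in $securityServices) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $svc) {
        $findings += [pscustomobject]@{ Check = 'Service'; Name = $name; Status = 'MISSING'; Detail = 'service not registered' }
        continue
    }
    $startMode = (Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'").StartMode
    $status = if ($svc.Status -ne 'Running' -or $startMode -eq 'Disabled') { 'DEGRADED' } else { 'ok' }
    $findings += [pscustomobject]@{ Check = 'Service'; Name = $name; Status = $status; Detail = "State=$($svc.Status) StartMode=$startMode" }
}

$findings | Format-Table -AutoSize

# Exit non-zero when anything needs attention, so the script is usable from a
# scheduled task or a remote session.
$suspicious = $findings | Where-Object { $_.Status -ne 'ok' -and $_.Status -ne 'absent' }
if ($suspicious) { exit 1 } else { exit 0 }
```

The script only reports; repair of deleted services is left to the Microsoft security solution and Fixits the entry refers to, since restoring a service means restoring its registry configuration and binaries, not merely starting it.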

The following Microsoft Fixits can be used for additional repair and configuration: