Trojan:Win64/Sirefef.D is the 64-bit user-mode component of Win32/Sirefef - a multi-component family of malware that moderates your Internet experience by changing search results and generating pay-per-click advertising revenue for its controllers. The family consists of multiple parts that perform different functions, such as downloading updates and additional components, hiding existing components, or performing a payload.

What to do now

Win32/Sirefef is a dangerous threat that uses advanced stealth techniques to hinder its detection and removal. If you are infected with Sirefef, we recommend you take the following steps to remove it.

Download and run the Microsoft Safety Scanner

Before you begin you will need:

  • A PC that is not infected and is connected to the Internet. You will use this PC to download a copy of the Microsoft Safety Scanner
  • A blank CD, DVD or USB drive. You will use this CD, DVD or USB drive to run the Scanner on your infected PC

  1. Download a copy of the Microsoft Safety Scanner from a clean, uninfected PC
  2. Save a copy of the Scanner on a blank CD, DVD, or USB drive
  3. Restart the infected PC
  4. Insert the CD, DVD, or USB drive into your infected PC and run the Scanner
  5. Let the Scanner clean your PC and remove any infections it finds

After running the scanner, make sure your antivirus software is up-to-date. You can update Microsoft security software by downloading the latest definitions.

The following Microsoft products detect and remove this threat:

Note that as part of the cleaning, our software might change some Windows services back to their default settings. If you had previously changed these settings, you might need to change them again.

The services that are reset include:

  • BFE – Base Filtering Engine
  • Iphlpsvc – IP Helper service
  • MSMpSvc – Microsoft Antimalware service – MSE/FEP/SCEP
  • Sharedaccess – Internet Connection Sharing
  • WinDefend – Microsoft Antimalware service
  • Wscsvc – Windows Security Center

Threat behavior

Trojan:Win64/Sirefef.D is the 64-bit user-mode component of the Win32/Sirefef rootkit. It is the component responsible for generating fake traffic to the site visitor-counting service provided by "". Win32/Sirefef is a multi-component malware that moderates an affected user's Internet experience by modifying search results.


Trojan:Win64/Sirefef.D may be created by Win32/Sirefef rootkit installers, such as Trojan:Win32/Sirefef.J and Backdoor:Win32/Smadow.

The following folders, marked as "hidden", may also be created by the rootkit installer along with Trojan:Win64/Sirefef.D:

  • %windir%\$NtUninstallKB<decimal number>
  • %APPDATA%\<hexadecimal string>

Trojan:Win64/Sirefef.D may be present as the file "counter.dll" in the first folder created above. However, if a user attempts to access these folders, the rootkit may terminate the accessing process.

The rootkit installers may also change the registry value "Type" to "1" for the following Windows service subkey when Trojan:Win64/Sirefef.D is installed:



Generates fake traffic for certain websites

Trojan:Win64/Sirefef.D generates fake traffic to the site visitor-counting service provided by "" - a public webpage rating service. It queries the server "" with the following GET request every 900 seconds:

GET /hit?t52.6;rhttp://0;s320*200*32;u/0;0.<value based on current time> HTTP/1.1
Referer: <website being promoted>0
User-Agent: Opera/6 (Windows NT 5.00; U)

where <website being promoted> is the website that it generates fake traffic for.
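
As an added example (not part of the original entry), the following Python code scans web proxy log lines for the request described above and flags clients that repeat it at roughly the documented 900-second interval. The tab-separated log layout, the function names, the tolerance and hit threshold, and the sample lines are assumptions constructed for illustration.

```python
from collections import defaultdict

# Fixed parts of the request as documented in this entry.
BEACON_PREFIX = "/hit?t52.6;rhttp://0;s320*200*32;u/0;0."
BEACON_UA = "Opera/6 (Windows NT 5.00; U)"
BEACON_PERIOD = 900  # seconds between requests, per this entry

def parse_line(line):
    """Parse an assumed log layout: epoch, client, method, path, user-agent (tab-separated)."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) != 5 or not parts[0].isdigit():
        return None  # malformed line: skip rather than fail the whole run
    return int(parts[0]), parts[1], parts[2], parts[3], parts[4]

def find_beaconing_clients(lines, tolerance=60, min_hits=3):
    """Return {client: sorted timestamps} for clients repeating the request about every 900 s."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, client, method, path, ua = rec
        if method == "GET" and path.startswith(BEACON_PREFIX) and ua == BEACON_UA:
            hits[client].append(ts)
    flagged = {}
    for client, stamps in hits.items():
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        on_period = sum(1 for g in gaps if abs(g - BEACON_PERIOD) <= tolerance)
        if len(stamps) >= min_hits and on_period >= min_hits - 1:
            flagged[client] = stamps
    return flagged

# Constructed sample lines (not real traffic); clients use documentation address space.
_REQ = "GET\t" + BEACON_PREFIX
SAMPLE_LOG = [
    f"1320200000\t192.0.2.10\t{_REQ}1320200000\t{BEACON_UA}",
    f"1320200900\t192.0.2.10\t{_REQ}1320200900\t{BEACON_UA}",
    "1320201000\t192.0.2.30\tGET\t/index.html\tMozilla/5.0 (Windows NT 6.1)",
    f"1320201802\t192.0.2.10\t{_REQ}1320201802\t{BEACON_UA}",
    f"1320201900\t192.0.2.20\t{_REQ}1320201900\t{BEACON_UA}",  # single hit: not periodic
    f"1320202000\t192.0.2.30\t{_REQ}1320202000\tMozilla/5.0 (Windows NT 6.1)",  # wrong UA
    "truncated line",
]

if __name__ == "__main__":
    for client, stamps in find_beaconing_clients(SAMPLE_LOG).items():
        print(client, stamps)
```
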

Analysis by Sergey Chernyshev


System changes

The following system changes may indicate the presence of this malware:

  • The following registry change:

    In subkey: HKLM\SYSTEM\CurrentControlSet\services\mrxsmb
    Modified value: "Type"
    Data: "1"


Alert level: Severe
First detected by definition: 1.115.1100.0
Latest detected by definition: 1.173.2181.0 and higher
First detected on: Nov 02, 2011
This entry was first published on: Nov 02, 2011
This entry was updated on: Sep 02, 2013

This threat is also detected as:
  • Trojan.Sirefef.K (BitDefender)
  • ZeroAccess.b (McAfee)