Trojan:Win64/Sirefef.D is the 64-bit user-mode component of the Win32/Sirefef rootkit. It is the component responsible for generating fake traffic to the site visitor-counting service provided by "liveinternet.ru". Win32/Sirefef is a multi-component malware family that alters an affected user's Internet experience by modifying search results.
Trojan:Win64/Sirefef.D may be created by Win32/Sirefef rootkit installers, such as Trojan:Win32/Sirefef.J and Backdoor:Win32/Smadow.
The following folders, marked as "hidden", may also be created by the rootkit installer along with Trojan:Win64/Sirefef.D:
Trojan:Win64/Sirefef.D may be present as the file "counter.dll" in the first of the folders created above. However, if a user attempts to access these folders, the rootkit may terminate the accessing process.
The rootkit installers may also change the registry value "Type" to "1" for the following Windows service subkey when Trojan:Win64/Sirefef.D is installed:
Generates fake traffic for certain websites
Trojan:Win64/Sirefef.D generates fake traffic to the site visitor-counting service provided by "liveinternet.ru", a public webpage rating service. It queries the server "counter.yadro.ru" with the following GET request every 900 seconds:
GET /hit?t52.6;rhttp://0;s320*200*32;u/0;0.<value based on current time> HTTP/1.1
Referer: <website being promoted>0
User-Agent: Opera/6 (Windows NT 5.00; U)
where <website being promoted> is the website that it generates fake traffic for.
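The request above has a fixed shape (host, path prefix, screen-size string, User-Agent, and a Referer with a trailing "0") and a fixed 900-second cadence, which makes it easy to hunt for in proxy logs. The following is an added example, not part of the original analysis, that matches those indicators over constructed log lines in an assumed log format and flags clients whose hits recur at the 900-second interval; the log format, sample IPs and the promoted site are all assumptions.

```python
import re
from datetime import datetime

# Constructed proxy log format (an assumption for this example):
# <ISO timestamp> <client ip> <host> "<request line>" "<referer>" "<user-agent>"
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) "([^"]*)" "([^"]*)" "([^"]*)"$')

# Indicators taken from the request described in the analysis above
BEACON_HOST = "counter.yadro.ru"
BEACON_REQ_RE = re.compile(r'^GET /hit\?t52\.6;rhttp://0;s320\*200\*32;u/0;0\.\d+ HTTP/1\.1$')
BEACON_UA = "Opera/6 (Windows NT 5.00; U)"

def is_sirefef_beacon(host, req, ref, ua):
    """All four indicators must agree: host, request line, User-Agent and a Referer ending in '0'."""
    return (host == BEACON_HOST and BEACON_REQ_RE.match(req) is not None
            and ua == BEACON_UA and ref.endswith("0"))

def find_beacons(lines):
    """Return (timestamp, client ip, promoted site) for every log line matching the beacon."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m is None:
            continue  # not in the expected format
        ts, src, host, req, ref, ua = m.groups()
        if is_sirefef_beacon(host, req, ref, ua):
            # The Referer is the promoted site with a literal '0' appended; strip it
            hits.append((datetime.fromisoformat(ts), src, ref[:-1]))
    return hits

def periodic_sources(hits, period=900, tolerance=30):
    """Client IPs with consecutive beacons spaced at the 900-second interval (+/- tolerance)."""
    by_src = {}
    for ts, src, _ in sorted(hits):
        by_src.setdefault(src, []).append(ts)
    return {src for src, times in by_src.items()
            if any(abs((b - a).total_seconds() - period) <= tolerance
                   for a, b in zip(times, times[1:]))}

# Constructed sample: two beacons from 10.0.0.5 (900 s apart), one ordinary request,
# and one request to the counter host from a normal browser that must not match.
SAMPLE_LOG = [
    '2011-09-01T10:00:00 10.0.0.5 counter.yadro.ru "GET /hit?t52.6;rhttp://0;s320*200*32;u/0;0.1314871200 HTTP/1.1" "http://promoted.example/0" "Opera/6 (Windows NT 5.00; U)"',
    '2011-09-01T10:02:13 10.0.0.7 www.example.com "GET /index.html HTTP/1.1" "" "Mozilla/5.0 (Windows NT 6.1)"',
    '2011-09-01T10:15:00 10.0.0.5 counter.yadro.ru "GET /hit?t52.6;rhttp://0;s320*200*32;u/0;0.1314872100 HTTP/1.1" "http://promoted.example/0" "Opera/6 (Windows NT 5.00; U)"',
    '2011-09-01T10:20:00 10.0.0.9 counter.yadro.ru "GET /hit?t52.6;rhttp://0;s320*200*32;u/0;0.1314872400 HTTP/1.1" "http://promoted.example/0" "Mozilla/5.0 (Windows NT 6.1)"',
]
```

Requiring all four indicators plus the cadence keeps ordinary visits to the liveinternet.ru counter, which come from real browsers with real screen sizes, from being flagged.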
Analysis by Sergey Chernyshev
The following system changes may indicate the presence of this malware:
- The following registry change:
In subkey: HKLM\SYSTEM\CurrentControlSet\services\mrxsmb
Modified value: "Type"