Trojan:WinNT/Sirefef.H


Trojan:WinNT/Sirefef.H is a trojan that could intercept network traffic or inject code into other processes. It is installed by other malware such as TrojanDropper:Win32/Sirefef.B.



What to do now

Win32/Sirefef is a dangerous threat that uses advanced stealth techniques to hinder its detection and removal. If you are infected with Sirefef, we recommend you take the following steps to remove it.

Download and run the Microsoft Safety Scanner

Before you begin you will need:

  • A PC that is not infected and is connected to the Internet. You will use this PC to download a copy of the Microsoft Safety Scanner
  • A blank CD, DVD or USB drive. You will use this CD, DVD or USB drive to run the Scanner on your infected PC

  1. Download a copy of the Microsoft Safety Scanner from a clean, uninfected PC
  2. Save a copy of the Scanner on a blank CD, DVD, or USB drive
  3. Restart the infected PC
  4. Insert the CD, DVD, or USB drive into your infected PC and run the Scanner
  5. Let the Scanner clean your PC and remove any infections it finds

After running the scanner, make sure your antivirus software is up-to-date. You can update Microsoft security software by downloading the latest definitions.

The following Microsoft products detect and remove this threat:

Note that as part of the cleaning, our software might change some Windows services back to their default settings. If you had previously changed these settings, you might need to change them again.

The services that are reset include:

  • BFE – Base Filtering Engine
  • Iphlsvc – IP helper Service
  • MSMpSvc – Microsoft Antimalware service – MSE/FEP/SCEP
  • Sharedaccess – Internet Connection Sharing
  • WinDefend – Microsoft Antimalware service
  • Wscsvc – Windows Security Center

Threat behavior

Trojan:WinNT/Sirefef.H is a trojan that could intercept network traffic or inject code into other processes.

Installation

This trojan is installed by other malware such as TrojanDropper:Win32/Sirefef.B, a trojan dropper. In the wild, the trojan dropper may be distributed as executable files with enticing names, as in the following examples:

  • xxx-HD-movie.avi.exe
  • Serial-Hardware_Helper_1_0.45303.exe
  • Crack.Dream.Audio.Converter.Ul.exe
  • Keygen.All.My.Books.2.2.Build.1126.exe
  • Keygen.Speed.Connect.Internet.Accelerator.8.0.Portable.exe

When Trojan:WinNT/Sirefef.H executes, it creates a device named "\??\ACPI#PNP0303#2&da1a3ff&0\U\$<random 8 digits>" and injects trojan DLL code into the process "services.exe". The injected DLL code installs another trojan component into an Alternate Data Stream, as follows:

%SystemRoot%\%u:%u, where "%u" is a value computed from hard disk drive information (volume creation time).

Both the DLL and EXE file may be detected as Trojan:Win32/Sirefef.H.
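The following triage script is an added example and is not part of the Microsoft encyclopedia entry. It looks for the Alternate Data Stream layout described above (a digit-named file under %SystemRoot% carrying a digit-named second stream) and reports the state of the services the cleaner may reset. It assumes Windows PowerShell 3.0 or later run as Administrator; the service name iphlpsvc is the registered name of the IP Helper service listed above as "Iphlsvc".

```powershell
# Added triage script (not from the encyclopedia entry). Because Sirefef uses
# stealth techniques, a live infected system may hide these artifacts; running
# the checks from clean boot media is more reliable.

# 1. Look for %SystemRoot%\<digits>:<digits>, i.e. a file whose name is all
#    digits that carries an alternate data stream also named with digits.
function Find-SirefefStreams {
    param([string]$Root = $env:SystemRoot)
    Get-ChildItem -LiteralPath $Root -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match '^\d+$' } |
        ForEach-Object {
            Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' -and $_.Stream -match '^\d+$' } |
                ForEach-Object {
                    [pscustomobject]@{
                        File   = $_.FileName
                        Stream = $_.Stream
                        Length = $_.Length
                    }
                }
        }
}

# 2. Report the services the cleaner may reset to their defaults, so their
#    current state and start mode can be compared with what this machine expects.
function Get-SirefefServiceState {
    $names = 'BFE', 'iphlpsvc', 'MsMpSvc', 'SharedAccess', 'WinDefend', 'wscsvc'
    foreach ($n in $names) {
        $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$n'" -ErrorAction SilentlyContinue
        if ($svc) {
            [pscustomobject]@{ Name = $svc.Name; State = $svc.State; StartMode = $svc.StartMode }
        } else {
            [pscustomobject]@{ Name = $n; State = 'not installed'; StartMode = $null }
        }
    }
}

$hits = Find-SirefefStreams
if ($hits) {
    $hits | Format-Table -AutoSize
} else {
    "No digit-named alternate data streams found under $env:SystemRoot."
}
Get-SirefefServiceState | Format-Table -AutoSize
```

A hit from Find-SirefefStreams is a reason to run the Safety Scanner procedure above, not proof of infection on its own; legitimate digit-named files with streams are rare but possible.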

WinNT/Sirefef.H communicates with a number of NTP time servers.

Payload

Intercepts network traffic

This trojan has functionality to perform the following actions:

  • intercept network packets
  • provide network functionality and communicate over TCP and UDP
  • write to the memory of any process

Analysis by Shawn Wang


Symptoms

There are no common symptoms associated with this threat - links are activated within IFrames while viewing web content on maliciously modified pages. Alert notifications from installed antivirus software may be the only symptoms.

Prevention


Alert level: Severe
First detected by definition: 1.111.1739.0
Latest detected by definition: 1.111.1739.0 and higher
First detected on: Sep 08, 2011
This entry was first published on: Sep 08, 2011
This entry was updated on: Sep 02, 2013

This threat is also detected as:
  • Backdoor/Win32.ZAccess (AhnLab)
  • Rootkit.Win32.ZAccess.e (Kaspersky)
  • Mal/TDSSPack-A (Sophos)