
Trojan:Win32/Sefnit.AU


Microsoft security software detects and removes this threat.

This trojan is part of the Win32/Sefnit family. These trojans can give a hacker access to your PC, download files, spread through the eMule peer-to-peer file-sharing network, and use your PC and Internet connection to commit click fraud.

This particular variant is used by the family to install and update itself on your PC.



What to do now

The following free Microsoft software detects and removes this threat:

Even if we've already detected and removed this particular threat, running a full scan might find other malware that is hiding on your PC.

You can also visit the Microsoft virus and malware community for more help.

Threat behavior

Installation

Variants of this family can be installed by other malware or potentially unwanted software.

We have seen this variant call itself "Adobe Flash Player Update Service" by "Adobe Systems Incorporated", and use the file name FlashPlayerUpdateService.exe.

It copies itself to the following locations:

Additionally, on a 64-bit Windows operating system it will also create copies of itself in:

It creates the following jobs so it is run on a scheduled basis:

  • %windir%\Tasks\AdobeFlashPlayerUpdate 2.job
  • %windir%\Tasks\AdobeFlashPlayerUpdate.job

It adds itself as a service under the display name "Adobe Flash Player Update Service" by making the following registry changes:

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\AdobeFlashPlayerUpdateSvc\Enum
Sets value: "0"
With data: "Root\LEGACY_ADOBEFLASHPLAYERUPDATESVC\0000"

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\AdobeFlashPlayerUpdateSvc\Enum
Sets value: "Count"
With data: "0x00000001"

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\AdobeFlashPlayerUpdateSvc\Enum
Sets value: "NextInstance"
With data: "0x00000001"

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\AdobeFlashPlayerUpdateSvc\Security
Sets value: "Security"
With data: "01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 0B 00 00 00 00 00 18 00 FD 01 02 00 01 02 00 00 00 00 00 05 20 00 00 00 23 02 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00"

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\AdobeFlashPlayerUpdateSvc
Sets value: "Type"
With data: "0x00000020"

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\AdobeFlashPlayerUpdateSvc
Sets value: "ErrorControl"
With data: "0x00000001"

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\AdobeFlashPlayerUpdateSvc
Sets value: "ImagePath"
With data: "<system folder>\Macromed\Flash\FlashPlayerUpdateService.exe"

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\AdobeFlashPlayerUpdateSvc
Sets value: "DisplayName"
With data: "Adobe Flash Player Update Service"

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\AdobeFlashPlayerUpdateSvc
Sets value: "ObjectName"
With data: "LocalSystem"

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\AdobeFlashPlayerUpdateSvc
Sets value: "FailureActions"
With data: "FF FF FF FF 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 01 00 00 00 30 75 00 00"

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\AdobeFlashPlayerUpdateSvc
Sets value: "Description"
With data: "This service keeps your Adobe Flash Player installation up to date with the latest enhancements and security fixes."
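The FailureActions blob above is a serialized SERVICE_FAILURE_ACTIONS record and is what makes the fake update service self-restarting. The following decoder is an added example for analysts, not part of Microsoft's write-up; it takes the Type and FailureActions data exactly as listed above and decodes them with the documented Win32 layout (5 DWORD header, then one SC_ACTION per cActions).

```python
import struct

# Service "Type" bit flags and SC_ACTION types from the Win32 service API.
SERVICE_TYPE_FLAGS = {
    0x01: "SERVICE_KERNEL_DRIVER",
    0x02: "SERVICE_FILE_SYSTEM_DRIVER",
    0x10: "SERVICE_WIN32_OWN_PROCESS",
    0x20: "SERVICE_WIN32_SHARE_PROCESS",
    0x100: "SERVICE_INTERACTIVE_PROCESS",
}
SC_ACTION_TYPES = {0: "SC_ACTION_NONE", 1: "SC_ACTION_RESTART",
                   2: "SC_ACTION_REBOOT", 3: "SC_ACTION_RUN_COMMAND"}

def hex_dump_to_bytes(dump: str) -> bytes:
    """Turn a space-separated hex listing (as in the registry dump) into bytes."""
    return bytes.fromhex(dump.replace(" ", ""))

def parse_failure_actions(blob: bytes) -> dict:
    """Decode a REG_BINARY FailureActions value from a service key.
    On disk: dwResetPeriod, lpRebootMsg, lpCommand, cActions, lpsaActions
    (the two pointer fields are unused), then cActions x SC_ACTION{Type, Delay}."""
    if len(blob) < 20:
        raise ValueError("FailureActions blob too short for header")
    reset_period, _reboot_msg, _command, count, _actions_ptr = struct.unpack_from("<5I", blob, 0)
    expected = 20 + 8 * count
    if len(blob) < expected:
        raise ValueError(f"expected {expected} bytes for {count} action(s), got {len(blob)}")
    actions = []
    for i in range(count):
        act_type, delay_ms = struct.unpack_from("<2I", blob, 20 + 8 * i)
        actions.append({"type": SC_ACTION_TYPES.get(act_type, f"UNKNOWN({act_type})"),
                        "delay_ms": delay_ms})
    # 0xFFFFFFFF (INFINITE) means the failure counter is never reset.
    return {"reset_period_infinite": reset_period == 0xFFFFFFFF,
            "reset_period_s": reset_period, "actions": actions}

def decode_service_type(value: int) -> list:
    """Expand the Type DWORD into its named flags."""
    return [name for bit, name in SERVICE_TYPE_FLAGS.items() if value & bit]

# Values as listed for AdobeFlashPlayerUpdateSvc in the registry changes above.
FAILURE_ACTIONS_HEX = ("FF FF FF FF 00 00 00 00 00 00 00 00 01 00 00 00 "
                       "00 00 00 00 01 00 00 00 30 75 00 00")
SERVICE_TYPE = 0x20

if __name__ == "__main__":
    print("Type:", decode_service_type(SERVICE_TYPE))
    print("FailureActions:", parse_failure_actions(hex_dump_to_bytes(FAILURE_ACTIONS_HEX)))
```

Decoded, the blob says: one action, SC_ACTION_RESTART after 30000 ms, with an infinite reset period, so the service is restarted 30 seconds after any failure indefinitely.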


Payload

Downloads malware

The trojan connects to remote servers, known as command and control (C&C) servers. When connected, it tries to download data that it decrypts into an XML file, which specifies what further files to download or actions to take.

Some of the C&C domains known to be used by this trojan include:

  • srvupd.com
  • srvupd.net
  • svcupd.net
  • updsrv.net
  • updsvc.com
  • updsvc.net

These C&C servers are contacted periodically with a standard HTTP GET request, for example HTTP GET http://updsvc.net/<removed>/3f76764a34f81e63df90b61f65b31d75/2.

We have seen the trojan download and run the following files, among others:

  • http://jameslipon.no-ip.biz/<removed>/tc.c1
  • http://kimberlybroher.no-ip.biz/<removed>/tc.c1
  • http://olivasonny.no-ip.biz/<removed>/tc.c1
  • http://patricevaillancourt.sytes.net/<removed>/tc.c1
  • http://timothymahoney.ddns.me.uk/<removed>/tc.c1

These downloaded files are detected as other variants of the Win32/Sefnit family.
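As an added, defender-side example (not part of Microsoft's write-up), the following Python triage flags proxy-log entries matching the network indicators above: the listed C&C domains, the beacon path shape from the example GET (a 32-hex-character segment followed by a number), and tc.c1 downloads from the dynamic-DNS hosts. The log format and its sample lines are constructed for this example; the placeholder segment "example" stands in for the <removed> part of the real paths.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# C&C domains listed in the analysis above.
SEFNIT_CC_DOMAINS = {"srvupd.com", "srvupd.net", "svcupd.net",
                     "updsrv.net", "updsvc.com", "updsvc.net"}
# Dynamic-DNS suffixes of the hosts seen serving the tc.c1 downloads above.
DYNDNS_SUFFIXES = (".no-ip.biz", ".sytes.net", ".ddns.me.uk")
# Beacon path shape from the example GET: /<removed>/<32 hex chars>/<number>
BEACON_PATH = re.compile(r"^/.+/[0-9a-f]{32}/\d+$")

def classify_request(url: str) -> Optional[str]:
    """Return a verdict label for one requested URL, or None if it is clean."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host in SEFNIT_CC_DOMAINS:
        return "sefnit-c2-domain"          # strongest indicator: known C&C host
    if BEACON_PATH.match(parts.path):
        return "sefnit-beacon-path"        # weaker: same check-in URL shape, other host
    if parts.path.endswith("/tc.c1") and host.endswith(DYNDNS_SUFFIXES):
        return "sefnit-payload-download"   # second-stage download pattern
    return None

def scan_proxy_log(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Scan constructed proxy lines (time client method url status) and
    return (line_no, verdict, url) for every line that matches an indicator."""
    hits = []
    for n, line in enumerate(lines, 1):
        fields = line.split()
        if len(fields) < 4:
            continue                       # malformed line, skip rather than crash
        verdict = classify_request(fields[3])
        if verdict:
            hits.append((n, verdict, fields[3]))
    return hits

# Constructed sample log; hosts and hex segment come from the indicators above.
SAMPLE_PROXY_LOG = [
    "2013-09-01T10:00:00Z 10.0.0.5 GET http://updsvc.net/example/3f76764a34f81e63df90b61f65b31d75/2 200",
    "2013-09-01T10:00:03Z 10.0.0.5 GET http://jameslipon.no-ip.biz/example/tc.c1 200",
    "2013-09-01T10:00:07Z 10.0.0.9 GET http://www.microsoft.com/en-us/default.aspx 200",
    "2013-09-01T10:00:09Z 10.0.0.5 GET http://cdn.example.net/example/3f76764a34f81e63df90b61f65b31d75/2 200",
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(hit)
```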

Additional information

The Win32/Sefnit family is known to use Tor or Secure Shell (SSH) provided by PuTTY as its C&C communication channels.

Running files downloaded from peer-to-peer networks like eMule, µTorrent, and Shareaza puts you at a high risk of being infected by trojans and other malware.

Analysis by Geoff McDonald


Symptoms

You may notice sluggish computer performance, large bandwidth usage, and slow Internet performance.


Prevention


Alert level: Severe
First detected by definition: 1.157.833.0
Latest detected by definition: 1.173.2181.0 and higher
First detected on: Aug 31, 2013
This entry was first published on: Aug 31, 2013
This entry was updated on: Nov 15, 2013

This threat is also detected as:
No known aliases