TrojanDropper:Win32/Sirefef.B

(?)

Encyclopedia entry
Updated: Oct 30, 2012 | Published: Dec 09, 2010

Aliases

Dropper/Smiscer.79360.B

AhnLab

W32/Dropper.AYXZ (Command)
W32/Obfuscated.T (Norman)
Trojan.DR.Smiscer!DcK/dp3l7Dg (VirusBuster)
Trojan horse Crypt.NSQ (AVG)
TR/Drop.Smiscer.HF.1 (Avira)
Trojan.Generic.IS.439387 (BitDefender)
Win32/Sirefef.Z (CA)
BackDoor.Maxplus.6 (Dr.Web)
Win32/Sirefef.P (ESET)
Trojan-Dropper.Win32.Smiscer (Ikarus)
Trojan-Dropper.Win32.Smiscer.hf (Kaspersky)
Trj/Dropper.WF (Panda)
Trojan.Win32.Generic.51F92A9D (Rising AV)
Mal/EncPk-NL (Sophos)
Trojan-Dropper.Win32.Smiscer.hl (Sunbelt Software)
TROJ_Gen.CX34I8 (Trend Micro)
ZeroAccess rootkit (other)
ZeroAccess (other)

Alert Level (?)
Severe

Antimalware protection details
Microsoft recommends that you download the latest definitions to get protected.

Detection last updated:
Definition: 1.151.88.0
Released: May 15, 2013

Detection initially created:
Definition: 1.65.563.0
Released: Sep 09, 2009

Summary

TrojanDropper:Win32/Sirefef.B is a trojan that drops Win32/Sirefef, a multi-component family.

Caution: Sirefef is a dangerous threat that uses advanced stealth techniques in order to hinder its detection and removal. As a consequence of being infected with this threat, you may need to repair and reconfigure some Windows security features. Please see Additional remediation steps in this entry for more information.

Top

Symptoms

There are no common symptoms associated with this threat. Alert notifications from installed antivirus software may be the only symptoms.

Top

Technical Information (Analysis)

TrojanDropper:Win32/Sirefef.B is a trojan that drops Win32/Sirefef, a multi-component family.

When executed, TrojanDropper:Win32/Sirefef.B attempts to replace a randomly selected system driver. It may however avoid the following drivers:

win32k.sys
ndis.sys

The replaced driver may be detected as Virus:Win32/Sirefef.I, and will be loaded by TrojanDropper:Win32/Sirefef.B.

It also drops two other Win32/Sirefef components, which may be detected as Trojan:Win32/Sirefef.C and Trojan:WinNT/Sirefef.C. These dropped components may not present in the affected system as plain files, instead, they reside in a volume created by TrojanDropper:Win32/Sirefef.B.

TrojanDropper:Win32/Sirefef.B may also contact server 85.17.239.212 for the purpose of reporting infection statistics.

Analysis by Chun Feng

Top

Prevention

Take these steps to help prevent infection on your computer.

Top

Recovery

To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an up-to-date, Microsoft security solution.

Some Sirefef infections may prevent you from running your Microsoft security solution. If this happens, you should uninstall your antivirus, reinstall it, then run a full-system scan. You can read about how to uninstall a program here.

The following Microsoft products detect and remove this threat:

Microsoft Security Essentials or, for Windows 8, Windows Defender
Microsoft Safety Scanner

Additional remediation steps

Sirefef makes lasting changes to your computer’s security settings that may need to be repaired. Sirefef stops and deletes a number of different security-related services on your computer. When using Microsoft security solutions to clean a Sirefef infection, these services will be restored to the Windows default installation settings.

The following Microsoft Fixits can be used for additional repair and configuration:

Top


	Provide feedback Please note: While your feedback is very important to us, we do not respond to individual submissions through this channel. Feedback, requests, or questions submitted through this form are monitored, however responses are not generated. If you require support, please visit the Safety & Security Center.