Win32/Sirefef


Microsoft security software detects and removes this threat.

This family of malware uses stealth to hide its presence on your PC. Trojans in this family can do different things, including:

  • Downloading and running other files
  • Contacting remote hosts
  • Disabling security features

Members of the family can also change search results, which can generate money for the hackers who use Sirefef.

Variants of Win32/Sirefef might be installed by other malware, including variants of the Trojan:Win32/Necurs family.




What to do now

Use the following free Microsoft software to detect and remove this threat:

You should also run a full scan. A full scan might find other, hidden malware.

Note that as part of the cleaning, our software might change some Windows services back to their default settings. If you had previously changed these settings, you might need to change them again.

The services that are reset include:

  • BFE – Base Filtering Engine
  • Iphlpsvc – IP Helper Service
  • MSMpSvc – Microsoft Antimalware service – MSE/FEP/SCEP
  • SharedAccess – Internet Connection Sharing
  • WinDefend – Windows Defender service
  • Wscsvc – Windows Security Center

Get more help

You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.

If you’re using Windows XP, see our Windows XP end of support page.

Threat behavior

Installation

We have seen the dropper component of Win32/Sirefef distributed by exploits and by software-piracy tools such as "keygens" and "cracks" (programs designed to bypass software licensing).

Variants of Win32/Sirefef might also be dropped or installed by other malware, including variants of the Trojan:Win32/Necurs family.

In the wild, we have seen newer Sirefef variants copy themselves as GoogleUpdate.exe into one of the following folders, together with a file named @:

  • %ProgramFiles%\Google\Desktop\Install\<GUID>\<non-printable bytes>\<non-printable bytes>\<non-printable bytes>\<GUID>\
  • %LOCALAPPDATA%\Google\Desktop\Install\<GUID>\<non-printable bytes>\<non-printable bytes>\<non-printable bytes>\<GUID>\

where <GUID> is a globally unique identifier specific to the infected PC, and the three intermediate folder names consist of non-printable characters, so the path is hard to type or browse to.

This might look like %ProgramFiles%\Google\Desktop\Install\{17727cf2-f323-850a-10b1-029cdc14179d}\ \ \<\x2E\x20\xF9\xFB\x5B\x0E>\{17727cf2-f323-850a-10b1-029cdc14179d}\GoogleUpdate.exe.

The @ file contains information that Sirefef uses to find other infected PCs on its peer-to-peer network.

To make those files run every time you start your PC, the malware registers a system service whose name is "etadpug" prefixed by the Unicode right-to-left override character (U+202E); because the override reverses the display order of the characters that follow it, the name appears as gupdate in service listings. It also adds a Run entry to the registry:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "" (the key's default value)
With data: "<location and name of the GoogleUpdate.exe file>"

Other variants have been seen dropping the @ file and a file called n into a chosen directory, for example, C:\recycler\s<removed>\<removed>.

The n file contains malicious code used for peer-to-peer (P2P) communication.

They make the following change to the registry so that n is loaded each time you start your PC. The CLSID normally resolves to wbemess.dll, a WMI (wbem) component, so redirecting its InprocServer32 entry to n causes the malicious file to be loaded whenever that COM object is created:

In subkey: HKLM\Software\Classes\clsid\{5839fca9-774d-42a1-acda-d6a79037f57f}\InprocServer32
Changes value: "(Default)"
From data: "<system folder>\wbem\wbemess.dll"
With data: "<path to n>" (for example, "c:\recycler\s<removed>\<removed>\n")
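
The persistence artifacts described above (a service name containing the right-to-left override, a populated default value on the HKCU Run key, a redirected InprocServer32 entry for the CLSID shown, and GoogleUpdate.exe or @ files under the Google\Desktop\Install drop paths) can be checked with the following PowerShell. It is an added example, not code from this entry or from any Microsoft tool. It assumes PowerShell 5.1 or later running in an elevated session; the function name Find-SirefefPersistence, the output format and the "ends with \wbem\wbemess.dll" test for the clean CLSID value are this example's own assumptions.

```powershell
# Added example (not from the Sirefef entry or any Microsoft tool): hunt for the
# persistence artifacts described in the entry. Function name, output strings and
# the expected wbemess.dll check are assumptions made for this example.
function Find-SirefefPersistence {
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Service name built from "etadpug" plus U+202E (RIGHT-TO-LEFT OVERRIDE), which
    #    renders as "gupdate". Any service whose name contains U+202E is suspicious.
    $rlo = [string][char]0x202E
    Get-CimInstance -ClassName Win32_Service -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -like "*$rlo*" -or $_.DisplayName -like "*$rlo*" } |
        ForEach-Object {
            $shown = $_.Name -replace $rlo, '<U+202E>'   # make the override visible
            $findings.Add("RLO service: name=$shown path=$($_.PathName)")
        }

    # 2. Default value of the HKCU Run key. An empty value name is the key's default value,
    #    and Windows runs it like any other Run entry; on a clean PC it is not set.
    $runKey = Get-Item -LiteralPath 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
    if ($runKey) {
        $default = $runKey.GetValue('')
        if ($default) { $findings.Add("HKCU Run default value set: $default") }
    }

    # 3. COM hijack: the CLSID named in the entry should resolve to <system folder>\wbem\wbemess.dll.
    $clsid  = 'HKLM:\Software\Classes\CLSID\{5839fca9-774d-42a1-acda-d6a79037f57f}\InprocServer32'
    $inproc = Get-Item -LiteralPath $clsid -ErrorAction SilentlyContinue
    if ($inproc) {
        $server = [string]$inproc.GetValue('')    # REG_EXPAND_SZ is expanded by GetValue
        if ($server -notlike '*\wbem\wbemess.dll') {
            $findings.Add("InprocServer32 redirected: $clsid -> $server")
        }
    }

    # 4. GoogleUpdate.exe and '@' files under the Google\Desktop\Install drop locations.
    #    -Force is needed because the intermediate folders are hidden and oddly named.
    foreach ($root in @("$env:ProgramFiles\Google\Desktop\Install",
                        "$env:LOCALAPPDATA\Google\Desktop\Install")) {
        if (Test-Path -LiteralPath $root) {
            Get-ChildItem -LiteralPath $root -Recurse -Force -File -ErrorAction SilentlyContinue |
                Where-Object { $_.Name -eq 'GoogleUpdate.exe' -or $_.Name -eq '@' } |
                ForEach-Object { $findings.Add("Dropped file: $($_.FullName)") }
        }
    }

    if ($findings.Count -eq 0) { $findings.Add('No Sirefef persistence artifacts found') }
    return $findings
}

Find-SirefefPersistence
```

A hit on check 1 or 3 is a strong indicator on its own; a hit on check 2 or 4 should be followed up by inspecting the referenced file, since legitimate Google installers also use a file named GoogleUpdate.exe (though not under Google\Desktop\Install with non-printable folder names).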

Older variants of Sirefef try to replace a randomly selected system driver with a malicious driver of their own. The replaced driver could be any of the following:

  • afd.sys
  • i8042prt.sys
  • ipsec.sys
  • mrxsmb.sys
  • netbt.sys
  • raspppoe.sys
  • serial.sys

This list is not comprehensive.

The replacement driver loads each time you start your PC. It might be detected as a variant of Virus:Win32/Sirefef or as TrojanDropper:Win32/Sirefef.B.

Payload

Downloads and runs other files

Sirefef uses a peer-to-peer (P2P) protocol to download or update additional malware components from other infected PCs. The downloaded components are saved to a U\ subdirectory of the hidden folder it creates for this purpose (described under "Creates a folder in which to store other malware" below). The downloaded components might:

  • Change search results
  • Generate pay-per-click advertising revenue for its controllers
  • Run Bitcoin (digital currency) mining on the affected PC

Stops and deletes security-related services

Sirefef tries to stop and delete the following security-related services:

  • Base Filtering Engine Service (bfe)
  • IP Helper Service (iphlpsvc)
  • Windows Defender Service (windefend)
  • Windows Firewall Service (mpssvc)
  • Windows Security Center Service (wscsvc)
  • Windows Firewall
  • Windows Update
  • Multiple other services, including PolicyAgent, Program Compatibility Assistant Service (pcasvc), and RemoteAccess
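
The following PowerShell reports which of the services listed above have been stopped, disabled or deleted, and can re-enable and start the ones that still exist. It is an added example, not code from this entry or from any Microsoft tool. It assumes PowerShell 5.1 or later (for the StartType property of Get-Service) and an elevated session when -Repair is used. The split into a "core" group expected to be Automatic and Running and an "other" group that is only checked for existence, the function name and the output strings are this example's assumptions for a default Windows 7 or later install: on Windows 10, wuauserv is trigger-started and normally Stopped, and WinDefend is Stopped when a third-party antivirus is registered, so those two lines are expected there. A deleted service cannot be re-created by this script; that is what the cleanup tool's service reset (see "What to do now") is for.

```powershell
# Added example (not from the Sirefef entry or any Microsoft tool): report and optionally
# repair the security-related services Sirefef stops and deletes. The function name, the
# core/other split and the expected Automatic start type are this example's assumptions.
function Test-SirefefServiceDamage {
    param([switch]$Repair)

    # Services named in the entry. Core services are assumed Automatic and Running on a
    # default Windows 7+ install; the others are only checked for existence because their
    # default start type differs between Windows versions.
    $core   = @('BFE', 'iphlpsvc', 'MpsSvc', 'wscsvc', 'WinDefend', 'wuauserv')
    $others = @('SharedAccess', 'PolicyAgent', 'PcaSvc', 'RemoteAccess')
    $report = New-Object System.Collections.Generic.List[string]

    foreach ($name in ($core + $others)) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if (-not $svc) {
            # Get-Service returns nothing when the service's registry key has been deleted.
            $report.Add("$name : MISSING (deleted?)")
            continue
        }
        if ($core -notcontains $name) { continue }

        if ($svc.StartType -eq 'Disabled') {
            $report.Add("$name : start type Disabled")
            if ($Repair) { Set-Service -Name $name -StartupType Automatic }
        }
        if ($svc.Status -ne 'Running') {
            $report.Add("$name : $($svc.Status)")
            if ($Repair) { Start-Service -Name $name -ErrorAction SilentlyContinue }
        }
    }

    if ($report.Count -eq 0) { $report.Add('No service tampering detected') }
    return $report
}

# Report only; run Test-SirefefServiceDamage -Repair in an elevated session to
# re-enable and start the core services that still exist.
Test-SirefefServiceDamage
```

Run the report before and after cleaning: the "MISSING" lines tell you which services the cleanup tool must recreate, and a service that is re-disabled shortly after repair indicates the malware is still active.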

Contacts remote hosts

Sirefef contacts a remote host to send information about your PC. This information can then be used to enlist the PC in a network of infected PCs (a botnet) that the malicious hacker can use for any purpose.

Turns off Windows Firewall

Sirefef tries to turn off Windows Firewall to make sure its own traffic won’t be blocked.

Additional information

Sirefef implements a disk-level hook to hide its presence on your PC. If an attempt is made to read the replaced driver file, Sirefef returns the original, clean driver, so file-based integrity checks of that driver on the running, infected system report it as clean. Any changes made to this driver file have no effect on the PC, because the replacement, malicious driver is what actually runs.

Sirefef includes a self-defense mechanism to protect itself against security-related software: the malware tries to stop and delete any process that tries to access it.

Infects files/Uses stealth

Some Sirefef variants have been observed patching services.exe with shellcode that loads malicious data from NTFS Extended Attributes (EAs). The malware stores additional components in EAs and loads them later, as part of its effort to hide itself on your PC; the components are not visible as ordinary files, so a directory listing does not show them.

Intercepts and hijacks network traffic

Some variants of Sirefef might drop a Windows Sockets (Winsock) service provider file, which it uses to intercept and/or hijack network activity so that it can redirect your browser.

In the wild, we have observed this file being dropped as:

Creates a folder in which to store other malware

Sirefef creates a special folder configured as a reparse point (an NTFS object that carries user-defined data and is interpreted by a file-system filter driver) in which to store additional malware components, as well as the original clean copy of the replaced driver.

The created folder uses the following format:

%SystemRoot%\$NtUninstallKB<number>

<number> is a randomly generated number.

The files stored under this folder are encrypted, and are not generally accessible.
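
The following PowerShell looks for the hidden storage folder described above, lists Winsock providers that live outside System32 (see "Intercepts and hijacks network traffic"), and checks services.exe and the drivers listed under "Installation" against the Windows component store. It is an added example, not code from this entry or from any Microsoft tool. It assumes an elevated PowerShell 5.1 session with sfc.exe and netsh.exe available; the function name Find-SirefefStorage and the output format are this example's own. Because of the disk-level hook described under "Additional information", a clean sfc result for a driver on a live infected system proves nothing: the rootkit hands back the original driver when the file is read. Treat the driver check as useful only from an offline boot environment, and treat the reparse-point folder and the Winsock provider checks as the indicators that the rootkit cannot easily hide from this script.

```powershell
# Added example (not from the Sirefef entry or any Microsoft tool): file-system and
# network artifacts of Sirefef. Function name and output strings are assumptions.
function Find-SirefefStorage {
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Hidden storage folder %SystemRoot%\$NtUninstallKB<number> configured as a reparse point.
    #    Hotfix uninstall folders on XP/2003 share this name pattern but are plain directories.
    Get-ChildItem -LiteralPath $env:SystemRoot -Force -Directory -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -like '$NtUninstallKB*' -and
                       (($_.Attributes -band [System.IO.FileAttributes]::ReparsePoint) -ne 0) } |
        ForEach-Object {
            $findings.Add("Reparse-point folder: $($_.FullName)")
            # Downloaded components live under a U\ subfolder of this folder.
            $u = Join-Path $_.FullName 'U'
            if (Test-Path -LiteralPath $u) { $findings.Add("  has U\ subfolder: $u") }
        }

    # 2. Winsock catalog: flag any provider DLL that is not under System32.
    #    netsh prints one "Provider Path:" line per catalog entry.
    $catalog = & netsh.exe winsock show catalog 2>$null
    foreach ($line in $catalog) {
        if ($line -match '^\s*Provider Path:\s*(.+?)\s*$') {
            $path = [System.Environment]::ExpandEnvironmentVariables($Matches[1])
            if ($path -notlike "$env:SystemRoot\System32\*") {
                $findings.Add("Winsock provider outside System32: $path")
            }
        }
    }

    # 3. Integrity of services.exe and the drivers the entry says Sirefef replaces.
    #    sfc writes UTF-16 to the console; switch the console encoding so the captured
    #    text is readable, and strip any stray NULs as a fallback.
    $drivers = @('afd.sys', 'i8042prt.sys', 'ipsec.sys', 'mrxsmb.sys',
                 'netbt.sys', 'raspppoe.sys', 'serial.sys')
    $targets = @('services.exe') + ($drivers | ForEach-Object { "drivers\$_" })
    $prevEnc = [Console]::OutputEncoding
    [Console]::OutputEncoding = [System.Text.Encoding]::Unicode
    try {
        foreach ($t in $targets) {
            $full = Join-Path "$env:SystemRoot\System32" $t
            if (-not (Test-Path -LiteralPath $full)) { continue }
            $out = (& sfc.exe /verifyfile=$full 2>&1 | Out-String) -replace "`0", ''
            if ($out -match 'found integrity violations') {
                # Note: on a live infected host the rootkit returns the clean driver on
                # read, so a clean result here does not clear the machine.
                $findings.Add("sfc reports integrity violation: $full")
            }
        }
    } finally {
        [Console]::OutputEncoding = $prevEnc
    }

    if ($findings.Count -eq 0) { $findings.Add('No Sirefef storage or hook artifacts found') }
    return $findings
}

Find-SirefefStorage
```

To examine the $NtUninstallKB folder itself, fsutil reparsepoint query <folder> shows the reparse tag; the contents are encrypted, so the useful action is to record the folder name and tag for the incident timeline rather than to open the files.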

Further reading

Analysis by Chun Feng and Shawn Wang


Symptoms

Alerts from your security software may be the only symptom.


Prevention


Alert level: Severe
This entry was first published on: Apr 13, 2012
This entry was updated on: Aug 22, 2014

This threat is also detected as:
  • ZeroAccess (other)
  • Zero Access (other)