Installation
Trojan:Win32/Sefnit.BW installs itself into one of the following locations:
Variants of this family can be installed by exploits, other malware or unwanted software.
The trojan might register itself as a service with the name "Windows Themes" by modifying the registry:
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\winthemes\Enum
Sets value: "0"
With data: "Root\LEGACY_WINTHEMES\0000"
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\winthemes
Sets value: "ImagePath"
With data: "C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\winthemes_service.dll,init_service"
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\winthemes
Sets value: "DisplayName"
With data: "Windows Themes"
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\winthemes
Sets value: "ObjectName"
With data: "LocalSystem"
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\winthemes
Sets value: "Description"
With data: "Provides user experience theme management."
The trojan may contact a command and control (C&C) server to download and run additional files.
We have seen the threat try to communicate with the following servers:
- gerrardinokelseysullivanudosk.<removed>.com/cpu_32.zip
- katherinemilestribonchi.<removed>.com/cpu_32.zip
- lambertfosterhumbertlombo.<removed>.com/cpu_32.zip
- wimariahlynchebiaonto.<removed>.com/cpu_32.zip
We have also seen the threat try to communicate with the following servers using an outgoing SSH connection on port 443:
- albfznc.su
- dmzhor.com
- gonjk.su
- gxedw.net
- metfsy.org
- pubzat.com
- ralwze.net
- xapjy.org
Payload
Downloads other malware
The trojan connects to remote servers, known as command and control (C&C) servers. When connected, it tries to download data that tells it what files to download or actions to take.
Some of the C&C domains known to be used by this trojan include:
- gerrardinokelseysullivanudosk.<removed>.com/cpu_32.zip
- katherinemilestribonchi.<removed>.com/cpu_32.zip
- lambertfosterhumbertlombo.<removed>.com/cpu_32.zip
- wimariahlynchebiaonto.<removed>.com/cpu_32.zip
Uses your PC for click fraud
This variant uses your PC's internet connection to perform click fraud. The MMPC blog "Another way Microsoft is disrupting the malware ecosystem" explains what click fraud is and how malware can use your PC to do it.
We have seen Sefnit using the 3proxy service to proxy HTTP traffic to emulate a user browsing the Internet and clicking on advertisements.
Uses your PC for Litecoin mining
Some versions of this threat use your PC to mine Litecoin. Litecoin is a cryptocurrency similar to Bitcoin. Side effects may include slower computer performance, hardware degradation, and higher power consumption.
Additional information
This variant of the Sefnit family is known to use SSH provided by PuTTY as its C&C communication channel. Outgoing SSH connections on port 443 to one of the following C&C servers are expected in some cases:
- albfznc.su
- dmzhor.com
- gonjk.su
- gxedw.net
- metfsy.org
- pubzat.com
- ralwze.net
- xapjy.org
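As an added defender-side example (not part of the original analysis), the following Python checks a service-key export for the rundll32-based "winthemes" service described under Installation, and classifies the first client bytes of a port-443 flow as TLS or SSH to surface the PuTTY-based C&C channel noted above. The .reg excerpt and the SSH banner are constructed samples, not captures from an infected machine.

```python
import re

# Constructed .reg-style export of two service subkeys: one mirroring the
# Sefnit.BW indicators listed above, one a legitimate-looking svchost service.
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\winthemes]
"ImagePath"="C:\\WINDOWS\\system32\\rundll32.exe C:\\WINDOWS\\system32\\winthemes_service.dll,init_service"
"DisplayName"="Windows Themes"
"ObjectName"="LocalSystem"
"Description"="Provides user experience theme management."

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Themes]
"ImagePath"="%SystemRoot%\\System32\\svchost.exe -k netsvcs"
"DisplayName"="Themes"
'''

# rundll32.exe <dll>,<export> as a service ImagePath (paths without spaces).
RUNDLL_SVC = re.compile(r"rundll32\.exe\s+(\S+?\.dll),(\w+)", re.IGNORECASE)


def parse_reg(text):
    """Map each Services\\<name> subkey to its string values (unescaping \\\\)."""
    services, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].rsplit("\\", 1)[-1].lower()
            services[current] = {}
        elif current and line.startswith('"'):
            m = re.match(r'"([^"]+)"="(.*)"$', line)
            if m:
                services[current][m.group(1)] = m.group(2).replace("\\\\", "\\")
    return services


def find_suspicious_services(services):
    """Return (service, reason) for services whose ImagePath runs a DLL export
    through rundll32; the winthemes_service.dll case is the Sefnit.BW indicator."""
    hits = []
    for name, values in services.items():
        m = RUNDLL_SVC.search(values.get("ImagePath", ""))
        if not m:
            continue
        dll, export = m.group(1), m.group(2)
        if name == "winthemes" or dll.lower().endswith("winthemes_service.dll"):
            hits.append((name, f"Sefnit.BW indicator: rundll32 loads {dll},{export}"))
        else:
            hits.append((name, f"service started via rundll32: {dll},{export}"))
    return hits


def classify_port443_payload(first_bytes):
    """A TLS ClientHello begins with record type 0x16 and major version 0x03;
    an SSH client instead sends a textual "SSH-" identification string."""
    if first_bytes.startswith(b"SSH-"):
        return "ssh"
    if len(first_bytes) >= 3 and first_bytes[0] == 0x16 and first_bytes[1] == 0x03:
        return "tls"
    return "unknown"
```

Running `find_suspicious_services(parse_reg(SAMPLE_REG))` flags only the winthemes entry, and a flow to port 443 whose first bytes are an SSH banner is labelled "ssh" rather than "tls".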
Analysis by Geoff McDonald