Trojan:Win64/Sirefef.M is the 64-bit user-mode component of Win32/Sirefef, a multi-component family of malware that manipulates an affected user's Internet experience by modifying search results and generating pay-per-click advertising revenue for its controllers. The family consists of multiple parts that perform different functions, such as downloading updates and additional components, hiding existing components, or executing a payload.
Trojan:Win64/Sirefef.M is installed and executed by TrojanDropper:Win32/Sirefef.B.
Downloads and executes arbitrary files
The trojan may connect, via HTTP POST, to a remote server whose address is generated from a format not reproduced here, in order to retrieve and execute commands that could include the following actions:
- Download arbitrary files or updated malware components
- Execute retrieved files
- Inject retrieved files into other processes
Generates fake traffic for certain websites
Some variants of Trojan:Win64/Sirefef.M generate fake traffic to a site visitor-counting service, using the referrer "aelit<removed>sixfour.com".
It queries the server "counter.yadro.ru" with the following GET request every 900 seconds (15 minutes):
GET /hit?t52.6;rhttp://0;s320*200*32;u/0;0.<value based on current time> HTTP/1.1
Referer: <website being promoted>0
User-Agent: Opera/6 (Windows NT 5.00; U)
where <website being promoted> is the website that it generates fake traffic for.
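The request above is a usable network indicator: the path template is fixed apart from the time-derived suffix, the User-Agent claims an obsolete Opera 6 on Windows 2000, and the beacon repeats every 900 seconds. The following is an added detection example, not code from the original write-up or from Microsoft; the proxy log format (timestamp, client IP, method, host, path, user agent) and the sample log lines are constructed for illustration, and the epoch-like suffix values are made up.

```python
"""Flag the Sirefef.M fake-traffic beacon in HTTP proxy logs.

Added example; the log format and sample lines below are assumptions
constructed for illustration, not data from the original description.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines: timestamp, client IP, method, host, path, user agent.
# 10.0.0.5 shows the malware beacon; 10.0.0.9 is an ordinary visit to the same
# counter service and must not be flagged.
SAMPLE_LOG = """\
2012-05-01T10:00:00 10.0.0.5 GET counter.yadro.ru /hit?t52.6;rhttp://0;s320*200*32;u/0;0.1335866400 Opera/6 (Windows NT 5.00; U)
2012-05-01T10:03:12 10.0.0.5 GET www.example.org /index.html Mozilla/5.0 (Windows NT 6.1)
2012-05-01T10:15:00 10.0.0.5 GET counter.yadro.ru /hit?t52.6;rhttp://0;s320*200*32;u/0;0.1335867300 Opera/6 (Windows NT 5.00; U)
2012-05-01T10:30:01 10.0.0.5 GET counter.yadro.ru /hit?t52.6;rhttp://0;s320*200*32;u/0;0.1335868201 Opera/6 (Windows NT 5.00; U)
2012-05-01T10:20:00 10.0.0.9 GET counter.yadro.ru /hit?t52.6;rhttp://example;s1024*768*32;u/0 Mozilla/5.0 (Windows NT 6.1; rv:12.0)
"""

# Indicators taken from the GET request described above.
SIREFEF_HOST = "counter.yadro.ru"
SIREFEF_UA = "Opera/6 (Windows NT 5.00; U)"
# Fixed part of the path; only the trailing number varies (derived from the current time).
SIREFEF_PATH_RE = re.compile(r"^/hit\?t52\.6;rhttp://0;s320\*200\*32;u/0;0\.\d+$")


def parse_line(line):
    """Split one constructed log line into its fields (user agent may contain spaces)."""
    ts, ip, method, host, path, ua = line.split(maxsplit=5)
    return {"ts": datetime.fromisoformat(ts), "ip": ip, "method": method,
            "host": host, "path": path, "ua": ua}


def is_sirefef_hit(rec):
    """True when the request matches the fixed path template and User-Agent.

    counter.yadro.ru is a legitimate visitor-counting service, so the host alone
    is not an indicator; the combination of the fixed path and the Opera/6 UA is.
    """
    return (rec["method"] == "GET"
            and rec["host"] == SIREFEF_HOST
            and rec["ua"] == SIREFEF_UA
            and SIREFEF_PATH_RE.match(rec["path"]) is not None)


def find_beacons(log_text, period=900, tolerance=60, min_hits=3):
    """Group matching hits per client and test for the 900-second period.

    Returns {client_ip: {"hits": n, "intervals": [seconds, ...], "periodic": bool}}.
    A client is 'periodic' when it has at least min_hits matching requests and
    every gap between consecutive hits is within tolerance of the period.
    """
    hits = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if is_sirefef_hit(rec):
            hits[rec["ip"]].append(rec["ts"])

    result = {}
    for ip, stamps in hits.items():
        stamps.sort()
        intervals = [int((b - a).total_seconds()) for a, b in zip(stamps, stamps[1:])]
        periodic = len(stamps) >= min_hits and all(abs(i - period) <= tolerance for i in intervals)
        result[ip] = {"hits": len(stamps), "intervals": intervals, "periodic": periodic}
    return result


if __name__ == "__main__":
    for ip, info in find_beacons(SAMPLE_LOG).items():
        print(ip, info)
```

A single matching request is already worth an alert because the path template and the User-Agent string are both characteristic of the malware; the periodicity check is an extra confirmation and helps distinguish an infected host from a one-off false positive in a noisy log.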
Analysis by Marianne Mallen
There are no common symptoms associated with this threat. Alert notifications from installed antivirus software may be the only symptoms.