Win32/Sirefef [Threat Name] go to Threat

Win32/Sirefef.A [Threat Variant Name]

Available cleaner [Download Sirefef Cleaner ]

Category trojan
Size 80896 B
Detection created Nov 13, 2009
Signature database version 4604
Aliases Trojan-Dropper.Win32.PMax.a (Kaspersky)
  Trojan.Horse (Symantec)
  TrojanDropper:Win32/Sirefef.A (Microsoft)
Short description

Win32/Sirefef.A is a trojan that redirects results of online search engines to web sites that contain adware.

Installation

The trojan creates copies of the following files (source, destination):

  • c:\­windows\­system32\­eventlog.dll, c:\­windows\­system32\­logevent.dll
  • c:\­windows\­system32\­cngaudit.dll, c:\­windows\­system32\­logevent.dll

The trojan then deletes source files.


The trojan drops one of the following files in the c:\windows\system32\ folder:

  • eventlog.dll (61952 B)
  • cngaudit.dll (61952 B)

The following files are dropped into the %systemdrive%\windows\ folder:

  • win32k.sys:1 (12288 B)
  • win32k.sys:2 (61952 B)

The trojan may create and run a new thread with its own program code within any running process.

Other information

The trojan can redirect results of online search engines to web sites that contain adware.


The trojan launches the following processes:

  • %windir%\­PCHealth\­HelpCtr\­Binaries\­HelpSvc.exe

The trojan creates the following files:

  • %commondocuments%\­Thumbs.db

It uses techniques common for rootkits.

Please enable Javascript to ensure correct displaying of this content and refresh this page.