Win32/Sefnit [Threat Name] go to Threat

Win32/Sefnit.DA [Threat Variant Name]

Category trojan
Size 451364 B
Detection created Jun 05, 2014
Detection database version 9899
Aliases Backdoor.Win32.Mevade.a (Kaspersky)
  Trojan:Win32/Sefnit.CD (Microsoft)
  Trojan.Sefnit (Symantec)
  TR/Sefnit.CC.6 (Avira)
Short description

The trojan serves as a proxy server. The file is run-time compressed using NSIS .


When executed, the trojan creates the following files:

  • %system%\­themes.dll (129536 B, Win32/Sefnit.DA)
  • %appdata%\­Microsoft\­ApplicationManager\­startup_module.dll (59392 B, Win32/Sefnit.DA)
  • %appdata%\­Microsoft\­ApplicationManager\­rundll32.dll (65536 B, Win32/Sefnit.DA)
  • %appdata%\­Microsoft\­ApplicationManager\­channel.dll (403456 B, Win32/Sefnit.DA)

The trojan creates the following file:

  • %system%\­winthemes_service.dll (62464 B, Win32/Sefnit.DA)

The trojan registers file as a system service.

In order to be executed on every system start, the trojan sets the following Registry entries:

  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "Microsoft Startup Manager" = "%systemx86%\­rundll32.exe "%appdata%\­Microsoft\­ApplicationManager\­startup_module.dll,start_watcher""

The trojan launches the following processes:

  • %systemx86%\­rundll32.exe "%appdata%\­Microsoft\­ApplicationManager\­startup_module.dll,start_watcher"
  • %systemx86%\­rundll32.exe "%currentfolder%\­themes.dll , _entry"
  • %systemx86%\­rundll32.exe "%currentgfolder%\­rundll32.dll, start_runner"
Other information

The trojan opens a random TCP port. The trojan opens TCP port 10038 . A proxy is listening there.

The trojan connects to the following addresses:


The UDP, TCP, SSH protocol is used.

Please enable Javascript to ensure correct displaying of this content and refresh this page.