Win64/Sirefef [Threat Name] go to Threat

Win64/Sirefef.AP [Threat Variant Name]

Category	trojan
Size	169472 B
Aliases	Trojan:Win32/Sirefef.P (Microsoft)
	BDS/ZAccess.yug (Avira)
	ZeroAccess.hn.trojan (McAfee)

The trojan serves as a backdoor. It can be controlled remotely.

When executed, the trojan creates the following files:

The trojan creates the following folders:

A string with variable content is used instead of %variable% .

In order to be executed on every system start, the trojan sets the following Registry entries:

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32]
- "ThreadingModel" = "Both"
- "(Default)" = "%recyclebin%\%userSID%\%variable%\n."
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32]
- "(Default)" = "%recyclebin%\S-1-5-18\%variable%\n."
- "ThreadingModel" = "Free"

The following Registry entries are removed:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\ShellServiceObjects\{FD6905CE-952F-41F1-9A6F-135D9C6622CC}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\ShellServiceObjects\{F56F6FDD-AA9D-4618-A949-C1B91AF43B1A}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
- "Windows Defender"

The trojan loads and injects the "n" library into the following processes:

After the installation is complete, the trojan deletes the original executable file.

The trojan serves as a backdoor. It can be controlled remotely.

The trojan opens 16465 port and connects to own peer-to-peer network.

The trojan contains a list of (256) IP addresses.

It can execute the following operations:

The following programs are terminated:

The following services are disabled: