TROJ_SIREF64.SM

This is the Trend Micro detection for a 64-bit component of SIREFEF/ZEROACCESS family.

This Trojan may arrive bundled with malware packages as a malware component. It may arrive as a file that exports functions used by other malware. It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It creates folders where it drops its files.

It requires its main component to successfully perform its intended routine.

Arrival Details

This Trojan may arrive bundled with malware packages as a malware component.

It may arrive as a file that exports functions used by other malware.

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It creates the following folders:

• %User Profile%\Local Settings\Application Data\{CLSID}
• %User Profile%\Local Settings\Application Data\{CLSID}\U - where the executable component is drop by the main component.
• %User Profile%\Local Settings\Application Data\{CLSID}\@ - where the configuration component is drop by the main component.

(Note: %User Profile% is the current user's profile folder, which is usually C:\Windows\Profiles\{user name} on Windows 98 and ME, C:\WINNT\Profiles\{user name} on Windows NT, and C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003.)

Backdoor Routine

This Trojan opens the following ports:

• TCP 16465
• UDP 1288

Other Details

This Trojan requires its main component to successfully perform its intended routine.