TROJ_SIREFEF.AFQ

 Analysis by: Michael Cabel

 PLATFORM:

Windows 2000, Windows XP, Windows Server 2003


  • Threat Type: Trojan

  • Destructiveness: No

  • Encrypted: Yes

  • In the wild: Yes

  OVERVIEW

Infection Channel:

Dropped by other malware, Downloaded from the Internet


This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It hides files, processes, and/or registry entries.

It connects to certain websites to send and receive information. However, as of this writing, the said sites are inaccessible.

  TECHNICAL DETAILS

File Size:

180,736 bytes

File Type:

EXE

Memory Resident:

Yes

Initial Samples Received Date:

16 Nov 2012

Payload:

Connects to URLs/IPs, Terminates processes

Arrival Details

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Trojan drops the following component file(s):

  • %System Root%\RECYCLER\S-1-5-18\$6576a1a85f9fdb0e20568660563a58ee\@
  • %System Root%\RECYCLER\S-1-5-18\$6576a1a85f9fdb0e20568660563a58ee\n
  • %System Root%\RECYCLER\S-1-5-21-1454471165-515967899-839522115-1003\$6576a1a85f9fdb0e20568660563a58ee\@
  • %System Root%\RECYCLER\S-1-5-21-1454471165-515967899-839522115-1003\$6576a1a85f9fdb0e20568660563a58ee\n

(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.)

It creates the following folders:

  • %System Root%\RECYCLER\S-1-5-18\$6576a1a85f9fdb0e20568660563a58ee
  • %System Root%\RECYCLER\S-1-5-18\$6576a1a85f9fdb0e20568660563a58ee\L
  • %System Root%\RECYCLER\S-1-5-18\$6576a1a85f9fdb0e20568660563a58ee\U
  • %System Root%\RECYCLER\S-1-5-21-1454471165-515967899-839522115-1003\$6576a1a85f9fdb0e20568660563a58ee\L
  • %System Root%\RECYCLER\S-1-5-21-1454471165-515967899-839522115-1003\$6576a1a85f9fdb0e20568660563a58ee\U


It injects code into the following processes:

  • svchost.exe
  • cmd.exe
  • explorer.exe

Other System Modifications

This Trojan deletes the following registry keys:

  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Setup
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\windefend
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\iphlpsvc
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mpssvc
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    Windows Defender =
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MsMpSvc

Rootkit Capabilities

This Trojan hides files, processes, and/or registry entries.

Process Termination

This Trojan terminates the following services if found on the affected system:

  • MsMpSvc
  • windefend
  • SharedAccess
  • iphlpsvc
  • wscsvc
  • mpssvc

Other Details

This Trojan connects to the following URL(s) to get the affected system's IP address:

  • http://j.maxmind.com/app/geoip.js

It connects to the following website to send and receive information:

  • http://{BLOCKED}counters.com/5699017-3C912481A04E584CDF231C519E1DF857/counter.img?theme={Random}&digits=10&siteId={Random}

However, as of this writing, the said sites are inaccessible.

NOTES:

This Trojan overwrites 512 bytes of code in services.exe. The infected services.exe is detected as MAL_SIREF32.

  SOLUTION

Minimum Scan Engine:

9.300

Step 1

Before doing any scans, Windows XP, Windows Vista, and Windows 7 users must disable System Restore to allow full scanning of their computers.

Step 2

Remove the malware/grayware file dropped/downloaded by TROJ_SIREFEF.AFQ

    MAL_SIREF32

Step 3

Identify and delete files detected as TROJ_SIREFEF.AFQ using the Recovery Console


Step 4

Search and delete these folders

Make sure you check the Search Hidden Files and Folders checkbox under More advanced options to include all hidden folders in the search results.
  • %System Root%\RECYCLER\S-1-5-18\$6576a1a85f9fdb0e20568660563a58ee
  • %System Root%\RECYCLER\S-1-5-21-1454471165-515967899-839522115-1003\$6576a1a85f9fdb0e20568660563a58ee
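The folder search in Step 4 can also be run against an offline-mounted copy of the volume, where the Trojan's file hiding is not active. The following is an added example, not Trend Micro tooling: it looks for the RECYCLER layout listed under Installation. The function name and the `$` plus 32 hex digits pattern are assumptions that generalise the single folder name on this page.

```python
import re
import tempfile
from pathlib import Path

# Assumption: drop folder is "$" + 32 hex digits (the page lists one such name).
DROP_DIR = re.compile(r"^\$[0-9a-f]{32}$", re.IGNORECASE)
# SID-named subfolders of RECYCLER, e.g. S-1-5-18 or S-1-5-21-...-1003.
SID_DIR = re.compile(r"^S-1-5-\d+(-\d+)*$", re.IGNORECASE)
# Children named on the page: component files "@" and "n", folders "L" and "U".
EXPECTED_FILES = {"@", "n"}
EXPECTED_DIRS = {"L", "U"}


def find_sirefef_folders(volume_root):
    """Return one finding per RECYCLER/<SID>/$<32 hex> folder under volume_root."""
    findings = []
    recycler = Path(volume_root) / "RECYCLER"
    if not recycler.is_dir():
        return findings
    for sid_dir in sorted(recycler.iterdir()):
        if not (sid_dir.is_dir() and SID_DIR.match(sid_dir.name)):
            continue
        for cand in sorted(sid_dir.iterdir()):
            if not (cand.is_dir() and DROP_DIR.match(cand.name)):
                continue
            children = list(cand.iterdir())
            files = {c.name for c in children if c.is_file()} & EXPECTED_FILES
            dirs = {c.name for c in children if c.is_dir()} & EXPECTED_DIRS
            findings.append({
                "path": str(cand),
                "sid": sid_dir.name,
                "files": sorted(files),
                "dirs": sorted(dirs),
                # True only when every child named on the page is present.
                "full_match": files == EXPECTED_FILES and dirs == EXPECTED_DIRS,
            })
    return findings


if __name__ == "__main__":
    # Constructed sample tree standing in for a mounted volume.
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp, "RECYCLER", "S-1-5-18", "$6576a1a85f9fdb0e20568660563a58ee")
        (d / "L").mkdir(parents=True)
        (d / "U").mkdir()
        (d / "@").write_bytes(b"")
        (d / "n").write_bytes(b"")
        for finding in find_sirefef_folders(tmp):
            print(finding)
```

A result with `full_match` set to false still deserves review, since a partially cleaned system may keep only some of the listed children.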

Step 5

Scan your computer with your Trend Micro product to delete files detected as TROJ_SIREFEF.AFQ. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.

Step 6

Restore these deleted registry keys/values from backup

*Note: Only Microsoft-related keys/values will be restored. If the malware/grayware also deleted registry keys/values related to programs that are not from Microsoft, please reinstall those programs on your computer.

  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Setup
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\windefend
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\iphlpsvc
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mpssvc
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MsMpSvc
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    Windows Defender =

