Analysis by: Joie Salvio
 Modified by: Mark Joseph Manahan

ALIASES:

TrojanDropper:Win32/Sirefef.BB (Microsoft), Win32/Sirefef.FY trojan (ESET)

 PLATFORM:

Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:
 INFORMATION EXPOSURE:

  • Threat Type: Trojan

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

Infection Channel: Downloaded from the Internet, Dropped by other malware

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It deletes itself after execution.

  TECHNICAL DETAILS

File Size: 148,480 bytes
File Type: EXE
Memory Resident: Yes
Initial Samples Received Date: 06 Aug 2013
Payload: Terminates processes

Arrival Details

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Trojan drops the following copies of itself into the affected system and executes them:

  • %AppDataLocal%\Google\Desktop\Install\{GUID}\{unprintable characters1}\{unprintable characters2}\{RLO + unprintable characters3}\{GUID}\GoogleUpdate.exe
  • %Program Files%\Google\Desktop\Install\{GUID}\{unprintable characters1}\{unprintable characters2}\{RLO + unprintable characters3}\{GUID}\GoogleUpdate.exe

(Note: %AppDataLocal% is the Local Application Data folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local on Windows Vista and 7.. %Program Files% is the default Program Files folder, usually C:\Program Files in Windows 2000, Server 2003, and XP (32-bit), Vista (32-bit), and 7 (32-bit), or C:\Program Files (x86) in Windows XP (64-bit), Vista (64-bit), and 7 (64-bit).)

It drops the following component file(s):

  • %Windows%\assembly\GAC\Desktop.ini - detected as TROJ_SIREFEF.BZO
  • %AppDataLocal%\Google\Desktop\Install\{GUID}\{unprintable characters1}\{unprintable characters2}\{RLO + unprintable characters3}\{GUID}\@ - config file
  • %Program Files%\Google\Desktop\Install\{GUID}\{unprintable characters1}\{unprintable characters2}\{RLO + unprintable characters3}\{GUID}\@ - config file

(Note: %Windows% is the Windows folder, which is usually C:\Windows.. %AppDataLocal% is the Local Application Data folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local on Windows Vista and 7.. %Program Files% is the default Program Files folder, usually C:\Program Files in Windows 2000, Server 2003, and XP (32-bit), Vista (32-bit), and 7 (32-bit), or C:\Program Files (x86) in Windows XP (64-bit), Vista (64-bit), and 7 (64-bit).)

It creates the following folders:

  • %AppDataLocal%\Google\Desktop\Install\{GUID}
  • %AppDataLocal%\Google\Desktop\Install\{GUID}\{unprintable characters1}
  • %AppDataLocal%\Google\Desktop\Install\{GUID}\{unprintable characters1}\{unprintable characters2}
  • %AppDataLocal%\Google\Desktop\Install\{GUID}\{unprintable characters1}\{unprintable characters2}\{RLO + unprintable characters3}
  • %AppDataLocal%\Google\Desktop\Install\{GUID}\{unprintable characters1}\{unprintable characters2}\{RLO + unprintable characters3}\{GUID}
  • %AppDataLocal%\Google\Desktop\Install\{GUID}\{unprintable characters1}\{unprintable characters2}\{RLO + unprintable characters3}\{GUID}\U
  • %AppDataLocal%\Google\Desktop\Install\{GUID}\{unprintable characters1}\{unprintable characters2}\{RLO + unprintable characters3}\{GUID}\L
  • %Program Files%\Google\Desktop\Install\{GUID}
  • %Program Files%\Google\Desktop\Install\{GUID}\{unprintable characters1}
  • %Program Files%\Google\Desktop\Install\{GUID}\{unprintable characters1}\{unprintable characters2}
  • %Program Files%\Google\Desktop\Install\{GUID}\{unprintable characters1}\{unprintable characters2}\{RLO + unprintable characters3}
  • %Program Files%\Google\Desktop\Install\{GUID}\{unprintable characters1}\{unprintable characters2}\{RLO + unprintable characters3}\{GUID}
  • %Program Files%\Google\Desktop\Install\{GUID}\{unprintable characters1}\{unprintable characters2}\{RLO + unprintable characters3}\{GUID}\U
  • %Program Files%\Google\Desktop\Install\{GUID}\{unprintable characters1}\{unprintable characters2}\{RLO + unprintable characters3}\{GUID}\L

(Note: %AppDataLocal% is the Local Application Data folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local on Windows Vista and 7.. %Program Files% is the default Program Files folder, usually C:\Program Files in Windows 2000, Server 2003, and XP (32-bit), Vista (32-bit), and 7 (32-bit), or C:\Program Files (x86) in Windows XP (64-bit), Vista (64-bit), and 7 (64-bit).)

Autostart Technique

This Trojan adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
Google Update = ""%AppDataLocal%\Google\Desktop\Install\{GUID}\{unprintable characters1}\{unprintable characters2}\{RLO + unprintable characters3}\{GUID}\GoogleUpdate.exe" >"

It registers its dropped component as a system service to ensure its automatic execution at every system startup. It does this by creating the following registry entries:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\{RLO character}etadpug
Parameters = "136"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\{RLO character}etadpug
Start = "2"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\{RLO character}etadpug
Type = "16"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\{RLO character}etadpug
ErrorControl = "0"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\{RLO character}etadpug
ImagePath = "%Program Files%\Google\Desktop\Install\{GUID}\{unprintable characters1}\{unprintable characters2}\{RLO + unprintable characters3}\{GUID}\GoogleUpdate.exe"

It registers its dropped component as a system service to ensure its automatic execution at every system startup. It does this by creating the following registry keys:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\{RLO character}etadpug

Other System Modifications

This Trojan deletes the following registry keys:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Enum\Root\LEGACY_BITS

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Enum\Root\LEGACY_SHAREDACCESS

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Enum\Root\LEGACY_WSCSVC

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Enum\Root\LEGACY_WUAUSERV

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\wscsvc

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\wuauserv

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\BITS

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\wuauserv

Other Details

This Trojan deletes itself after execution.

NOTES:

For this Trojan to have a successful installation, it first attempts to elevate its privilege level by calling certain APIs. If the attempt fails, it drops the following files:

  • %User Temp%\InstallFlashPlayer.exe - normal application
  • %User Temp%\msimg32.dll - .DLL copy of the malware also detected as TROJ_SIREFEF.AZO

This Trojan disguises itself as msimg32.dll, since this is loaded by the legitimate InstallFlashPlayer.exe. It executes the legitimate Adobe Application %User Temp%\InstallFlashPlayer.exe to load the malicious file %User Temp%\msimg32.dll. This routine is intended to trigger the UAC prompt and trick the user in granting privilege to the Flash Player setup and consequently to load malicious file msimg32.dll.

This Trojan inserts the RLO Unicode character together with unprintable unicode characters on file names of the following folders to prevent user access in some operating systems:

  • %AppDataLocal%\Google\Desktop\Install\{GUID}\{unprintable characters1}\{unprintable characters2}\{RLO + unprintable characters3}
  • %Program Files%\Google\Desktop\Install\{GUID}\{unprintable characters1}\{unprintable characters2}\{RLO + unprintable characters3}

Accessing the folders in Windows Vista results to the following error message:

This RLO character trick is also used in the following added registry entry to disguise itself as a legitimate service entry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{RLO character}etadpug
ImagePath = "%Program Files%\Google\Desktop\Install\{GUID}\{unprintable characters1}\{unprintable characters2}\{RLO + unprintable characters3}\{GUID}\GoogleUpdate.exe"

Below is a comparison of the registry of two machines - one with RLO Unicode support, and the other without RLO Unicode support:

Same trick is used on the following added autorun entry:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Google Update = "%AppDataLocal%\Google\Desktop\Install\{GUID}\{unprintable characters1}\{unprintable characters2}\{RLO + unprintable characters}\{GUID}\GoogleUpdate.exe"

When a user tries to access this entry, this error message will be displayed:

Furthermore, this Trojan also modifies the permissions (ACL) of the following created folders to prevent user access in some operating systems:

  • %AppDataLocal%\Google\Desktop\Install\{GUID}\{unprintable characters1}\{unprintable characters2}\{RLO + unprintable characters3}\{GUID}
  • %Program Files%\Google\Desktop\Install\{GUID}\{unprintable characters1}\{unprintable characters2}\{RLO + unprintable characters3}\{GUID}

Accessing the folder in Windows XP may result to the following error message:

To further lessen the infected host's security, this Trojan also terminates the following Microsoft security-related processes:

  • wscntfy.exe
  • MSASCui.exe
  • MpCmdRun.exe
  • MsMpEng.exe
  • NisSrv.exe
  • msseces.exe

It uses a configuration file @. The said file contains a list of 256 IP addresses in hex and the time since 1980. It uses this list of IP addresses to communicate with other infected hosts in a peer-to-peer (P2P) network. Information shared in the network includes updated list of files and infected hosts. It connects to the following URL to obtain information about the origin of the infected machine:

  • http://j.maxmind.com/app/geoip.js

Sample reply from the mentioned site:

  SOLUTION

Minimum Scan Engine: 9.300
FIRST VSAPI PATTERN FILE: 10.272.04
FIRST VSAPI PATTERN DATE: 05 Sep 2013
VSAPI OPR PATTERN File: 10.273.00
VSAPI OPR PATTERN Date: 05 Sep 2013

NOTES:

Step 1

Before doing any scans, Windows XP, Windows Vista, and Windows 7 users must disable System Restore to allow full scanning of their computers.

Step 2

Backup Autorun Registry Key

  1. Open the Registry Editor by pressing Windows Key + R , type regedit into the Run input box, and then pressing ENTER.
  2. Locate the key:
    HKEY_CURRENT_USER\Software\Microsoft\Windows\Current Version\Run
  3. Click the File menu, and then click Export.
  4. In the Save in box, select the location where you want to save the backup copy, and then type a name for the backup file in the File name box.
  5. Click Save.
  6. Press delete key then Press the 'yes' button to confirm deletion.

Step 3

Disable Service Registry

  1. Open the Registry Editor by pressing Windows Key + R , type regedit into the Run input box, and then pressing ENTER.
  2. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>services>gupdate
  3. In the right panel, locate the registry value:
    ImagePath = "%Program Files%\Google\Desktop\Install\{GUID}\{unprintable characters1}\{unprintable characters2}\{RLO + unprintable characters3}\{GUID}\GoogleUpdate.exe"
  4. Right-click on the value name and choose Modify. Change the value data of this entry to:
    ImagePath = "@"
  5. In the right panel, locate the registry value:
    Start = "2"
  6. Right-click on the value name and choose Modify. Change the value data of this entry to:
    Start = "4"

Step 4

For Windows Vista and later versions, you may skip 1 and 2 and just add permission by pressing 'yes' button on permission pop-up, For other Windows operating system versions, you need to assign an owner for the malware folder in order to access/delete it. To do this you need the following steps:

  1. Open the folder %AppDataLocal%\Google\Desktop\Install\{GUID}\{unprintable characters1}\{unprintable characters2}\{RLO + unprintable characters3}
    (Note: %AppDataLocal% is the Local Application Data folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local on Windows Vista and 7. %Program Files% is the default Program Files folder, usually C:\Program Files in Windows 2000, Server 2003, and XP (32-bit), Vista (32-bit), and 7 (32-bit), or C:\Program Files (x86) in Windows XP (64-bit), Vista (64-bit), and 7 (64-bit).)
  2. In the menu bar above, click Tools>Folder Options>View Tab. Uncheck use simple file sharing (Recommended) then press apply.

  3. Right Click the {GUID} folder and click Properties. Click Security Tab>Advanced button>Owner.
  4. Choose any owner then press 'Apply' button.

  5. Re-open folder Properties then on Security Tab. Checked the Full Control Box (Allow) then click 'Apply' button.
  6. Delete the folder to remove the malware.
  7. Open the folder %Program Files%\Google\Desktop\Install\{GUID}\{unprintable characters1}\{unprintable characters2}\{RLO + unprintable characters3}.
  8. In the menu bar above click Tools>Folder Options>View Tab. Uncheck 'use simple file sharing (Recommended)' then press apply.
  9. Right Click the {GUID} folder and click Properties. Click Security Tab>Advanced button>Owner.
  10. Choose any owner then press 'Apply' button.
  11. Re-open folder Properties then on Security Tab. Checked the Full Control Box (Allow) then click 'Apply' button.
  12. Delete the contents of the folder excluding '@' file. (This is non-malicious but can be deleted upon restart).
  13. Restore the registry entries backup in Step 2 by executing the .reg file in saved folder and file name you specified.

Step 5

Restart in normal mode and scan your computer with your Trend Micro product for files detected as TROJ_SIREFEF.AZO. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files.


Did this description help? Tell us how we did.