Encyclopedia entry
Updated: Nov 02, 2011 | Published: Oct 05, 2011
Aliases
Trojan.Win32.Sirefef (Ikarus)
Alert Level
Severe
Antimalware protection details
Microsoft recommends that you download the latest definitions to get protected.
Detection last updated: Definition 1.121.1275.0, released Mar 10, 2012 | Detection initially created: Definition 1.113.1022.0, released Oct 05, 2011
Summary
Trojan:Win32/Sirefef.J is a component of the Win32/Sirefef family. It simulates clicks on a banner, possibly in connection with a pay-per-click scheme that generates revenue for the owner of the website hosting the banner.
Symptoms
The click simulation runs silently and produces no visible change on the infected computer; alert notifications or detections from installed antivirus or security software may be the only symptom. On the network, the periodic HTTP requests to "counter.yadro.ru" described under Payload are an observable indicator.
Technical Information (Analysis)
Payload
Simulates banner clicks
Trojan:Win32/Sirefef.J locates DNS servers itself by reading the registry values "NameServer" and "DhcpNameServer" under each subkey of the following registry key:
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\*
It sends DNS queries directly to the servers it finds to resolve the host "counter.yadro.ru", then makes an HTTP GET request to a URL on that host every 15 minutes.
It sets a forged HTTP Referer header so that the requests appear to be clicks originating from "ysearch.com". Because the trojan reads the nameservers from the registry and performs the lookups itself rather than through the Windows DNS client, the resolution bypasses the hosts file and the resolver cache, so a hosts-file entry alone will not block the traffic; the fixed 15-minute cadence and the constant Referer are the more reliable network indicators.
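The behaviour above gives a defender two network indicators: a request cadence fixed at 15 minutes, and a Referer naming a site the client never actually loaded (a genuine click-through is preceded by a page fetch from the referring site). The following is an added example, not Microsoft's or the analyst's code, showing how to test a web-proxy log for both. The log format, the client addresses and the "/hit" request path are constructed for the example; the analysis does not name the URL.

```python
"""Detect Sirefef.J-style click-fraud beaconing in a web-proxy log.

Added example, not Microsoft's or the analyst's code. It assumes a simple
whitespace-separated proxy log format (constructed here, not any product's
real format): epoch_seconds client_ip method url referer, "-" for no Referer.
"""
from collections import defaultdict
from statistics import mean
from urllib.parse import urlparse

BEACON_PERIOD = 900    # the 15-minute cadence reported in the analysis
TOLERANCE = 0.10       # accept +/-10% jitter around the period
MIN_HITS = 4           # need several intervals before calling it periodic

# Constructed sample log, not captured traffic. The request path "/hit" is a
# placeholder (the analysis does not name the URL). 10.0.0.5 shows the infected
# pattern; 10.0.0.9 is ordinary browsing, including one real click-through
# from a ysearch.com results page.
SAMPLE_LOG = """\
1318000000 10.0.0.5 GET http://counter.yadro.ru/hit http://ysearch.com/
1318000903 10.0.0.5 GET http://counter.yadro.ru/hit http://ysearch.com/
1318001798 10.0.0.5 GET http://counter.yadro.ru/hit http://ysearch.com/
1318002700 10.0.0.5 GET http://counter.yadro.ru/hit http://ysearch.com/
1318003601 10.0.0.5 GET http://counter.yadro.ru/hit http://ysearch.com/
1318000120 10.0.0.5 GET http://www.example.com/ -
1318000000 10.0.0.9 GET http://www.example.com/ -
1318000120 10.0.0.9 GET http://www.example.com/news -
1318000900 10.0.0.9 GET http://ysearch.com/search?q=test -
1318000910 10.0.0.9 GET http://counter.yadro.ru/hit http://ysearch.com/search?q=test
1318005000 10.0.0.9 GET http://www.example.com/about -
1318005300 10.0.0.9 GET http://www.example.com/contact -
"""


def parse_line(line):
    """Split one log line into its fields; hostnames are taken from the URLs."""
    ts, client, method, url, referer = line.split()
    return {
        "ts": int(ts),
        "client": client,
        "method": method,
        "host": urlparse(url).hostname,
        "referer_host": urlparse(referer).hostname if referer != "-" else None,
    }


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def is_periodic(timestamps, period=BEACON_PERIOD, tol=TOLERANCE):
    """True if every gap between consecutive requests is within tol of period."""
    gaps = [b - a for a, b in zip(timestamps, timestamps[1:])]
    return bool(gaps) and all(abs(g - period) <= tol * period for g in gaps)


def find_beacons(records, period=BEACON_PERIOD, tol=TOLERANCE, min_hits=MIN_HITS):
    """Flag (client, host) pairs hit on a fixed timer, and note whether the
    Referer names a site the client never fetched (a forged Referer has no
    page load behind it; a real click-through does)."""
    by_pair = defaultdict(list)
    visited = defaultdict(set)           # client -> hosts it really fetched
    for r in records:
        by_pair[(r["client"], r["host"])].append(r)
        visited[r["client"]].add(r["host"])

    findings = []
    for (client, host), recs in by_pair.items():
        if len(recs) < min_hits:
            continue
        recs.sort(key=lambda r: r["ts"])
        stamps = [r["ts"] for r in recs]
        if not is_periodic(stamps, period, tol):
            continue
        referers = {r["referer_host"] for r in recs if r["referer_host"]}
        findings.append({
            "client": client,
            "host": host,
            "hits": len(recs),
            "mean_gap": mean([b - a for a, b in zip(stamps, stamps[1:])]),
            "referers": referers,
            "referer_never_visited": bool(referers) and not (referers & visited[client]),
        })
    return findings


if __name__ == "__main__":
    for finding in find_beacons(parse_log(SAMPLE_LOG)):
        print(finding)
```

Only 10.0.0.5 is reported: its five requests to counter.yadro.ru arrive at 900-second intervals and the Referer claims ysearch.com although that client never loaded a ysearch.com page. The single real click from 10.0.0.9 is preceded by a ysearch.com page fetch and is not periodic, so it is left alone. To run this against a real proxy, replace parse_line with a parser for that product's log format; the cadence and Referer checks do not change.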
Analysis by Horea Coroiu