TROJ_SIREFEF.OI

 Analysis by: Roland Marco Dela Paz

 ALIASES:

Trojan:Win32/Sirefef.P (Microsoft); Mal/ZAccess-D (Sophos)

 PLATFORM:

Windows 2000, Windows XP, Windows Server 2003, Windows 7

  • Threat Type: Trojan

  • Destructiveness: No

  • Encrypted: Yes

  • In the wild: Yes

  OVERVIEW

Infection Channel:

Downloaded from the Internet, Dropped by other malware

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

  TECHNICAL DETAILS

File Size:

Varies

File Type:

PE

Memory Resident:

Yes

Initial Samples Received Date:

05 Apr 2012

Payload:

Terminates processes, Downloads files, Connects to URLs/IPs

Arrival Details

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Autostart Technique

This Trojan modifies the following registry entry(ies) to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Control\Session Manager\SubSystems
Windows = "%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=consrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16"

(Note: The default value data of the said registry entry is %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16.)
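The persistence point described above is the csrss.exe subsystem string: every ServerDll= entry in that value is loaded into csrss at boot, so the Trojan only needs to swap one module name (winsrv to consrv) to run before any user session. The following added example, which is not part of the original advisory and not Trend Micro code, parses that value and flags any ServerDll module that is not in the documented default (basesrv and winsrv). The infected sample value is constructed from the advisory's own text; the live read uses winreg and is only attempted on Windows.

```python
"""Check the csrss 'Windows' value under Session Manager\\SubSystems for
ServerDll modules that are not part of a clean default (e.g. consrv)."""
import re
import sys

# Default value data exactly as quoted in the advisory's Autostart Technique note.
DEFAULT_WINDOWS_VALUE = (
    r"%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows "
    "SharedSection=1024,3072,512 Windows=On SubSystemType=Windows "
    "ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 "
    "ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off "
    "MaxRequestThreads=16"
)

# Constructed sample of the value as the advisory says the Trojan rewrites it:
# the UserServerDllInitialization entry now points at consrv instead of winsrv.
INFECTED_WINDOWS_VALUE = DEFAULT_WINDOWS_VALUE.replace(
    "ServerDll=winsrv:UserServerDllInitialization,3",
    "ServerDll=consrv:UserServerDllInitialization,3",
)

# ServerDll=<module>[:<entry point>],<index>
SERVERDLL_RE = re.compile(
    r"ServerDll=(?P<module>[^:,\s]+)(?::(?P<entry>[^,\s]+))?,(?P<index>\d+)"
)


def parse_serverdlls(value_data):
    """Return (module, entry_point, index) for every ServerDll entry in the value."""
    return [
        (m.group("module").lower(), m.group("entry"), int(m.group("index")))
        for m in SERVERDLL_RE.finditer(value_data)
    ]


# Modules a clean install loads into csrss, derived from the documented default.
EXPECTED_MODULES = {module for module, _, _ in parse_serverdlls(DEFAULT_WINDOWS_VALUE)}


def find_unexpected_serverdlls(value_data):
    """Sorted list of csrss server modules that are not in the documented default."""
    return sorted(
        {module for module, _, _ in parse_serverdlls(value_data)
         if module not in EXPECTED_MODULES}
    )


def read_live_value():
    """Read the live value on Windows; return None elsewhere (winreg is Windows-only)."""
    if sys.platform != "win32":
        return None
    import winreg  # assumption: run as a user allowed to read HKLM
    key_path = r"SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as key:
        data, _ = winreg.QueryValueEx(key, "Windows")
    return data


if __name__ == "__main__":
    samples = [
        ("documented default", DEFAULT_WINDOWS_VALUE),
        ("constructed infected sample", INFECTED_WINDOWS_VALUE),
        ("live registry", read_live_value()),
    ]
    for label, data in samples:
        if data is None:
            continue
        bad = find_unexpected_serverdlls(data)
        verdict = "clean" if not bad else "SUSPICIOUS ServerDll modules: " + ", ".join(bad)
        print(f"{label}: {verdict}")
```

The check compares module names rather than the whole string, so it also catches the variant in the Windows 7 64-bit note below, where consrv replaces the ConServerDllInitialization entry instead, and it keeps working on systems whose SharedSection or MaxRequestThreads settings legitimately differ from the quoted default. Remediation remains the manual registry restore in the Solution section; this script only reports.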

Process Termination

This Trojan terminates the following services if found on the affected system:

  • Windows Defender
  • windefend
  • iphlpsvc
  • wscsvc
  • mpssvc

NOTES:

This Trojan monitors its autostart registry entry and restores it to consrv if any change is detected. It then edits the Winsock2 registry, changing all of the entries under the Winsock key to the following:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries
LibraryPath = "mswsock.dll"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries64
PackedCatalogItem = "mswsock.dll"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries
LibraryPath = "mswsock.dll"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries64
PackedCatalogItem = "mswsock.dll"

It then drops the following files (replacing them if they already exist) under %Systemroot%\assembly:

  • GAC_32\Desktop.ini
  • GAC_64\Desktop.ini

Note that these binaries only act as loaders for the following files:

  • \\.\globalroot\systemroot\assemvly\temp\u\80000032.@
  • \\.\globalroot\systemroot\assemvly\temp\u\80000064.@

These two binaries are not included in this malware and may be dropped by other malware.

It also replaces the Section Object \\KnownDlls\mswsock.dll and \\KnownDlls32\mswsock.dll with these files. This means that if MSWSOCK.DLL is loaded, Desktop.INI is loaded instead.

It then searches for the svchost.exe process whose command line contains netsvcs. A new thread is then injected into this remote process. This thread is responsible for loading the third binary in memory: it copies the contents of the third binary into a new section and calls the entry point to execute the malicious routine.

This last binary is responsible for the following routines:

  • Download additional components
  • Inject components into memory
  • Listen for backdoor commands

After all of these routines, this Trojan uses LoadLibrary to load the original winsrv.dll file found in the registry.

It connects to the site http://promos.{BLOCKED}g.com/geo/txt/city.php to check the city location of the affected machine based on IP address.

Its downloaded .DLL file, which is also detected as TROJ_SIREFEF.OI, is responsible for hijacking Internet traffic and search engine results, and redirecting requests to malicious websites. To do this, it monitors any of the following browsers:

  • Avant
  • Google Chrome
  • Internet Explorer
  • Maxthon
  • Mozilla Firefox
  • Netscape
  • Safari

It then hijacks the browser session if it finds any of the strings below in the browser address bar:

  • &xref=
  • .ask.com
  • .facebook.
  • .facebook.
  • .google.
  • /aol/search?
  • /dnserror
  • /gen_204?
  • /search/results.php?
  • /search;
  • /search?
  • 37millionminutes.com
  • ?xurl=
  • about:
  • blinkx.com
  • complete
  • dailymotion.com
  • egotv.com
  • eyehandy.com
  • gourmandia.com
  • interactive
  • mevio.com
  • res://
  • search.aol.
  • search.icq.com
  • search.yahoo.
  • videobash.com
  • WebBrowser
  • www.bing.com
  • www.google.

  SOLUTION

Minimum Scan Engine:

9.200

FIRST VSAPI PATTERN FILE:

8.888.03

FIRST VSAPI PATTERN DATE:

05 Apr 2012

VSAPI OPR PATTERN File:

8.889.00

VSAPI OPR PATTERN Date:

05 Apr 2012

Step 1

For Windows XP and Windows Server 2003 users, before doing any scans, please make sure you disable System Restore to allow full scanning of your computer.

Step 2

Restart in Safe Mode

Step 3

Restore this modified registry value

Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.

  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems
    • From: Windows = "%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=consrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16"
      To: Windows = "%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16"

Step 4

Search and delete these files

There may be some component files that are hidden. Please make sure you check the Search Hidden Files and Folders checkbox in the "More advanced options" option to include all hidden files and folders in the search result.
  • %Windows%\assembly\GAC_32\Desktop.ini
  • %Windows%\assembly\GAC_64\Desktop.ini

Step 5

Restart in normal mode and scan your computer with your Trend Micro product for files detected as TROJ_SIREFEF.OI. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.

Step 6

Restore these deleted registry keys/values from backup

*Note: Only Microsoft-related keys/values will be restored. If the malware/grayware also deleted registry keys/values related to programs that are not from Microsoft, please reinstall those programs on your computer.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries
LibraryPath = "mswsock.dll"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries64
PackedCatalogItem = "mswsock.dll"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries
LibraryPath = "mswsock.dll"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries64
PackedCatalogItem = "mswsock.dll"

NOTES:

For users running Windows 7 64-bit,

Please perform the following set of instructions before proceeding to Step 4 above.

  1. Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter.
  2. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE\System\Select
  3. In the right panel, locate the following registry entry and take note of the value:
    LastKnownGood = {number}
  4. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE\ControlSet00{noted number}\Control\Session Manager\Subsystem
  5. In the right panel, locate the registry value:
    Windows = %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=consrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16
  6. Right-click on the value name and choose Modify. Change the value data of this entry to:
    Windows = %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16
  7. Restart your computer.
  8. Press F8 after the Power-On Self Test (POST) routine is done. If the Advanced Boot Options menu does not appear, try restarting then pressing F8 several times after the POST screen appears.
  9. On the Advanced Boot Options menu, use the arrow keys to select the Last Known Good Configuration option then press Enter.
  10. Check if the registry still contains consrv. If not you may delete the file consrv.dll.
    Note: If you are not able to do step 8 on the first attempt, or consrv is still in your registry at step 10, perform the steps again from step 1 of this solution set.

