Sirefef Description

Type: Trojan

Sirefef is a multi-component malware family that was highly active in 2012. It is the detection name commonly applied to variants of the infamous ZeroAccess rootkit family, and ESG security researchers treat any infection involving a Sirefef component as extraordinarily severe. ESG security analysts strongly recommend using an advanced anti-malware solution with anti-rootkit capabilities to remove any component in the Sirefef family. Sirefef's rootkit techniques let the infection evade detection and removal, and an incomplete or incorrect removal can leave the operating system damaged beyond repair. For that reason, ESG malware analysts strongly advise against any attempt to remove a Sirefef component manually.

Because a Sirefef infection involves many components and countless variants exist, the actual payload varies from one case to another. ESG security researchers have observed the Sirefef family being used to install and protect browser hijackers, fake security programs (Sirefef was particularly linked to a massive outbreak of FakeVimes infections in 2012) and banking Trojans. Most variants in the Sirefef family nevertheless share the following features:

  1. Sirefef components open a backdoor on the compromised computer and contact a remote host to send or receive data.
  2. Sirefef can download and execute additional malicious files from a remote server.
  3. Sirefef components use rootkit techniques to hide from most security programs, and they can disable many security applications and Windows components, particularly ones that have not been kept up to date.

Sirefef components tend to infect system drivers and can reinstall themselves automatically after a partial removal. They also encrypt their components and store them in a hidden file system on the infected disk (the RECYCLER path listed under File System Details below is one such store). Because of the severity of a Sirefef infection, essential system files may become irrevocably corrupted; in such cases it may be necessary to reinstall the operating system and accept the complete loss of data. The AA, AC and AH variants of the Sirefef family (Trojan:Win32/Sirefef.AA, for example) typically infect the system so thoroughly that wiping the hard drive and reinstalling Windows is the only way to be certain the infection has been removed.

Technical Information

File System Details

Sirefef creates or infects the following file(s):

| # | File name | Size (bytes) | MD5 | Detection count |
|---|---|---|---|---|
| 1 | %WINDIR%\system32\ARCSOFTVIRTUALCAPTURE.dll | 5,632 | 11028c6a84a967070cb1286550f2058f | 21 |
| 2 | %SystemDrive%\RECYCLER\S-1-5-21-1454471165-2000478354-1801674531-1003\$82d97a3c8802be0606cf59ba8c0b2a9d\n. | 52,736 | ae3981ec9692fcc8861db818e761bff8 | 3 |
| 3 | afd.sys | N/A | N/A | N/A |
| 4 | mrxsmb.sys | N/A | N/A | N/A |
| 5 | i8042prt.sys | N/A | N/A | N/A |
| 6 | netbt.sys | N/A | N/A | N/A |
| 7 | raspppoe.sys | N/A | N/A | N/A |
| 8 | win32k.sys | N/A | N/A | N/A |
| 9 | ipsec.sys | N/A | N/A | N/A |
| 10 | serial.sys | N/A | N/A | N/A |
| 11 | file.exe | 270,336 | 17ccd894ee2ac81292487a367ac84c53 | 0 |

Entries 3 to 10 are the names of legitimate Windows drivers. Sirefef does not create them; it infects one of them to load its kernel-mode component, so their mere presence is not an indicator of compromise. Verify their digital signatures and compare their hashes against known-clean copies rather than matching on name. In entry 2, the S-1-5-21-... directory is the victim account's SID and the 32-character hexadecimal directory name is specific to that infection; expect both to differ on other systems. The hashes in the table identify only the exact samples analysed here, not the family as a whole.
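As an added example, not part of the original page and not ESG's own tooling, the following Python script turns the indicators in the table above into an offline triage check. It walks a directory tree, MD5-hashes every regular file against the hashes listed in the table, flags any file stored under a RECYCLER\<SID>\$<32 hex>\ directory, flags ARCSOFTVIRTUALCAPTURE.dll when it sits in a system32 directory, and reports the listed driver names for signature verification instead of treating their presence as malicious. The regular expression generalises the single RECYCLER path in the table to any account SID and any 32-digit hex directory name; that generalisation, and the placeholder files the demo constructs, are assumptions made for the example.

```python
"""Offline IOC triage for the Sirefef artefacts listed on this page."""
import hashlib
import os
import re
import tempfile
from pathlib import Path

# MD5 values copied from the file-system table on this page.
KNOWN_MD5 = {
    "11028c6a84a967070cb1286550f2058f": "ARCSOFTVIRTUALCAPTURE.dll",
    "ae3981ec9692fcc8861db818e761bff8": "hidden RECYCLER store component n",
    "17ccd894ee2ac81292487a367ac84c53": "file.exe",
}

# Legitimate Windows drivers the page lists as infection targets. Finding
# them is normal; they need a signature/hash check, not a name match.
TARGET_DRIVERS = {
    "afd.sys", "mrxsmb.sys", "i8042prt.sys", "netbt.sys",
    "raspppoe.sys", "win32k.sys", "ipsec.sys", "serial.sys",
}

# RECYCLER\<user SID>\$<32 hex>\ generalised from the one path in the table.
# Assumption: the hidden directory name is always 32 hex digits.
HIDDEN_STORE_RE = re.compile(
    r"[\\/]RECYCLER[\\/]S-1-5-21(?:-\d+){4}[\\/]\$[0-9a-f]{32}[\\/]",
    re.IGNORECASE,
)


def md5_of(path):
    """Stream the file so large files are not loaded into memory at once."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def scan(root, known_md5=KNOWN_MD5):
    """Walk root and return (category, path, detail) tuples.

    known_hash    - MD5 matches one listed on this page
    hidden_store  - file lives in a RECYCLER\\<SID>\\$<hex>\\ tree
    dropped_dll   - ARCSOFTVIRTUALCAPTURE.dll under a system32 directory
    verify_driver - a driver name the page says Sirefef infects
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            win = full.replace(os.sep, "\\")  # regex uses Windows separators
            lower = name.lower()
            try:
                digest = md5_of(full)
            except OSError:
                continue  # unreadable (locked, vanished) files are skipped
            if digest in known_md5:
                findings.append(("known_hash", full, known_md5[digest]))
            if HIDDEN_STORE_RE.search(win):
                findings.append(("hidden_store", full, digest))
            if (lower == "arcsoftvirtualcapture.dll"
                    and os.path.basename(dirpath).lower() == "system32"):
                findings.append(("dropped_dll", full, digest))
            if lower in TARGET_DRIVERS:
                findings.append(("verify_driver", full,
                                 "check Authenticode signature and hash"))
    return findings


def demo():
    """Build a constructed directory tree (placeholders, not malware) and scan it."""
    base = Path(tempfile.mkdtemp(prefix="sirefef-demo-"))
    store = (base / "RECYCLER" / "S-1-5-21-1454471165-2000478354-1801674531-1003"
             / "$82d97a3c8802be0606cf59ba8c0b2a9d")
    store.mkdir(parents=True)
    (store / "n").write_bytes(b"constructed placeholder, not the real component")
    sys32 = base / "WINDOWS" / "system32"
    (sys32 / "drivers").mkdir(parents=True)
    (sys32 / "ARCSOFTVIRTUALCAPTURE.dll").write_bytes(b"constructed placeholder dll")
    (sys32 / "drivers" / "afd.sys").write_bytes(b"constructed placeholder driver")
    # The real samples are not available here, so the hash of one constructed
    # placeholder is added to exercise the known_hash path.
    known = dict(KNOWN_MD5)
    known[md5_of(sys32 / "ARCSOFTVIRTUALCAPTURE.dll")] = "constructed placeholder"
    return scan(base, known)


if __name__ == "__main__":
    for category, path, detail in demo():
        print(f"{category:13} {path}  [{detail}]")
```

Run `scan()` against the root of a mounted disk image or a volume. Because Sirefef hides its files from the infected operating system, a scan from inside the running Windows installation may see nothing; image the disk or boot from clean media first. A hash match is conclusive only for the exact samples on this page, so the path pattern and the driver check carry most of the weight against other variants; for the drivers, PowerShell's `Get-AuthenticodeSignature` or Sysinternals `sigcheck` shows whether the file is still validly signed by Microsoft.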
