Sirefef refers to a family of stealthy malicious files that come in several known variants. Computers are most commonly infected with Sirefef through social engineering attacks, poisoned ads, and malicious files disguised as program or software updates.

The trait that defines and unites all Sirefef variants is the ability to remain hidden on infected computers using rootkit technology while simultaneously downloading more noticeable components. Sirefef achieves this by disabling antivirus services and preventing their processes from running, even when the antivirus programs were installed before the infection.

Once infected, a computer becomes part of the massive Sirefef botnet, a network used for a click-fraud scheme that generates revenue and commissions from fake click traffic. Online security experts and analysts estimate that Sirefef variants have been installed globally over 9 million times, mostly in the United States, with an estimated worldwide botnet size of around 1 million infected computers.

Visible Symptoms of Sirefef Infection

Sirefef infections peaked during the middle of 2012. Most antivirus companies have since caught up and have released updates that detect and remove malicious Sirefef files. These updates should be installed as soon as the antivirus software in use makes them available.

Even without the aid of antivirus software, however, Sirefef infection usually displays itself in the following visible symptoms:

  1. Abrupt changes in the homepage of the browser one is using and in the icons on one’s desktop.
  2. Unexplained redirects to unknown web pages when using search engines like Google, Yahoo!, or Bing.
  3. Unwanted ads start popping up.
  4. Computer and Internet functionality become increasingly slow.

While a computer displays these visible symptoms of Sirefef infection, the malicious file itself operates in stealth, connecting to malicious websites and downloading further malicious components, thus exposing the infected computer to additional risks such as remote manipulation, information theft and other related threats.

Infected Files and Registries

Variants of Sirefef are known to create folders with random numbers and letters for file names in a computer’s %Application Data% and %Windows% folders. Inside these folders, Sirefef then drops malicious files, usually with file names like “@,” “X,” “n” or a random series of numbers.

To enable it to automatically execute every time a computer starts up, Sirefef adds the following registry entry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\8c0f0459
ImagePath = "\systemroot\{file name}.exe"

It also adds the following registry entry:

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell = "%Application Data%\{folder name}\{file name}"

Also as part of its installation routine, Sirefef creates several entries under the following registry keys:

HKEY_CLASSES_ROOT\Interface\
HKEY_CURRENT_USER\Software\
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List%Windows%\

Variants of Sirefef are also known to infect the services.exe file so that Windows loads the malicious file Sirefef has dropped on the computer in place of a legitimate one, such as a program installer.

Manual Removal

Because Sirefef exposes infected computers and their users to high risks such as information theft and abuse by malicious users, the malware and all its traces should be removed without delay. One can manually remove Sirefef by terminating its processes, deleting its malicious files and removing its registry entries, following these steps:

  1. Make sure all important files and system registry settings are saved and properly backed up before performing the cleanup.
  2. Restart the computer into Safe Mode with Networking.
  3. Delete all Sirefef associated files and folders. These can be found in the %Application Data% folder (usually C:\Documents and Settings\{username}\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Roaming on Windows Vista and 7) and the %Windows% folder (usually C:\Windows).
    Sirefef files usually have file names like "@," "X," "n" or a random series of numbers.
  4. Press CTRL+ALT+DEL to open the Task Manager. Right click on running .exe processes with random-looking names and hit "End Process."
  5. Go to the Start Menu and click "Run." Type "regedit" and click "OK." This will open the Windows Registry Editor.
    Delete all Sirefef associated registry entries found under the following registry keys:
    HKEY_CLASSES_ROOT\Interface\
    HKEY_CURRENT_USER\Software\
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List%Windows%\
  6. Restart the computer into Normal Mode.
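Before deleting anything, the persistence points listed in the "Infected Files and Registries" section and the removal steps above can be audited on the affected host. The following PowerShell script is an added example, not part of the original article; it is read-only, assumes PowerShell 3.0 or later, and only checks the service name, ImagePath, Winlogon Shell, drop-folder file names and firewall allow-list location that the article describes.

```powershell
# Added audit script (not from the article): reports the Sirefef persistence points
# described above and deletes nothing. Run from an elevated PowerShell 3.0+ session
# and review every hit by hand before following the manual removal steps.
$findings = @()

# 1. A Winlogon Shell value under HKCU is normally absent; Sirefef points it at a dropped file.
$winlogon = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
$shell = (Get-ItemProperty -Path $winlogon -ErrorAction SilentlyContinue).Shell
if ($shell -and $shell -ne 'explorer.exe') { $findings += "Winlogon Shell overridden: $shell" }

# 2. A service with an 8-hex-character name (article example: 8c0f0459) whose ImagePath
#    is an .exe placed directly in \systemroot\ rather than under a normal driver path.
Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
  Where-Object { $_.PSChildName -match '^[0-9a-f]{8}$' } |
  ForEach-Object {
    $img = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).ImagePath
    if ($img -match '^\\systemroot\\[^\\]+\.exe$') {
      $findings += "Service $($_.PSChildName) has ImagePath=$img"
    }
  }

# 3. Subfolders of %AppData% and %Windows% holding files named "@", "X", "n" or digits only.
$dropName = '^(@|X|n|\d+)$'
foreach ($root in @($env:APPDATA, $env:WINDIR)) {
  Get-ChildItem -Path $root -Directory -Force -ErrorAction SilentlyContinue | ForEach-Object {
    $hits = Get-ChildItem -Path $_.FullName -File -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -match $dropName }
    if ($hits) { $findings += "Drop folder $($_.FullName) holds: $($hits.Name -join ', ')" }
  }
}

# 4. Firewall allow-list entries for programs under %Windows%; the article notes Sirefef
#    adds entries here, so each one is listed for manual review rather than flagged outright.
$fwList = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'
$props = Get-ItemProperty -Path $fwList -ErrorAction SilentlyContinue
if ($props) {
  $props.PSObject.Properties | Where-Object { $_.Name -like "$env:WINDIR\*" } |
    ForEach-Object { $findings += "Firewall allow-list entry to review: $($_.Name)" }
}

if ($findings.Count -eq 0) { 'No Sirefef indicators found.' } else { $findings }
```

Because the rootkit component can hide files and registry keys from a running system, a clean result from this script on a live host is not proof of a clean machine; the article's advice to rely on updated antivirus signatures still applies.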