Friday, July 13, 2012

Zero Access - Trojan Sirefef

This is for Windows 7 and Vista.
**attention**
This virus can hide in different folders; here is a link to another Sirefef removal guide:
http://www.mybloggo.com/how-i-removed-desktop-ini-virusmalware/#more-118



Arrival Details
This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Installation
This Trojan creates the following folders: FIND and DELETE
  • %Application Data%\{082f346d-1afd-ef95-7a41-5848b36bed23}
  • %Application Data%\{082f346d-1afd-ef95-7a41-5848b36bed23}\U
  • %Application Data%\{082f346d-1afd-ef95-7a41-5848b36bed23}\L
  • %Windows%\Installers\{082f346d-1afd-ef95-7a41-5848b36bed23}
  • %Windows%\Installers\{082f346d-1afd-ef95-7a41-5848b36bed23}\U
  • %Windows%\Installers\{082f346d-1afd-ef95-7a41-5848b36bed23}\L
(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Windows\Profiles\{user name}\Application Data on Windows 98 and ME, C:\WINNT\Profiles\{user name}\Application Data on Windows NT, and C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000, XP, and Server 2003. %Windows% is the Windows folder, which is usually C:\Windows or C:\WINNT.)
Other System Modifications
This Trojan modifies the following registry entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InprocServer32

@ = "\.\globalroot\systemroot\Installer\{082f346d-1afd-ef95-7a41-5848b36bed23}\n."
Note: The original (pre-infection) value data of the (default) entry is %System%\wbem\wbemess.dll
Note: The original value data of threadingModel is "Both"
-------------------------------------------------------------------------------------------------------
HKEY_CLASSES_ROOT\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32

@ = "%Application Data%\{082f346d-1afd-ef95-7a41-5848b36bed23}\n."
Note: The original (pre-infection) value data of the (default) entry is %System%\system32\shell32.dll
Note: The original value data of threadingModel is "Apartment"
Dropping Routine
This Trojan drops the following files: FIND and DELETE
  • %Application Data%\{082f346d-1afd-ef95-7a41-5848b36bed23}\@
  • %Application Data%\{082f346d-1afd-ef95-7a41-5848b36bed23}\n
  • %Windows%\Installer\{082f346d-1afd-ef95-7a41-5848b36bed23}\@
  • %Windows%\Installer\{082f346d-1afd-ef95-7a41-5848b36bed23}\n
  • %Windows%\Installer\{082f346d-1afd-ef95-7a41-5848b36bed23}\U\00000001.@
  • %Windows%\Installer\{082f346d-1afd-ef95-7a41-5848b36bed23}\U\80000000.@
  • %Windows%\Installer\{082f346d-1afd-ef95-7a41-5848b36bed23}\U\800000cb.@
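The folder, file and registry artifacts listed in the Installation, Other System Modifications and Dropping Routine sections can be checked in one pass before anything is deleted. The script below is an added example written for this page, not code from the original post; it only reports, it does not remove anything. It assumes %Application Data% maps to the current profile's $env:APPDATA and $env:LOCALAPPDATA and %Windows% to $env:windir (the post's note gives the older Windows paths), and it checks both the "Installer" and "Installers" spellings because the post uses both.

```powershell
# Added example (not from the original post): read-only check for the Sirefef/ZeroAccess
# artifacts the post lists. The GUID, CLSIDs and file names are taken from the post;
# the mapping of %Application Data% / %Windows% to environment variables is an assumption.
$Guid = '{082f346d-1afd-ef95-7a41-5848b36bed23}'

# %Application Data% and %Windows% as used in the post, mapped to the current profile.
$AppDataRoots = @($env:APPDATA, $env:LOCALAPPDATA) | Where-Object { $_ }
$WindowsRoot  = $env:windir

$Findings = New-Object System.Collections.Generic.List[string]

# 1. Folders and dropped files named in the Installation and Dropping Routine sections.
$RelativePaths = @("$Guid", "$Guid\U", "$Guid\L", "$Guid\@", "$Guid\n",
                   "$Guid\U\00000001.@", "$Guid\U\80000000.@", "$Guid\U\800000cb.@")
# The post spells the Windows subfolder both "Installer" and "Installers"; check both.
$Roots = $AppDataRoots + @("$WindowsRoot\Installer", "$WindowsRoot\Installers")
foreach ($root in $Roots) {
    foreach ($rel in $RelativePaths) {
        $full = Join-Path $root $rel
        # -LiteralPath so that '@', '{' and '}' are never treated as wildcards.
        if (Test-Path -LiteralPath $full) {
            $Findings.Add("Path present: $full")
        }
    }
}

# 2. The two CLSID InprocServer32 entries the post says are redirected.
#    The clean values are the ones the post's notes give as the original data.
$ClsidChecks = @(
    @{ Key = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InprocServer32'
       CleanDefault = 'wbemess.dll'; CleanThreading = 'Both' },
    @{ Key = 'Registry::HKEY_CLASSES_ROOT\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32'
       CleanDefault = 'shell32.dll'; CleanThreading = 'Apartment' }
)
foreach ($c in $ClsidChecks) {
    $props = Get-ItemProperty -LiteralPath $c.Key -ErrorAction SilentlyContinue
    if (-not $props) { $Findings.Add("Key missing or unreadable: $($c.Key)"); continue }
    $default   = [string]$props.'(default)'
    $threading = [string]$props.ThreadingModel
    # Either the malware GUID or a \.\globalroot\ style path in (default) is a clear hit.
    if ($default -like "*$Guid*" -or $default -like '*globalroot*') {
        $Findings.Add("InprocServer32 redirected to malware path: $($c.Key) -> $default")
    } elseif ($default -notlike "*$($c.CleanDefault)") {
        $Findings.Add("InprocServer32 default is not the expected DLL: $($c.Key) -> $default")
    }
    if ($threading -ne $c.CleanThreading) {
        $Findings.Add("ThreadingModel is '$threading', expected '$($c.CleanThreading)': $($c.Key)")
    }
}

if ($Findings.Count -eq 0) {
    Write-Output "No Sirefef artifacts from the list above were found."
} else {
    $Findings | ForEach-Object { Write-Output $_ }
}
```

Run it from an elevated PowerShell prompt, since the HKEY_LOCAL_MACHINE key and the %Windows%\Installer folder are not readable by every account. A clean machine prints the "No Sirefef artifacts" line; on an infected one the InprocServer32 lines are the ones to act on first, because as long as those CLSIDs point into the GUID folder the dropped files will be reloaded.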