Microsoft Malware Protection Center
Threat Research & Response Blog
MSRT February 2013 – Sirefef
msft-mmpc
12 Feb 2013 10:14 AM
The family added to the February release of the Malicious Software Removal Tool is Win32/Sirefef. Win32/Sirefef is a highly prevalent, complex multi-component family which continues to evolve. The payload for current variants may include such actions as modifying browser search engine results, generating pay-per-click revenue and performing Bitcoin mining on an affected computer.
The first detection for Sirefef was added in July 2009. Whilst the form of some malware families remains relatively constant over time, Sirefef is a family whose form has changed drastically over multiple generations. Active Sirefef variants are also diverse. For example, there are at least three different fundamental Sirefef installation packages which are currently being distributed.
Sirefef has grown in prevalence over time and may arrive on a machine via a number of methods. We have observed Sirefef installed via exploit, especially via kits such as Blackhole. Sirefef may also be installed by a wide variety of other malware, including variants of the Win32/Beebone family (such as TrojanDownloader:Win32/Beebone.gen!A), the Win32/Karagany family (such as TrojanDownloader:Win32/Karagany.I), and the Win32/Dofoil family, to name just a small number. Another distribution method is via social engineering, employing the use of typical enticing filenames related to cracks, keygens and pirated software to encourage a user to run the malware.
Here are some example filenames:
"Download Nokia Dongle.exe"
"Facebook Password Cracker.exe"
"autocad_2007_full_crack.exe"
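The lure filenames above share a recognisable pattern (crack, keygen, password-cracker and "full version" wording on an executable), which is something a defender can score during triage of downloads or email attachments. The following is an added example written for this post, not MMPC code or any Microsoft detection signature: the keyword weights, the threshold of 3 and the benign and double-extension sample names are constructed assumptions, while the three lure names are the ones quoted in the post. It normalises the filename, checks for an executable extension, scores lure terms and spoofed document extensions (such as "photos.jpg.exe"), and returns a verdict with the reasons behind it.

```python
import re
from dataclasses import dataclass, field

# Keyword weights are an assumption of this example: they encode the lure
# themes the post names (cracks, keygens, pirated software), not an MMPC
# signature. Tune them against your own download telemetry.
LURE_TERMS = {
    "crack": 3, "cracked": 3, "cracker": 3, "keygen": 3, "serial": 2,
    "activator": 2, "password": 2, "hack": 2, "dongle": 2,
    "full": 1, "free": 1, "download": 1, "patch": 1,
}
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "msi", "vbs", "js"}
# Extensions a lure may spoof in a double-extension name such as "x.pdf.exe".
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "jpg", "png", "txt", "mp3", "avi", "zip"}
YEAR_RE = re.compile(r"(19|20)\d{2}")
SUSPICIOUS_THRESHOLD = 3  # constructed threshold for this example


@dataclass
class Verdict:
    filename: str
    score: int
    reasons: list[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return self.score >= SUSPICIOUS_THRESHOLD


def tokenize(stem: str) -> list[str]:
    """Split a file stem on spaces, dots, underscores, dashes and brackets."""
    return [t for t in re.split(r"[\s._\-()\[\]]+", stem.lower()) if t]


def triage_filename(filename: str) -> Verdict:
    """Score one filename; only executable extensions are considered at all."""
    name = filename.strip().strip('"')
    parts = name.lower().split(".")
    if len(parts) < 2 or parts[-1] not in EXECUTABLE_EXTS:
        return Verdict(name, 0, ["not an executable extension"])
    ext = parts[-1]
    stem = ".".join(parts[:-1])
    tokens = tokenize(stem)
    score, reasons = 0, []

    # Unique lure terms in order of appearance, each counted once.
    hits = [t for t in dict.fromkeys(tokens) if t in LURE_TERMS]
    for t in hits:
        score += LURE_TERMS[t]
        reasons.append(f"lure term '{t}'")

    # "photos.jpg.exe": a document extension hidden in front of the real one.
    if len(parts) >= 3 and parts[-2] in DOCUMENT_EXTS:
        score += 3
        reasons.append(f"document extension spoofed: .{parts[-2]}.{ext}")

    # A product-version year next to a lure term ("autocad_2007_full_crack")
    # is the pirated-software pattern the post describes.
    if hits and any(YEAR_RE.fullmatch(t) for t in tokens):
        score += 1
        reasons.append("product-version year alongside lure term")

    return Verdict(name, score, reasons)


def triage_many(filenames) -> list[Verdict]:
    """Return only the suspicious verdicts, highest score first."""
    verdicts = [triage_filename(f) for f in filenames]
    return sorted((v for v in verdicts if v.suspicious), key=lambda v: -v.score)


# Constructed sample input: the first three names are quoted in the post,
# the rest are made up for this example.
SAMPLE_FILENAMES = [
    "Download Nokia Dongle.exe",
    "Facebook Password Cracker.exe",
    "autocad_2007_full_crack.exe",
    "quarterly_report.pdf",
    "setup.exe",
    "holiday_photos.jpg.exe",
]

if __name__ == "__main__":
    for v in triage_many(SAMPLE_FILENAMES):
        print(f"{v.score:>2}  {v.filename}  <- {'; '.join(v.reasons)}")
```

The score is a triage aid, not a detection verdict: a hit should route the file to sandboxing or a reputation lookup, since legitimate installers also carry words like "full" or "download", and a lure can equally use a neutral name.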
For additional details, you can read our Win32/Sirefef family description.
-Scott Molenkamp
MMPC Melbourne