May 29th, 2013

Analysis of a self-debugging Sirefef cryptor

Recently I wrote a blog post about a legitimate website spreading Sirefef malware. Then I continued with a deeper analysis and noticed that it uses an interesting cryptor.

Malware authors spread many new variants of malware every day. These variants often look completely different at first glance. That’s why regular updates of your antivirus are important. However, when we look deeper into most malware spreading these days, we see that the core functions do not change very often. Most of the variability of today’s malware is caused by encapsulating it with so-called “cryptors.”

In most cases, these cryptors are pretty boring pieces of software. They usually take seemingly random data from the malicious file, reshuffle it in the correct way so that these bytes become executable code, and then execute it. However, the authors of Sirefef malware often come up with more interesting methods of loading their programs, and we will look at their method in this blog post.

Now, let’s get to Sirefef. Soon after it is executed, we can see the following scheme.

May 3rd, 2013

Regents of Louisiana spreading Sirefef malware

I was given a suspicious website link pointing to the website belonging to the Board of Regents of the State of Louisiana. This link points to the main website hxxp://, followed by /wp-content/upgrade/<numbers>.exe, where <numbers>.exe represents several random digits followed by the EXE extension.

February 13th, 2013

Avast antivirus 2012 trial? No, just a scam

I don’t know what kind of curiosity leads people to the dark corners of the internet when they want to obtain a new version of antivirus software. It’s somewhat irrational to look for security software in insecure places. But… it happens.

As you can see, the file name is Avast_Antivirus_2012_Trial_Verion.exe, but it is definitely not a proper setup released by us. Here are some facts that are worth remembering:

