
System Infected: Trojan.Sefnit Activity

Severity: High

This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.

Description

This signature detects network traffic generated by Trojan.Sefnit, which could lead to further infection of the affected system.

Additional Information

When the Trojan is executed, it creates the following file:
%UserProfile%\Application Data\acxmapdb\AgerePadClock.dll

It then creates the following registry subkey:
HKEY_CLASSES_ROOT\CLSID\{4fc3d0c1-7d9a-4c56-aa94-d5eb3997e46e}

The Trojan also creates the following registry entry, so that it starts when Windows starts:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"AgerePadClock" = "rundll32.exe "%USERAPPDATA%\acxmapdb\AgerePadClock.dll",isaAuthenticationInit SyncWISupport"

The Trojan monitors both the Internet Explorer and Mozilla Firefox Web browsers and redirects search queries submitted to the following sites:
search.live.com
google.com
yahoo.com
bing.com

The threat may redirect these search queries to the following address:
[http://]94.228.209.142
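As an added defender-side example (not part of Symantec's signature or write-up), the Python below checks Run-key values and proxy-log lines against the indicators listed above. The log line format, the sample data and the generalised rule that flags any rundll32 autostart loading a DLL from the user profile are assumptions, not something the advisory states.

```python
import re
from urllib.parse import urlsplit
# Indicators quoted from the advisory above; they are not a complete Sefnit IoC set
SEFNIT_DLL = "acxmapdb\\agerepadclock.dll"
SEFNIT_REDIRECT_IP = "94.228.209.142"
SEARCH_DOMAINS = ("search.live.com", "google.com", "yahoo.com", "bing.com")
# Matches the autostart form used here: rundll32.exe "<dll>",<export> [args]
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+)"?\s*,\s*(\S+)', re.I)

def parse_rundll32(command):
    """Return (dll_path, export_name) for a rundll32 command line, else None."""
    m = RUNDLL_RE.search(command)
    return (m.group(1), m.group(2)) if m else None

def check_run_entries(run_values):
    """run_values: {value_name: command} read from a Run key. Returns [(value_name, reason)]."""
    hits = []
    for name, cmd in run_values.items():
        parsed = parse_rundll32(cmd)
        if parsed is None:
            continue
        dll, export = parsed
        dll_l = dll.lower()
        if SEFNIT_DLL in dll_l:
            hits.append((name, "known Trojan.Sefnit DLL path"))
        elif "%userappdata%" in dll_l or "\\application data\\" in dll_l:
            # Assumed generalisation: a rundll32 autostart of a user-profile DLL deserves a look
            hits.append((name, f"rundll32 loads a user-profile DLL via export {export}"))
    return hits

def check_proxy_log(lines):
    """Lines are '<time> <client_ip> <url> <referrer_url>' (constructed format); flags
    requests to the redirect IP whose referrer is one of the search sites above."""
    hits = []
    for line in lines:
        _, client, url, referrer = line.split()
        if urlsplit(url).hostname != SEFNIT_REDIRECT_IP:
            continue
        ref_host = urlsplit(referrer).hostname or ""
        if any(ref_host == d or ref_host.endswith("." + d) for d in SEARCH_DOMAINS):
            hits.append((client, ref_host))
    return hits

# Constructed sample data so the block runs offline
SAMPLE_RUN = {
    "AgerePadClock": 'rundll32.exe "%USERAPPDATA%\\acxmapdb\\AgerePadClock.dll",isaAuthenticationInit SyncWISupport',
    "OneDrive": '"C:\\Users\\u\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" /background',
}
SAMPLE_LOG = [
    "10:00:01 10.0.0.5 http://94.228.209.142/?q=bank+login http://www.google.com/search?q=bank+login",
    "10:00:02 10.0.0.5 http://www.bing.com/search?q=weather http://www.bing.com/",
]
```

Run values can be read from `HKCU\Software\Microsoft\Windows\CurrentVersion\Run` with any registry tool and fed in as the dictionary; the log checker expects one request per whitespace-separated line.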

Affected

  • Windows