Sunday, June 17, 2012


THERE'S A NEW TROJAN IN TOWN:

"trojan:win64/sirefef.y"

[and it's a tough adversary - should you get it]



Yes, you could almost call this "A Tale of Two Brians", but I'll leave it at that and tell you this Trojan is smart, clever, and as frustrating as another Trojan was back at the first of the year! The Trojan lets you log into your PC, and as you fervently try to get Malwarebytes going (or anything else), it reboots your system. The time it lets your PC stay "UP" is in the 50-second to just-under-2-minute time frame - you are then informed via pop-up that it's shutting down the computer.

Safe Mode? Safe Mode w/ Networking? Safe Mode with Command Prompt? Same results. After an hour of sweat layered on my skin I began to think, "This is one of those rare ones that I'm going to have to bring back to the shop" (I even brought in my two-wheeler after the first hour).

I had my Microsoft "OFFLINE DEFENDER SECURITY CD" with me, which identified the files, but when it came to deleting them all I got was an error message. I did write down the path though, just as the whistle blew telling me it was the 7th inning stretch and time was running out - 2 more innings and it was back to the showers.

Basically what worked:

Using the customer's other PC (laptop) I d/l'd the latest 64-bit version of "Offline Defender" from MS (making a USB stick a bootable Offline Defender), ran the scan, and it found it and removed it (twice).

Next, the PC allowed me to do multiple runs of ComboFix, Autoruns, Malwarebytes, etc.

Several ComboFix/MBAM runs later, and so far - 2 days later - the customer has seen no further problems.

The "other" Brian, whose image is distorted as he is now in the "virus protection system"

P.S. - Many thanks to the unnamed "Brian" who was savvy enough to read up on the Trojan and try a few things before I arrived, which saved me time!
