Total percentage of the Top10: 17.56 %

Rank Name Percentage
1 Win32:DNSChanger-VJ [Trj] 5.86 %

Win32:DNSChanger-VJ [Trj] is part of a rootkit. It tries to protect other malware components, for example by blocking access to update sites for security updates and signature updates. Any access to these hosts is resolved to "localhost", which effectively makes them unreachable. It is called DNSChanger because it manipulates DNS resolution.

This Trojan pretends to be a normal .wma audio file, albeit one that can only be played after installing a special codec/decoder on Windows systems. If a user executes the file, the attacker can install all kinds of malicious code on the system. The infected audio files are primarily spread via file sharing networks.

This malware is another variant component of the Sirefef/ZeroAccess malware family. Its task is to manipulate search engine results in web browsers to lead users to click on the manipulated results and therefore generate money for the attackers (pay per click ads). The file is usually dropped in “%Windows%\Installer\{GUID}\U\” as "80000032.@". It monitors Internet traffic and hijacks the browser session in case it encounters one of several predefined URLs.

This detection belongs to the Sirefef Trojan family's rootkit component. It copies its own .dll with variable names into the Windows system folder (/WINDOWS/system32). Furthermore, it performs several other system modifications to disguise the Sirefef Trojan malware. Its main intention is to manipulate search engine results in web browsers to lead users to click on the manipulated results and therefore generate money for the attackers (pay per click ads).

This malware is another component of the Sirefef/ZeroAccess Trojan family. Usually, this malware is found by the names "80000000.@", "800000cb." or "00000001." in “%Windows%\Installer\{GUID}\U\” or "C:/RECYCLER/S-1-5-18/$****/U".
The malware monitors svchost.exe and injects a DLL file into svchost.exe, which turns out to be another Sirefef component, detected as Gen:Variant.Graftor.31786.
Another intention of this malware is to manipulate search engine results in web browsers to lead users to click on the manipulated results and therefore generate money for the attackers (pay per click ads).

This detection triggers if files try to exploit the security vulnerability described in CVE-2011-2140. Possible file types showing this behaviour: Specially crafted multimedia files, like .MP4.
The infected file's aim is to exploit the security vulnerability to perform further malicious action on the victim computer - e.g. downloading and executing any other malware.

This generic detection triggers if files try to exploit the security vulnerability described in CVE-2011-3402. Possible file types showing this behaviour: Specially crafted Microsoft Word documents or specially crafted font files.
The infected file's aim is to exploit the security vulnerability to perform further malicious action on the victim computer - e.g. downloading and executing any other malware.

Win32:ZAccess-PB [Trj] is a detection for the 32 bit and 64 bit DLL file components of the Sirefef/ZeroAccess malware family. Its main goal is to manipulate search engine results in web browsers to lead users to click on the manipulated results and therefore generate money for the attackers (pay per click ads).

This detection belongs to the category of potentially unwanted programs (PUP). It describes a variety of software (e.g. Zoomex, wxDfast, conTinuEtosave, etc.) which is installed as a process and/or browser plugin/BHO. This software comes with potentially unwanted functions, such as links to unknown websites within the folder “C:\Documents and Settings\All Users\Start Menu\Programs\{ApplicationName}”. The software is often part of software packages that users load from third-party websites and not directly from the original provider.

This detection belongs to a Sirefef Trojan component, a dll, and refers to a file named "000000??@" which is usually located at “%Windir%\Installer\U\{GUID}\”. It contains no executable code but an embedded bitcoin miner. With such a miner, the attacker can misuse the infected machine and its performance power to collect/to mine this digital currency online.

2 Trojan.Wimad.Gen.1 1.88 %
3 Trojan.Sirefef.XL 1.59 %
4 Win64:Sirefef-A [Trj] 1.44 %
5 Trojan.Sirefef.XF 1.36 %
6 MOV:CVE-2011-2140 [Expl] 1.32 %
7 Exploit.CVE-2011-3402.Gen 1.24 %
8 Win32:ZAccess-PB [Trj] 1.23 %
9 Gen:Adware.MPlug.1 1.00 %
10 Trojan.Sirefef.HU 0.64 %

Methodology

The Malware Information Initiative (MII) relies on the power of the online community and any customer that purchases a G Data security solution can take part in this initiative. The prerequisite for this is that they must have activated this function in their G Data program. If a computer malware attack is fended off, a completely anonymous report of this event is sent to G Data SecurityLabs. The data about the malware is collected and statistically assessed by G Data SecurityLabs.

Total percentage of the Top10: 18.12 %

Rank Name Percentage
1 Win32:DNSChanger-VJ [Trj] 6.77 %

Win32:DNSChanger-VJ [Trj] is part of a rootkit. It tries to protect other malware components, for example by blocking access to update sites for security updates and signature updates. Any access to these hosts is resolved to "localhost", which effectively makes them unreachable. It is called DNSChanger because it manipulates DNS resolution.

Win32:ZAccess-PB [Trj] is a detection for the 32 bit and 64 bit DLL file components of the Sirefef/ZeroAccess malware family. Its main goal is to manipulate search engine results in web browsers to lead users to click on the manipulated results and therefore generate money for the attackers (pay per click ads).

This Trojan pretends to be a normal .wma audio file, albeit one that can only be played after installing a special codec/decoder on Windows systems. If a user executes the file, the attacker can install all kinds of malicious code on the system. The infected audio files are primarily spread via file sharing networks.

This detection belongs to the Sirefef Trojan family's rootkit component. It copies its own .dll with variable names into the Windows system folder (/WINDOWS/system32). Furthermore, it performs several other system modifications to disguise the Sirefef Trojan malware. Its main intention is to manipulate search engine results in web browsers to lead users to click on the manipulated results and therefore generate money for the attackers (pay per click ads).

Generic.JS.Crypt1.C14787EE is a JavaScript which is able to load different images from different sites, depending on time. As it isn't obfuscated at all, it looks like an ordinary advertisement script to show ads. But it might also be used to generate artificial clicks to harvest money in a pay-per-click advertising system.

This detection belongs to the Sirefef Trojan family's rootkit component. These module files are usually dropped in “%Windows%\Installer\{GUID}\U\” as 80000000.@. They modify or add the registry entry “\CLSID\{GUID}\InprocServer32” to be loaded after boot-up. These modules check the internet connection by accessing www.google.com. Their main intention is to manipulate search engine results in web browsers to lead users to click on the manipulated results and therefore generate money for the attackers (pay per click ads).

This detection belongs to a Sirefef Trojan component, a dll, and refers to a file named "000000??@" which is usually located at “%Windir%\Installer\U\{GUID}\”. It contains no executable code but an embedded bitcoin miner. With such a miner, the attacker can misuse the infected machine and its performance power to collect/to mine this digital currency online.

This generic detection triggers if files try to exploit the security vulnerability described in CVE-2011-3402. Possible file types showing this behaviour: Specially crafted Microsoft Word documents or specially crafted font files.
The infected file's aim is to exploit the security vulnerability to perform further malicious action on the victim computer - e.g. downloading and executing any other malware.

This detection belongs to the Sirefef Trojan family's rootkit component. The detected file is usually named "800000cb.@" and can be found in different locations of the operating system. It identifies and manipulates the installed web browser to change search engine results. Its main intention is to lead users to click on these manipulated results and therefore generate money for the attackers (pay per click ads).

This detection belongs to the category of potentially unwanted programs (PUP) and comes in free software packages from programs such as Google Earth, Google Chrome etc., which are downloaded from sources other than the provider. Those software packages often come bundled with extras the user potentially does not want to have. In this current case, the third party software packet providers earn money for each install (pay per install).
In the current case, the potentially unwanted extras, that can be installed optionally, are 'Delta Toolbar' and an alleged system helper named "PC Driver Pro". The toolbar changes the browser start page and the default search engine and also prepares the browser to show targeted ads. The optimizer tool can only solve found problems after the user has bought it.

2 Win32:ZAccess-PB [Trj] 3.57 %
3 Trojan.Wimad.Gen.1 2.04 %
4 Win64:Sirefef-A [Trj] 1.40 %
5 Generic.JS.Crypt1.C14787EE 1.02 %
6 Trojan.Sirefef.RG 0.89 %
7 Trojan.Sirefef.HU 0.78 %
8 Exploit.CVE-2011-3402.Gen 0.70 %
9 Win32:Sirefef-AO [Rtk] 0.64 %
10 Adware.Agent.NPO 0.31 %

Total percentage of the Top10: 23.41 %

Rank Name Percentage
1 Win32:DNSChanger-VJ [Trj] 8.56 %

Win32:DNSChanger-VJ [Trj] is part of a rootkit. It tries to protect other malware components, for example by blocking access to update sites for security updates and signature updates. Any access to these hosts is resolved to "localhost", which effectively makes them unreachable. It is called DNSChanger because it manipulates DNS resolution.

Its task is to manipulate search engine results in web browsers to lead users to click on the manipulated results and therefore generate money for the attackers (pay per click ads). This file was usually dropped in “%Windows%\Installer\{GUID}\U\” as "80000032.@". It monitors Internet traffic and hijacks the browser session in case it encounters one of several predefined URLs.

Win32:ZAccess-PB [Trj] is a detection for the 32 bit and 64 bit DLL file components of the Sirefef/ZeroAccess malware family. Its main goal is to manipulate search engine results in web browsers to lead users to click on the manipulated results and therefore generate money for the attackers (pay per click ads).

PHP:FakeExt-A [Trj] is a detection for a JavaScript that is loaded by a specially crafted Google Chrome browser extension. The browser extension disguises itself as a video player (an .exe file) which the user is asked to download and install.
The main intention of the browser extension is, once installed, the increase of Facebook 'likes' for predefined Facebook user accounts and Facebook pages by injecting a script into Facebook every time a browser tab with the URL facebook.com opens.

This detection belongs to the Sirefef Trojan family's rootkit component. It copies its own .dll with variable names into the Windows system folder (/WINDOWS/system32). Furthermore, it performs several other system modifications to disguise the Sirefef Trojan malware. Its main intention is to manipulate search engine results in web browsers to lead users to click on the manipulated results and therefore generate money for the attackers (pay per click ads).

This Trojan pretends to be a normal .wma audio file, albeit one that can only be played after installing a special codec/decoder on Windows systems. If a user executes the file, the attacker can install all kinds of malicious code on the system. The infected audio files are primarily spread via file sharing networks.

Generic.JS.Crypt1.C14787EE is a JavaScript which is able to load different images from different sites, depending on time. As it isn't obfuscated at all, it looks like an ordinary advertisement script to show ads. But it might also be used to generate artificial clicks to harvest money in a pay-per-click advertising system.

This detection belongs to the Sirefef Trojan family's rootkit component. The detected file is usually named "800000cb.@" and can be found in different locations of the operating system. It identifies and manipulates the installed web browser to change search engine results. Its main intention is to lead users to click on these manipulated results and therefore generate money for the attackers (pay per click ads).

This detection belongs to the Sirefef Trojan family's rootkit component. These module files are usually dropped in “%Windows%\Installer\{GUID}\U\” as 80000000.@. They modify or add the registry entry “\CLSID\{GUID}\InprocServer32” to be loaded after boot-up. These modules check the internet connection by accessing www.google.com. Their main intention is to manipulate search engine results in web browsers to lead users to click on the manipulated results and therefore generate money for the attackers (pay per click ads).

Trojan.Iframe.BMY describes an invisible Iframe which points to a .php file (counter.php) on a remote server. Attackers insert this Iframe at the end of HTML documents. The .php file can be prepared by the attackers to perform malicious activities.

2 Gen:Variant.Kazy.138843 2.38 %
3 Win32:ZAccess-PB [Trj] 2.19 %
4 PHP:FakeExt-A [Trj] 2.07 %
5 Win64:Sirefef-A [Trj] 1.98 %
6 Trojan.Wimad.Gen.1 1.97 %
7 Generic.JS.Crypt1.C14787EE 1.55 %
8 Win32:Sirefef-AO [Rtk] 1.06 %
9 Trojan.Sirefef.RG 0.89 %
10 Trojan.Iframe.BMY 0.76 %

Total percentage of the Top10: 19.28 %

Rank Name Percentage
1 Win32:DNSChanger-VJ [Trj] 8.67 %

Win32:DNSChanger-VJ [Trj] is part of a rootkit. It tries to protect other malware components, for example by blocking access to update sites for security updates and signature updates. Any access to these hosts is resolved to "localhost", which effectively makes them unreachable. It is called DNSChanger because it manipulates DNS resolution.

This Trojan pretends to be a normal .wma audio file, albeit one that can only be played after installing a special codec/decoder on Windows systems. If a user executes the file, the attacker can install all kinds of malicious code on the system. The infected audio files are primarily spread via file sharing networks.

This detection belongs to the Sirefef Trojan family's rootkit component. It copies its own .dll with variable names into the Windows system folder (/WINDOWS/system32). Furthermore, it performs several other system modifications to disguise the Sirefef Trojan malware. Its main intention is to manipulate search engine results in web browsers to lead users to click on the manipulated results and therefore generate money for the attackers (pay per click ads).

This generic detection triggers if files try to exploit the security vulnerability described in CVE-2011-3402. Possible file types showing this behaviour: Specially crafted Microsoft Word documents or specially crafted font files.
The infected file's aim is to exploit the security vulnerability to perform further malicious action on the victim computer - e.g. downloading and executing any other malware.

Generic.JS.Crypt1.C14787EE is a JavaScript which is able to load different images from different sites, depending on time. As it isn't obfuscated at all, it looks like an ordinary advertisement script to show ads. But it might also be used to generate artificial clicks to harvest money in a pay-per-click advertising system.

Its task is to manipulate search engine results in web browsers to lead users to click on the manipulated results and therefore generate money for the attackers (pay per click ads). This file was usually dropped in “%Windows%\Installer\{GUID}\U\” as "80000032.@". It monitors Internet traffic and hijacks the browser session in case it encounters one of several predefined URLs.

This detection belongs to the category of potentially unwanted programs (PUP) and comes in free software packages from programs such as Windows Live Mail, MySQL, etc., which are downloaded from sources other than the provider. Those software packages often come bundled with extras the user potentially does not want to have, such as a toolbar or a function to change the browser start page or similar. In this current case, the software wants to install a Babylon toolbar and Babylon can also be set as browser startpage and default search engine.

This detection belongs to the Sirefef Trojan family's rootkit component. These module files are usually dropped in “%Windows%\Installer\{GUID}\U\” as 80000000.@. They modify or add the registry entry “\CLSID\{GUID}\InprocServer32” to be loaded after boot-up. These modules check the internet connection by accessing www.google.com. Their main intention is to manipulate search engine results in web browsers to lead users to click on the manipulated results and therefore generate money for the attackers (pay per click ads).

This detection belongs to the category of potentially unwanted programs (PUP). In this current case, the detection matches browser plugins for Firefox, IE and Chrome which e.g. suppress the "message seen" functionality in Facebook. The plugins may change the browser's start page and also change the default search engine - both explained in the EULA.

This malicious software program is a worm that spreads using the autorun.inf feature on Windows operating systems. It uses removable media, such as USB flash drives or external hard drives. It is an Internet and network worm that exploits the CVE-2008-4250 vulnerability in Windows.

2 Trojan.Wimad.Gen.1 2.37 %
3 Win64:Sirefef-A [Trj] 2.14 %
4 Exploit.CVE-2011-3402.Gen 1.59 %
5 Generic.JS.Crypt1.C14787EE 0.99 %
6 Gen:Variant.Kazy.138843 0.81 %
7 Gen:Variant.Adware.Solimba.1 0.77 %
8 Trojan.Sirefef.RG 0.75 %
9 Adware.Agent.NNP 0.62 %
10 Worm.Autorun.VHG 0.57 %

Total percentage of the Top10: 17.32 %

Rank Name Percentage
1 Win32:DNSChanger-VJ [Trj] 9.45 %

Win32:DNSChanger-VJ [Trj] is part of a rootkit. It tries to protect other malware components, for example by blocking access to update sites for security updates and signature updates. Any access to these hosts is resolved to "localhost", which effectively makes them unreachable. It is called DNSChanger because it manipulates DNS resolution.

This detection belongs to the Sirefef Trojan family's rootkit component. It copies its own .dll with variable names into the Windows system folder (/WINDOWS/system32). Furthermore, it performs several other system modifications to disguise the Sirefef Trojan malware. Its main intention is to manipulate search engine results in web browsers to lead users to click on the manipulated results and therefore generate money for the attackers (pay per click ads).

This generic detection triggers if files try to exploit the security vulnerability described in CVE-2011-3402. Possible file types showing this behaviour: Specially crafted Microsoft Word documents or specially crafted font files.
The infected file's aim is to exploit the security vulnerability to perform further malicious action on the victim computer - e.g. downloading and executing any other malware.

This detection belongs to the category of potentially unwanted programs (PUP) and comes in free software packages from programs such as Windows Live Mail, MySQL, etc., which are downloaded from sources other than the provider. Those software packages often come bundled with extras the user potentially does not want to have, such as a toolbar or a function to change the browser start page or similar. In this current case, the software wants to install a Babylon toolbar and Babylon can also be set as browser startpage and default search engine.

Generic.JS.Crypt1.C14787EE is a JavaScript which is able to load different images from different sites, depending on time. As it isn't obfuscated at all, it looks like an ordinary advertisement script to show ads. But it might also be used to generate artificial clicks to harvest money in a pay-per-click advertising system.

This detection belongs to the Sirefef Trojan family's rootkit component and refers to a file named "80000032.@" which is usually located at "%Windows%\Installer\{GUID}\U\" or "%Recycler%/{GUID}/U". This 32 bit dll module terminates processes, downloads files, tries to connect to set URLs/IPs and monitors the Internet traffic. It identifies and manipulates the installed web browser. Thereby it can manipulate search engine results in web browsers to lead users to click on the manipulated results and therefore generate money for the attackers (pay per click ads).

This detection refers to the "Cool Exploit Pack", which belongs to the group of exploit kits. The purpose of these kits is to generate websites that attack Internet surfers in a drive-by-download manner.
To do so, the website identifies the victim's installed browser plugins to find ones known to be vulnerable and then delivers a matching exploit. Subsequently, the victim is infected with additional malware, e.g. ransomware, without any further user interaction.
Currently, the "Cool Exploit Pack" tries to exploit the following vulnerabilities: CVE-2006-0003, CVE-2010-0188, CVE-2011-3402, CVE-2012-0507, CVE-2012-1723, CVE-2012-4681.

This malicious software program is a worm that spreads using the autorun.inf feature on Windows operating systems. It uses removable media, such as USB flash drives or external hard drives. It is an Internet and network worm that exploits the CVE-2008-4250 vulnerability in Windows.

This detection refers to the "Cool Exploit Pack", which belongs to the group of exploit kits. The purpose of these kits is to generate websites that attack Internet surfers in a drive-by-download manner.
To do so, the website identifies the victim's installed browser plugins to find ones known to be vulnerable and then delivers a matching exploit. Subsequently, the victim is infected with additional malware, e.g. ransomware, without any further user interaction.
Currently, the "Cool Exploit Pack" tries to exploit the following vulnerabilities: CVE-2006-0003, CVE-2010-0188, CVE-2011-3402, CVE-2012-0507, CVE-2012-1723, CVE-2012-4681.

This detection belongs to the category of potentially unwanted programs (PUP).
It is a group of programs such as PC Performer, Video Performer, Application Manager and others. Those programs are often installed (unintentionally) as a bundle with other software.
The problem: The desired software is not loaded directly from the manufacturer, but from third-party download portals, which often bundle it with potentially unwanted functions, such as a toolbar or a function to change the browser start page or similar.

2 Win64:Sirefef-A [Trj] 1.68 %
3 Exploit.CVE-2011-3402.Gen 1.25 %
4 Gen:Variant.Adware.Solimba.1 1.18 %
5 Generic.JS.Crypt1.C14787EE 1.06 %
6 Win32:Sirefef-AOO [Trj] 0.74 %
7 JS:CoolEK-B [Expl] 0.55 %
8 Worm.Autorun.VHG 0.52 %
9 JS:CoolEK-C [Expl] 0.47 %
10 Trojan.BHO.BProtector.A 0.42 %

Total percentage of the Top10: 20.04 %

Rank Name Percentage
1 Win32:DNSChanger-VJ [Trj] 9.51 %

Win32:DNSChanger-VJ [Trj] is part of a rootkit. It tries to protect other malware components, for example by blocking access to update sites for security updates and signature updates. Any access to these hosts is resolved to "localhost", which effectively makes them unreachable. It is called DNSChanger because it manipulates DNS resolution.

This detection refers to a malicious Flash file, containing pornographic content for example. This Flash file is integrated into a website and adds an invisible iframe to this site on execution. Thereby the content of other, mostly malicious websites can be integrated into the originally requested website.

This generic detection triggers if files try to exploit the security vulnerability described in CVE-2011-3402. Possible file types showing this behaviour: Specially crafted Microsoft Word documents or specially crafted font files.
The infected file's aim is to exploit the security vulnerability to perform further malicious action on the victim computer - e.g. downloading and executing any other malware.

This detection belongs to the Sirefef Trojan family's rootkit component. It copies its own .dll with variable names into the Windows system folder (/WINDOWS/system32). Furthermore, it performs several other system modifications to disguise the Sirefef Trojan malware. Its main intention is to manipulate search engine results in web browsers to lead users to click on the manipulated results and therefore generate money for the attackers (pay per click ads).

This detection belongs to the category of potentially unwanted programs (PUP) and comes in free software packages from programs such as Windows Live Mail, MySQL, etc., which are downloaded from sources other than the provider. Those software packages often come bundled with extras the user potentially does not want to have, such as a toolbar or a function to change the browser start page or similar. In this current case, the software wants to install a Babylon toolbar and Babylon can also be set as browser startpage and default search engine.

This detection belongs to the Sirefef Trojan family's rootkit component and refers to a file named "80000032.@" which is usually located at "%Windows%\Installer\{GUID}\U\" or "%Recycler%/{GUID}/U". This 32 bit dll module terminates processes, downloads files, tries to connect to set URLs/IPs and monitors the Internet traffic. It identifies and manipulates the installed web browser. Thereby it can manipulate search engine results in web browsers to lead users to click on the manipulated results and therefore generate money for the attackers (pay per click ads).

This detection belongs to the category of potentially unwanted programs (PUP).
It is a group of programs such as PC Performer, Video Performer, Application Manager and others. Those programs are often installed (unintentionally) as a bundle with other software.
The problem: The desired software is not loaded directly from the manufacturer, but from third-party download portals, which often bundle it with potentially unwanted functions, such as a toolbar or a function to change the browser start page or similar.

This detection belongs to a Sirefef Trojan component, a dll, and refers to a file named "000000??@" which is usually located at “%Windir%\Installer\U\{GUID}\”. It contains no executable code but an embedded bitcoin miner. With such a miner, the attacker can misuse the infected machine and its performance power to collect/to mine this digital currency online.

This exploit uses a faulty verification of .lnk and .pif files in the processing of Windows shortcuts and has been known as CVE-2010-2568 since mid-2011. As soon as a manipulated version of these files is opened in Windows, to display the included icon in Windows Explorer, the attacker's code is executed immediately. This code can be loaded from a local file system (e.g. from a removable storage device that also hosts the manipulated .lnk file) or via a WebDAV share over the Internet.

This malicious software program is a worm that spreads using the autorun.inf feature on Windows operating systems. It uses removable media, such as USB flash drives or external hard drives. It is an Internet and network worm that exploits the CVE-2008-4250 vulnerability in Windows.

2 SWF:Iframe-D [Trj] 2.19 %
3 Exploit.CVE-2011-3402.Gen 1.93 %
4 Win64:Sirefef-A [Trj] 1.44 %
5 Gen:Variant.Adware.Solimba.1 1.32 %
6 Win32:Sirefef-AOO [Trj] 1.21 %
7 Trojan.BHO.BProtector.A 0.91 %
8 Trojan.Sirefef.HU 0.55 %
9 Exploit.CplLnk.Gen 0.52 %
10 Worm.Autorun.VHG 0.46 %

Total percentage of the Top10: 19.0 %

Rank Name Percentage
1 Win32:DNSChanger-VJ [Trj] 9.00 %

Win32:DNSChanger-VJ [Trj] is part of a rootkit. It tries to protect other malware components, for example by blocking access to update sites for security updates and signature updates. Any access to the website hosts will be resolved to "localhost", which effectively makes them unreachable. That is why it is called DNSChanger: it manipulates DNS resolutions.

This Trojan pretends to be a normal .wma audio file, albeit one that can only be played after installing a special codec/decoder on Windows systems. If a user executes the file, the attacker can install all kinds of malicious code on the system. The infected audio files are primarily spread via file sharing networks.

This generic detection triggers if files try to exploit the security vulnerability described in CVE-2011-3402. Possible file types showing this behaviour: specially crafted Microsoft Word documents or specially crafted font files.
The infected file's aim is to exploit the security vulnerability to perform further malicious actions on the victim computer, e.g. downloading and executing other malware.

This detection belongs to the Sirefef Trojan family's rootkit component. It copies its own .dll with variable names into the Windows system folder (/WINDOWS/system32). Furthermore, it performs several other system modifications to disguise the Sirefef Trojan malware. Its main intention is to manipulate search engine results in web browsers to lead users to click on the manipulated results and therefore generate money for the attackers (pay per click ads).

This detection belongs to a Sirefef Trojan component, a dll, and refers to a file named "000000??@" which is usually located at “%Windir%\Installer\U\{GUID}\”. It contains no executable code but an embedded bitcoin miner. With such a miner, the attacker can misuse the infected machine and its performance power to collect/to mine this digital currency online.

This exploit uses a faulty verification of .lnk and .pif files in the processing of Windows shortcuts and has been known as CVE-2010-2568 since mid-2011. As soon as a manipulated version of these files is opened in Windows to display the included icon in Windows Explorer, the attacker's code is executed immediately. This code can be loaded from a local file system (e.g. from a removable storage device that also hosts the manipulated .lnk file) or via a WebDAV share over the Internet.

This detection belongs to the category of potentially unwanted programs (PUP).
It is a group of programs such as PC Performer, Video Performer, Application Manager and others. Those programs are often installed (unintentionally) as a bundle with other software.
The problem: the desired software is not loaded directly from the manufacturer but from third-party download portals, which often bundle it with potentially unwanted functions, such as a toolbar or a function to change the browser start page or similar.

Win32:Agent-AQOG [Trj] belongs to the group of spyware and particularly aims at passwords. The malware is placed on the infected PC as Firefox plugin (XPCOM) and tries to intercept the login procedure on websites and to send the stolen data to the attackers afterwards.
The following websites are targets of the current threat: gmx.de, web.de, freenet.de, 1und1.de, aol.com, arcor.de, google.com, live.com and also yahoo.com.

This detection belongs to the Sirefef Trojan family's rootkit component for 64 bit operating systems. The Trojan drops a file named "00000004.@" at "%Windir%\Installer\U\{GUID}\" or "%Userdir%/%user%/AppData/Local/{GUID}/U" on the infected system. This file contains resource data which can be used by other components of the Sirefef Trojan.

This malicious software program is a worm that spreads using the autorun.inf feature on Windows operating systems. It uses removable media, such as USB flash drives or external hard drives. It is an Internet and network worm that exploits the CVE-2008-4250 vulnerability in Windows.

2 Trojan.Wimad.Gen.1 2.67 %
3 Exploit.CVE-2011-3402.Gen 2.05 %
4 Win64:Sirefef-A [Trj] 1.42 %
5 Trojan.Sirefef.HU 0.90 %
6 Exploit.CplLnk.Gen 0.87 %
7 Trojan.BHO.BProtector.A 0.62 %
8 Win32:Agent-AQOG [Trj] 0.55 %
9 Trojan.Sirefef.GY 0.47 %
10 Worm.Autorun.VHG 0.45 %

Methodology

The Malware Information Initiative (MII) relies on the power of the online community and any customer that purchases a G Data security solution can take part in this initiative. The prerequisite for this is that they must have activated this function in their G Data program. If a computer malware attack is fended off, a completely anonymous report of this event is sent to G Data SecurityLabs. The data about the malware is collected and statistically assessed by G Data SecurityLabs.

Total percentage of the Top10: 22.86 %

Rank Name Percentage Malware distribution by percentage within the Top10
1 Win32:DNSChanger-VJ [Trj] 10.24 %

Win32:DNSChanger-VJ [Trj] is part of a rootkit. It tries to protect other malware components, for example by blocking access to update sites for security updates and signature updates. Any access to the website hosts will be resolved to "localhost", which effectively makes them unreachable. That is why it is called DNSChanger: it manipulates DNS resolutions.

This Trojan pretends to be a normal .wma audio file, albeit one that can only be played after installing a special codec/decoder on Windows systems. If a user executes the file, the attacker can install all kinds of malicious code on the system. The infected audio files are primarily spread via file sharing networks.

This 32 bit dll file is one of the components of Sirefef malware. Its task is to manipulate search engine results in web browsers to lead users to click on the manipulated results and therefore generate money for the attackers (pay per click ads). This file was usually dropped in “%Windows%\Installer\{GUID}\U\” as "80000032.@". It monitors Internet traffic and hijacks the browser session in case it encounters one of several predefined URLs.

This detection belongs to a Sirefef Trojan component, a dll, and refers to a file named "000000??@" which is usually located at “%Windir%\Installer\U\{GUID}\”. It contains no executable code but an embedded bitcoin miner. With such a miner, the attacker can misuse the infected machine and its performance power to collect/to mine this digital currency online.

This detection belongs to the Sirefef Trojan family's rootkit component. It copies its own .dll with variable names into the Windows system folder (/WINDOWS/system32). Furthermore, it performs several other system modifications to disguise the Sirefef Trojan malware. Its main intention is to manipulate search engine results in web browsers to lead users to click on the manipulated results and therefore generate money for the attackers (pay per click ads).

This 32/64 bit dll file is one of the components of Sirefef malware. Its task is to manipulate search engine results in web browsers to lead users to click on the manipulated results and therefore generate money for the attackers (pay per click ads). These files are usually dropped in “%Windows%\Installer\{GUID}\U\” as "80000032.@". It monitors Internet traffic and hijacks the browser session in case it encounters one of several predefined URLs.

This detection describes specially crafted PDF files that try to harm the user. The PDF is prepared to exploit a bug in Libtiff (CVE-2010-0188). All PDFs found with this detection try to connect the victim's PC to a remote URL to download a file from there and execute it.

This detection belongs to the Sirefef Trojan family's rootkit component for 64 bit operating systems. The detected file is usually named "800000cb.@" and can be found under “%Windows%\Installer\U\{GUID}”. This component monitors system processes like "svchost.exe" and is capable of injecting malicious code into these. Furthermore, this component uses anti-debugging techniques to make an analysis more complicated.

This generic detection triggers if files try to exploit the security vulnerability described in CVE-2011-3402. Possible file types showing this behaviour: specially crafted Microsoft Word documents or specially crafted font files.
The infected file's aim is to exploit the security vulnerability to perform further malicious actions on the victim computer, e.g. downloading and executing other malware.

This detection belongs to the Sirefef Trojan family's rootkit component. This module file is used for ad-click fraud or other purposes. The file is usually dropped in “%Windows%\Installer\{GUID}\U\” as 80000000.@. It also modifies or adds the registry entry “\CLSID\{GUID}\InprocServer32” so that it is loaded after boot-up.
The module checks the Internet connection by accessing google.com, then tries to connect to another URL, which is flagged as malicious.
But its main intention is to manipulate search engine results in web browsers to lead users to click on the manipulated results and therefore generate money for the attackers (pay per click ads).

2 Trojan.Wimad.Gen.1 2.82 %
3 Win32:ZAccess-JC [Trj] 2.12 %
4 Trojan.Sirefef.HU 1.63 %
5 Win64:Sirefef-A [Trj] 1.58 %
6 Rootkit.ZAccess.D 1.32 %
7 Exploit.PDF-JS.GW 0.93 %
8 Trojan.Sirefef.HH 0.86 %
9 Exploit.CVE-2011-3402.Gen 0.70 %
10 Trojan.Sirefef.JD 0.66 %

Methodology

The Malware Information Initiative (MII) relies on the power of the online community and any customer that purchases a G Data security solution can take part in this initiative. The prerequisite for this is that they must have activated this function in their G Data program. If a computer malware attack is fended off, a completely anonymous report of this event is sent to G Data SecurityLabs. The data about the malware is collected and statistically assessed by G Data SecurityLabs.

Total percentage of the Top10: 25.34 %

Rank Name Percentage Malware distribution by percentage within the Top10
1 Win32:DNSChanger-VJ [Trj] 11.81 %

Win32:DNSChanger-VJ [Trj] is part of a rootkit. It tries to protect other malware components, for example by blocking access to update sites for security updates and signature updates. Any access to the website hosts will be resolved to "localhost", which effectively makes them unreachable. That is why it is called DNSChanger: it manipulates DNS resolutions.

This Trojan pretends to be a normal .wma audio file, albeit one that can only be played after installing a special codec/decoder on Windows systems. If a user executes the file, the attacker can install all kinds of malicious code on the system. The infected audio files are primarily spread via file sharing networks.

This detection belongs to a Sirefef Trojan component, a dll, and refers to a file named "000000??@" which is usually located at “%Windir%\Installer\U\{GUID}\”. It contains no executable code but an embedded bitcoin miner. With such a miner, the attacker can misuse the infected machine and its performance power to collect/to mine this digital currency online.

This detection belongs to the Sirefef Trojan family's rootkit component. It copies its own .dll with variable names into the Windows system folder (/WINDOWS/system32). Furthermore, it performs several other system modifications to disguise the Sirefef Trojan malware. Its main intention is to manipulate search engine results in web browsers to lead users to click on the manipulated results and therefore generate money for the attackers (pay per click ads).

This is an encrypted JavaScript loaded on a website with adult content. The JavaScript injects an IFRAME into the website which points to a .php file on a remote server. This .php file steals Facebook user session tokens and sets cookies to preserve the hijacked state. Having access to the Facebook account, the malware posts a message onto the infected user's wall: "Krist*n St€wart Was T*ap*d Dr*onk & Hav1ng S*ex!" with a shortened URL that should lure other Facebook users to click.

This 32 bit dll file is one of the components of Sirefef malware. Its task is to manipulate search engine results in web browsers to lead users to click on the manipulated results and therefore generate money for the attackers (pay per click ads). This file was usually dropped in “%Windows%\Installer\{GUID}\U\” as "80000032.@". It monitors Internet traffic and hijacks the browser session in case it encounters one of several predefined URLs.

This 32 bit dll file is one of the components of Sirefef malware. Its task is to manipulate search engine results in web browsers to lead users to click on the manipulated results and therefore generate money for the attackers (pay per click ads). This file was usually dropped in “%Windows%\Installer\{GUID}\U\” as "80000032.@". It monitors Internet traffic and hijacks the browser session in case it encounters one of several predefined URLs.

This detection belongs to the Sirefef Trojan family's rootkit component for 64 bit operating systems. The detected file is usually named "800000cb.@" and can be found under “%Windows%\Installer\U\{GUID}”. This component monitors system processes like "svchost.exe" and is capable of injecting malicious code into these. Furthermore, this component uses anti-debugging techniques to make an analysis more complicated.

This detection belongs to a Sirefef Trojan component, a dll. It contains no executable code but an embedded bitcoin miner. With such a miner, the attacker can misuse the infected machine and its performance power to collect/to mine this digital currency online.
The DLL file is usually dropped in “%Windir%\Installer\U\{GUID}\” as “000000??@”.

This detection belongs to the Sirefef Trojan family's rootkit component for 64 bit operating systems. The Trojan drops a file named "00000004.@" at "%Windir%\Installer\U\{GUID}\" or "%Userdir%/%user%/AppData/Local/{GUID}/U" on the infected system. This file contains resource data which can be used by other components of the Sirefef Trojan.

2 Trojan.Wimad.Gen.1 3.48 %
3 Trojan.Sirefef.HU 1.79 %
4 Win64:Sirefef-A [Trj] 1.73 %
5 JS:Iframe-KV [Trj] 1.64 %
6 Win32:ZAccess-IJ [Trj] 1.46 %
7 Win32:ZAccess-JC [Trj] 1.09 %
8 Trojan.Sirefef.HH 0.86 %
9 Trojan.Sirefef.JZ 0.79 %
10 Trojan.Sirefef.GY 0.69 %

Methodology

The Malware Information Initiative (MII) relies on the power of the online community and any customer that purchases a G Data security solution can take part in this initiative. The prerequisite for this is that they must have activated this function in their G Data program. If a computer malware attack is fended off, a completely anonymous report of this event is sent to G Data SecurityLabs. The data about the malware is collected and statistically assessed by G Data SecurityLabs.

Total percentage of the Top10: 25.36 %

Rank Name Percentage Malware distribution by percentage within the Top10
1 Win32:DNSChanger-VJ [Trj] 9.16 %

Win32:DNSChanger-VJ [Trj] is part of a rootkit. It tries to protect other malware components, for example by blocking access to update sites for security updates and signature updates. Any access to the website hosts will be resolved to "localhost", which effectively makes them unreachable. That is why it is called DNSChanger: it manipulates DNS resolutions.

This Trojan pretends to be a normal .wma audio file, albeit one that can only be played after installing a special codec/decoder on Windows systems. If a user executes the file, the attacker can install all kinds of malicious code on the system. The infected audio files are primarily spread via file sharing networks.

This detection belongs to the Sirefef Trojan family's rootkit component. It copies its own .dll with variable names into the Windows system folder (/WINDOWS/system32). Furthermore, it performs several other system modifications to disguise the Sirefef Trojan malware. Its main intention is to manipulate search engine results in web browsers to lead users to click on the manipulated results and therefore generate money for the attackers (pay per click ads).

This detection belongs to a Sirefef Trojan component, a dll, and refers to a file named "000000??@" which is usually located at “%Windir%\Installer\U\{GUID}\”. It contains no executable code but an embedded bitcoin miner. With such a miner, the attacker can misuse the infected machine and its performance power to collect/to mine this digital currency online.

This detection belongs to the Sirefef Trojan family's rootkit component for 64 bit operating systems. The detected file is usually named "800000cb.@" and can be found under “%Windows%\Installer\U\{GUID}”. This component monitors system processes like "svchost.exe" and is capable of injecting malicious code into these. Furthermore, this component uses anti-debugging techniques to make an analysis more complicated.

This 32-bit dll file is one of the components of Sirefef malware. Its main task is to manipulate search engine results in web browsers to lead users to click on the manipulated results and therefore generate money for the attackers (pay per click ads). It monitors Internet traffic and hijacks the browser session in case it encounters one of several predefined URLs.
This file is usually dropped in “%Windows%\Installer\{GUID}\U\” as "80000032.@".

This detection belongs to the Sirefef Trojan family's rootkit component and refers to a file named "80000032.@" which is usually located at “%Windows%\Installer\{GUID}\U\”. This 32 bit dll module terminates processes, downloads files, tries to connect to predefined URLs/IPs and monitors the Internet traffic. It identifies and manipulates the installed web browser. It can thereby manipulate search engine results in web browsers to lead users to click on the manipulated results and therefore generate money for the attackers (pay per click ads).

This detection belongs to the category of potentially unwanted programs (PUP) and comes in free software packages from programs such as FLV Player, PDF Reader, etc., which are downloaded from sources other than the provider. Those software packages often come bundled with extras the user potentially does not want to have, such as a toolbar or a function to change the browser start page or similar. In this current case, the software wants to install a toolbar.

This detection belongs to the Sirefef Trojan family's rootkit component for 64 bit operating systems. The Trojan drops a file named "00000004.@" at "%Windir%\Installer\U\{GUID}\" or "%Userdir%/%user%/AppData/Local/{GUID}/U" on the infected system. This file contains resource data which can be used by other components of the Sirefef Trojan.

This detection belongs to a Sirefef Trojan component, a dll. It contains no executable code but an embedded bitcoin miner. With such a miner, the attacker can misuse the infected machine and its performance power to collect/to mine this digital currency online.

2 Trojan.Wimad.Gen.1 3.43 %
3 Win64:Sirefef-A [Trj] 2.48 %
4 Trojan.Sirefef.HU 1.69 %
5 Trojan.Sirefef.HH 1.63 %
6 Win32:Sirefef-AHF [Trj] 1.60 %
7 Trojan.Sirefef.HK 1.51 %
8 Gen:Variant.Application.InstallCore.13 1.44 %
9 Trojan.Sirefef.GY 1.38 %
10 Trojan.Sirefef.JC 1.04 %

Methodology

The Malware Information Initiative (MII) relies on the power of the online community and any customer that purchases a G Data security solution can take part in this initiative. The prerequisite for this is that they must have activated this function in their G Data program. If a computer malware attack is fended off, a completely anonymous report of this event is sent to G Data SecurityLabs. The data about the malware is collected and statistically assessed by G Data SecurityLabs.

Total percentage of the Top10: 23.38 %

Rank Name Percentage Malware distribution by percentage within the Top10
1 Win32:DNSChanger-VJ [Trj] 6.03 %

Win32:DNSChanger-VJ [Trj] is part of a rootkit. It tries to protect other malware components, for example by blocking access to update sites for security updates and signature updates. Any access to the website hosts will be resolved to "localhost", which effectively makes them unreachable. That is why it is called DNSChanger: it manipulates DNS resolutions.

This detection belongs to the Sirefef Trojan family's rootkit component. It copies its own .dll with variable names into the Windows system folder (/WINDOWS/system32). Furthermore, it performs several other system modifications to disguise the Sirefef Trojan malware. Its main intention is to manipulate search engine results in web browsers to lead users to click on the manipulated results and therefore generate money for the attackers (pay per click ads).

This detection belongs to the Sirefef Trojan family's rootkit component for 64 bit operating systems. The Trojan drops a file named "00000004.@" at "%Windir%\Installer\U\{GUID}\" or "%Userdir%/%user%/AppData/Local/{GUID}/U" on the infected system. This file contains resource data which can be used by other components of the Sirefef Trojan.

This detection belongs to the Sirefef Trojan family's rootkit component. The 64 bit dll module file terminates processes, downloads files and tries to connect itself to set URLs/IPs and monitors the Internet traffic. Its main intention is to manipulate search engine results in web browsers to lead users to click on the manipulated results and therefore generate money for the attackers (pay per click ads).

This detection belongs to the Sirefef Trojan family's rootkit component and refers to a file named "80000032.@" which is usually located at “%Windows%\Installer\{GUID}\U\”. This 32 bit dll module terminates processes, downloads files, tries to connect to predefined URLs/IPs and monitors the Internet traffic. It identifies and manipulates the installed web browser. It can thereby manipulate search engine results in web browsers to lead users to click on the manipulated results and therefore generate money for the attackers (pay per click ads).

This detection belongs to the Sirefef Trojan family's rootkit component for 64 bit operating systems. The detected file is usually named "800000cb.@" and can be found under “%Windows%\Installer\U\{GUID}”. This component monitors system processes like "svchost.exe" and is capable of injecting malicious code into these. Furthermore, this component uses anti-debugging techniques to make an analysis more complicated.

This detection belongs to one of the Sirefef Trojan family's rootkit components. Depending on the operating system's version, the file is named "80000032.@" or "80000064.@" and can be found under “%Windows%\Installer\{GUID}\U\”. This dll module terminates processes, downloads files, tries to connect to predefined URLs/IPs and monitors the Internet traffic.
It identifies and manipulates the web browser of the infected operating system. Search engine results are thereby manipulated to lead users to click on these results and therefore generate money for the attackers (pay per click ads).

Generic.JS.Crypt1.C14787EE is a JavaScript which is able to load different images from different sites, depending on time. As it isn't obfuscated at all, it looks like an ordinary advertisement script to show ads. But it might also be used to generate artificial clicks to harvest money in a pay-per-click advertising system.

This detection belongs to the Sirefef Trojan family's rootkit component. The detected file is usually named "800000cb.@" and can be found in different locations of the operating system. It identifies and manipulates the installed web browser to change search engine results. Its main intention is to lead users to click on these manipulated results and therefore generate money for the attackers (pay per click ads).

This is an encrypted JavaScript loaded on a website with adult content. The JavaScript injects an IFRAME into the website which points to a .php file on a remote server. This .php file steals Facebook user session tokens and sets cookies to preserve the hijacked state. Having access to the Facebook account, the malware posts a message onto the infected user's wall: "Krist*n St€wart Was T*ap*d Dr*onk & Hav1ng S*ex!" with a shortened URL that should lure other Facebook users to click.

2 Win64:Sirefef-A [Trj] 3.24 %
3 Trojan.Sirefef.GY 3.16 %
4 Trojan.Sirefef.GA 2.13 %
5 Trojan.Sirefef.HK 1.86 %
6 Trojan.Sirefef.HH 1.76 %
7 Win32:Atraps-PF [Trj] 1.63 %
8 Generic.JS.Crypt1.C14787EE 1.37 %
9 Win32:Sirefef-AO [Rtk] 1.21 %
10 JS:Iframe-KV [Trj] 0.99 %

Methodology

The Malware Information Initiative (MII) relies on the power of the online community and any customer that purchases a G Data security solution can take part in this initiative. The prerequisite for this is that they must have activated this function in their G Data program. If a computer malware attack is fended off, a completely anonymous report of this event is sent to G Data SecurityLabs. The data about the malware is collected and statistically assessed by G Data SecurityLabs.