Worm.Win32.Sirana

General Explanation

Type: Worm

Degree of destruction: high

Prevalence: average

Names of the malware:

  • Worm.Win32.Sirana
  • Worm.MSIL.Sirana

What is the Worm?

Computer worms such as Sirana are types of malware that are capable of reproduction. For permanence, worms set ways to maintain the infection in each system boot. The prominent feature of worms is in their distribution which is generally performed through portable drives and shared directories in the network.

What is Sirana malware?

Sirana malware is a worm type. This malware is distributed through email and by hiding itself in the format of the attached form of a subpoena from the judiciary. This malware after installation and automatic execution, logs all entered data by the user and through the keyboard, and also it is sensitive to sites and pages of Iran banks and will take images of the user clicks on these pages. In this way (even if the user does not use the secure keyboard of the site) the bank card information and also username and password will be stored in different sites by this malware and eventually will send to the malware author.

Technical Explanation

Signs of infection

This malware will be created in the portable drive [FolderName].exe (it’s the name of a directory inside the portable drive) and then will hide the main directory. So the malware will be placed in the system and WindowsHostManager.exe path.

%AppData%\Adobe

The malware will create the following files:

  • %User Profile%\Application Data\Adobe \HostService.exe
  • %User Profile%\Application Data\Adobe\Flash Player\AFCache\sysLog17-02-08.dat
  • %User Profile%\Application Data\Adobe\Flash Player\AFCache\err\.jepg

The following registry key builds into the system.

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\HostService

Two hooks of the types Wh_KEYBOARD_LL and WH_MOUS_LL are installed.

How to deal with it and disinfect the system

Strictly, it is recommended to users before opening any email attachments be sure the sender is authenticated and also use a domestic updated anti-virus.

By UMP capability which is a part of behavioral protection, Padvish can prevent the system from infection through a portable drive. Therefore, to prevent infection to all types of malware that transfer through portable drives such as Sirana malware, it is recommended to install Padvish and prevent malware from entering and infecting the system.

If your system is infected by the Sirana malware act as follows:

  1. Install Padvish on your system
  2. Connect the infected portable drive to the system
  3. Scan the portable drive by Padvish to disinfect both your system and the portable drive.

  0 people found this article useful

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>