is a component of Win64/Sirefef - a multi-component family of malware that moderates your Internet experience by modifying search results, and generates pay-per-click advertising revenue for its controllers. The family consists of multiple parts that perform different functions, such as downloading updates and additional components, hiding existing components, or performing the main payload.
It provides selected function calls for Win64/Sirefef to establish network connections.
hooks the API "WSPStartup" to enable it to run.
Replaces system APIs
replaces the following system APIs with its own malicious versions, so that calls to them run the malicious version instead:
Performs system changes
prevents the firewall from working properly by stopping the service "MpsSvc", which is a part of the firewall.
It also opens and listens on port 25700, possibly for commands from a remote attacker.
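The three host-level effects described above (the firewall service stopped, a listener on TCP port 25700, and a Winsock provider registered so that its "WSPStartup" export gets called) can each be checked from an administrative PowerShell prompt. The script below is an added triage check written for this entry; it is not part of the original analysis and not Microsoft's tooling. The port number and the service name "MpsSvc" come from the entry; the assumption that legitimate base Winsock providers live under %SystemRoot% is the author's heuristic and will also surface benign third-party LSPs, so treat hits as leads rather than verdicts. It needs PowerShell 5 or later on Windows 8 / Server 2012 or later for Get-NetTCPConnection.

```powershell
# Added defender-side triage check for the behaviours in this entry (not original content).
#   1. Windows Firewall service (MpsSvc) stopped or not set to start automatically.
#   2. A process listening on TCP port 25700.
#   3. Winsock catalog providers located outside %SystemRoot% (assumed heuristic: base
#      Windows providers ship from %SystemRoot%\system32, so other paths deserve a look).
# Run from an elevated prompt so service and connection details are fully visible.

$Findings = @()

# 1. Firewall service state. A healthy host has MpsSvc Running with StartType Automatic.
$fw = Get-Service -Name 'MpsSvc' -ErrorAction SilentlyContinue
if ($null -eq $fw) {
    $Findings += 'MpsSvc service not found (unexpected on a supported Windows build)'
} elseif ($fw.Status -ne 'Running' -or $fw.StartType -ne 'Automatic') {
    $Findings += "MpsSvc is $($fw.Status) with StartType $($fw.StartType); expected Running/Automatic"
}

# 2. Listener on the port named in the entry; resolve the owning process for triage.
$listeners = Get-NetTCPConnection -LocalPort 25700 -State Listen -ErrorAction SilentlyContinue
foreach ($conn in $listeners) {
    $proc = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
    $name = if ($proc) { $proc.ProcessName } else { 'unknown' }
    $Findings += "TCP 25700 is in LISTEN state, owned by PID $($conn.OwningProcess) ($name)"
}

# 3. Winsock catalog. 'netsh winsock show catalog' prints one 'Provider Path:' line per
# registered provider; paths may contain %SystemRoot%, so expand before comparing.
$catalog = & netsh.exe winsock show catalog 2>$null
$provPaths = $catalog | ForEach-Object {
    if ($_ -match 'Provider Path:\s*(.+)$') { $Matches[1].Trim() }
}
$sysRoot = [System.Environment]::ExpandEnvironmentVariables('%SystemRoot%').ToLower()
foreach ($p in ($provPaths | Sort-Object -Unique)) {
    $expanded = [System.Environment]::ExpandEnvironmentVariables($p).ToLower()
    if (-not $expanded.StartsWith($sysRoot)) {
        $Findings += "Winsock provider outside SystemRoot (verify publisher): $p"
    }
}

if ($Findings.Count -eq 0) {
    Write-Output 'No indicators matching this entry were found.'
} else {
    Write-Output 'Indicators found:'
    $Findings | ForEach-Object { Write-Output "  - $_" }
}
```

A stopped MpsSvc on its own is a weak signal (administrators and other security products also stop it), and a listener on 25700 should be confirmed by looking at the owning binary; the catalog check is the most specific of the three, since the component described here has to be registered as a Winsock provider for its WSPStartup hook to be reached.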
Analysis by Jim Wang
There are no common symptoms associated with this threat. Alert notifications from installed antivirus software may be the only symptoms.