Trojan:Win64/Sirefef.Y
First posted on 31 May 2012.
Source: Microsoft
Aliases:
Trojan:Win64/Sirefef.Y is also known as Trojan.Sirefef.FR (BitDefender), Win64/Sirefef.W (ESET), ZeroAccess (McAfee).
Explanation:
Trojan:Win64/Sirefef.Y is a component of Win64/Sirefef - a multi-component family of malware that moderates your Internet experience by modifying search results, and generates pay-per-click advertising revenue for its controllers. The family consists of multiple parts that perform different functions, such as downloading updates and additional components, hiding existing components, or performing the main payload.
This component provides selected function calls that other Win64/Sirefef components use to establish network connections.
Installation
Trojan:Win64/Sirefef.Y hooks the Winsock service provider API "WSPStartup" so that it is loaded and run whenever the system initialises a Winsock transport provider.
Payload
Replaces system APIs
Trojan:Win64/Sirefef.Y replaces the following system APIs with its own malicious versions, so that calls to them run the malicious version instead:
- AcceptEx
- GetAcceptExSockaddrs
- Getnetbyname
- Inet_network
- NSPStartup
- TransmitFile
Performs system changes
Trojan:Win64/Sirefef.Y prevents the Windows Firewall from working properly by stopping the service "MpsSvc" (Windows Firewall service).
It also opens and listens on TCP port 25700, possibly to receive commands from a remote attacker.
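The three host-observable behaviours above (MpsSvc stopped, a listener on port 25700, and a hooked Winsock provider entry point) can be triaged with a short script. The following PowerShell is an added example written for this page, not Microsoft's detection logic; it assumes PowerShell 5.1 or later with the NetTCPIP module, and treats a provider DLL that is not Microsoft-signed as suspicious rather than as a verdict.

```powershell
# Added triage example (not from the encyclopedia entry). Checks a Windows host for
# the Sirefef.Y behaviours described on this page. Run from an elevated prompt.
$findings = @()

# 1. Sirefef.Y stops MpsSvc (Windows Firewall service). Expect Running / Automatic.
$mps = Get-Service -Name 'MpsSvc' -ErrorAction SilentlyContinue
if (-not $mps) {
    $findings += 'MpsSvc service is missing'
} elseif ($mps.Status -ne 'Running' -or $mps.StartType -ne 'Automatic') {
    $findings += "MpsSvc is $($mps.Status) (StartType=$($mps.StartType)); expected Running/Automatic"
}

# 2. Sirefef.Y listens on port 25700. Report any listener and its owning process.
$listeners = Get-NetTCPConnection -LocalPort 25700 -State Listen -ErrorAction SilentlyContinue
foreach ($l in $listeners) {
    $proc = Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue
    $findings += "TCP 25700 listening: PID $($l.OwningProcess) ($($proc.ProcessName)) $($proc.Path)"
}

# 3. Sirefef.Y hooks WSPStartup (transport provider) and NSPStartup (namespace provider),
#    i.e. the Winsock SPI. Collect provider DLL paths from the transport catalog (netsh)
#    and the namespace catalog (registry LibraryPath values), then check their signatures.
$dlls = @()
$dlls += (netsh winsock show catalog) | Select-String -Pattern 'Provider Path:\s*(.+)$' |
         ForEach-Object { $_.Matches[0].Groups[1].Value.Trim() }
$nspKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5'
foreach ($sub in 'Catalog_Entries', 'Catalog_Entries64') {
    $dlls += Get-ChildItem -Path "$nspKey\$sub" -ErrorAction SilentlyContinue |
             ForEach-Object { (Get-ItemProperty $_.PSPath).LibraryPath } | Where-Object { $_ }
}
$dlls = $dlls | ForEach-Object { [Environment]::ExpandEnvironmentVariables($_) } | Sort-Object -Unique
foreach ($dll in $dlls) {
    if (-not (Test-Path $dll)) { $findings += "Winsock catalog references missing DLL: $dll"; continue }
    # Catalog-signed system DLLs may report NotSigned on older Windows; verify manually before acting.
    $sig = Get-AuthenticodeSignature -FilePath $dll
    if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
        $findings += "Winsock provider not Microsoft-signed ($($sig.Status)): $dll"
    }
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Output 'No Sirefef.Y indicators found' }
```

A hit on any check is a lead for further investigation (for example a memory or disk scan of the owning process and DLL), not proof of infection on its own.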
Analysis by Jim Wang
Last update 31 May 2012