Home / malwarePDF  

Win32/Medfos


First posted on 11 September 2012.
Source: Microsoft

Aliases :

Win32/Medfos is also known as TR/Midhos (Avira), Trojan.Win32.Midhos (Kaspersky), Win32/Medfos (ESET), Medfos (McAfee), Trojan/Win32.Midhos (AhnLab), Trojan.Win32.Medfos (Ikarus).

Explanation :



Win32/Medfos is a family of trojans that may download additional malware, install malicious extensions for Internet browsers and redirect search engine results.

In the wild, we have observed variants of Win32/Medfos being distributed by the Blacole exploit kit, bundled with Win32/Sirefef variants and downloaded by TrojanDownloader:Win32/Beebone variants.



Installation

When run, variants of Win32/Medfos copy themselves as a DLL with a random name to the %APPDATA% folder. In the wild we have observed the following file names:

  • %APPDATA%\pcpat.dll
  • %APPDATA%\tpleto.dll


Note: %APPDATA% refers to a variable location that is determined by the malware by querying the operating system. The default location for the Application Data folder for Windows 2000, XP, and 2003 is "C:\Documents and Settings\<user>\Application Data". For Windows Vista and 7, the default location is "C:\Users\<user>\AppData\Roaming".

The malware then immediately runs its copy.

If you are logged on as an administrator, Win32/Medfos modifies the following registry entry to ensure that its copy runs at each Windows start:

In subkey: HKLM\Software\Microsoft\Windows\Currentversion\Run
Sets value: "<name of DLL file>", for example "pcpat"
With data: "rundll32.exe <copied file>,<random export name>", for example "rundll32.exe pcpat.dll,AInputStream"

If you are not logged on as an administrator, the malware modifies the following registry entry to ensure that its copy runs at each Windows start:

In subkey: HKCU\Software\Microsoft\Windows\Currentversion\Run
Sets value: "<name of DLL file>", for example "pcpat"
With data: "rundll32.exe <copied file>,<random export name>", for example "rundll32.exe pcpat.dll,AInputStream"



Payload

Contacts remote host

Variants of Win32/Medfos attempt to connect to the IP address "78.140.131.158" to report infection and download additional files.

Download and installs other malware

The malware may download and run a DLL file with a random name to the %TEMP% folder, for example:

%TEMP%\bdylut.dll

Note: %TEMP% refers to a variable location that is determined by the malware by querying the operating system. The default location for the Temporary files folder for Windows 2000, XP, and 2003 is "C:\DOCUME~1\<user>\LOCALS~1\Temp". For Windows Vista and 7, the default location is "C:\Users\<user name>\AppData\Local\Temp".

This file is detected as Trojan:Win32/Medfos.B, which is a search-engine redirection component of the Win32/Medfos family.

If you are logged on as an administrator, Win32/Medfos modifies the following registry entry to ensure that the downloaded file runs at each Windows start:

In subkey: HKLM\Software\Microsoft\Windows\Currentversion\Run
Sets value: "<name of DLL file>", for example "bdylut"
With data: "rundll32.exe <%TEMP%>\<downloaded file>,<random export name>", for example "rundll32.exe C:\Users\<user name>\AppData\Local\Temp\bdylut.dll,ExceptionMatches"

If you are not logged on as an administrator, the malware modifies the following registry entry to ensure that the downloaded file runs at each Windows start:

In subkey: HKCU\Software\Microsoft\Windows\Currentversion\Run
Sets value: "<name of DLL file>", for example "bdylut"
With data: "rundll32.exe <%TEMP%>\<downloaded file>,<random export name>", for example "rundll32.exe C:\Users\<user name>\AppData\Local\Temp\bdylut.dll,ExceptionMatches"

The malware injects the downloaded file into Internet Explorer processes to enable its Internet search-redirection payload.

Win32/Medfos may install a search-engine hijack extension for Mozilla Firefox. This extension is also part of Trojan:Win32/Medfos.B, and may be detected as Trojan:JS/Medfos.A.

The extension is installed as %LOCALAPPDATA%\{<random unique identifier>}\chrome\content\browser.xul, for example %LOCALAPPDATA%\{535C840F-E52A-11E1-8270-B8AC6F996F26}\chrome\content\browser.xul

Note: %LOCALAPPDATA% refers to a variable location that is determined by the malware by querying the operating system. The default location for the Local Application Data folder for Windows 2000, XP, and 2003 is "C:\Documents and Settings\<user>\Application Data". For Windows Vista and 7, the default location is "C:\Users\<user>\AppData\Local".

In the wild we have observed the Firefox extension with the following names:

  • Mozilla Safe Browsing 2.0.14
  • Traqnslate This! 2.0


Redirects Internet search results

Win32/Medfos monitors the searches you make with the following search engines:

  • AOL
  • Ask
  • Bing
  • Google
  • Yahoo


The malware sends your search queries and their results to a remote server.

We have observed variants of Win32/Medfos connecting to the following remote servers:

  • 85.17.132.53
  • 4.clickfeedbestppc.com


When you click the search result, the malware redirects you to a URL that it has retrieved from the remote server.

You could be redirected to advertisements or to the actual search result. In the wild, we observed that search results were redirected to "googleads.l.doubleeclick.net".

Related encyclopedia entries

Blacole exploit kit

TrojanDownloader:Win32/Beebone

Win32/Sirefef

Trojan:Win32/Medfos.B

Trojan:JS/Medfos.A



Analysis by Shawn Wang

Last update 11 September 2012

 

TOP

Malware :