
Trojan:Win32/Medfos.B


First posted on 11 April 2012.
Source: Microsoft

Aliases :

Trojan:Win32/Medfos.B is also known as Trojan:JS/Medfos.B (other).

Explanation :

Trojan:Win32/Medfos.B is a trojan that redirects the web browsers Internet Explorer or Mozilla Firefox to other sites.


Installation

Trojan:Win32/Medfos.B is typically installed by variants of Win32/Medfos and is present as a DLL file in the %TEMP% folder, for example "%TEMP%\btpse.dll".

The system registry is modified to execute the trojan at each Windows start via "rundll32.exe", for example:

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "btpse"
With data: "rundll32.exe "c:\docume~1\admini~1\locals~1\temp\btpse.dll",startcompressbuffer"



Payload

Redirects Internet Explorer

When browsing the web using Internet Explorer, the trojan intercepts search queries and redirects them to another site using one of the following uniform resource identifier (URI) formats:

  • <destination domain>/feed?type=live&ua=MSIE
  • <destination domain>/feed?type=<website search>&ua=MSIE


As a result of this action, the malware may redirect the entered website address or search queries to certain pay-per-click advertising websites such as the following:

  • googleppcfeed.com
  • highfeedstream.com
  • livefeedstream.com
  • marketingppcfeed.com
  • payviaclick.com
  • ppcstream.com
  • theppcfeed.com


Redirects Mozilla Firefox

Trojan:Win32/Medfos.B installs a Mozilla Firefox extension at the following location:

  • %LOCALAPPDATA%\(random CLSID)\chrome\content\browser.xul - detected as Trojan:JS/Medfos.A


The extension is visible as a Mozilla Firefox add-on named "Translate This! 2.0", as shown below:



When browsing the web using Mozilla Firefox, the trojan intercepts search queries and redirects them to another site using the following URI format:

  • <destination domain>/feed.php?type={TYPE}&ua=Firefox&ip={random IP}&ref={website search}&uu={data}


As a result of this action, the malware may redirect the entered website address or search queries to certain pay-per-click advertising websites such as the following:

  • googleppcfeed.com
  • highfeedstream.com
  • livefeedstream.com
  • marketingppcfeed.com
  • payviaclick.com
  • ppcstream.com
  • theppcfeed.com
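As an added example (not part of the Microsoft write-up), the following Python script applies the persistence and redirect indicators described above as two detection checks: one over a Run-key value, one over a browser-request URL. The regex, the temp-folder test and the domain set are this editor's reading of the page, and the sample registry data and URLs are constructed for the demonstration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Pay-per-click domains named in the write-up.
MEDFOS_DOMAINS = {
    "googleppcfeed.com", "highfeedstream.com", "livefeedstream.com",
    "marketingppcfeed.com", "payviaclick.com", "ppcstream.com", "theppcfeed.com",
}

# Shape of the Run-key data from the write-up: rundll32.exe "<path>.dll",<export>
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+\.dll)"?\s*,\s*(\w+)', re.I)

def check_run_value(data: str) -> bool:
    """True when a Run value launches a DLL from a temp folder via rundll32
    using the export name the write-up reports (startcompressbuffer)."""
    m = RUNDLL_RE.search(data)
    if not m:
        return False
    path, export = m.group(1).lower(), m.group(2).lower()
    in_temp = "\\temp\\" in path or path.startswith("%temp%")
    return in_temp and export == "startcompressbuffer"

def check_url(url: str):
    """Return 'MSIE', 'Firefox' or None by which write-up URI shape the URL matches."""
    parts = urlsplit(url)
    qs = parse_qs(parts.query)
    ua = qs.get("ua", [""])[0]
    if (parts.hostname or "") not in MEDFOS_DOMAINS or "type" not in qs:
        return None
    if parts.path == "/feed" and ua == "MSIE":
        return "MSIE"
    if parts.path == "/feed.php" and ua == "Firefox" and {"ip", "ref", "uu"}.issubset(qs):
        return "Firefox"
    return None

# Constructed sample data for the demo; not captured from a real infection.
SAMPLE_RUN_VALUES = {
    "btpse": 'rundll32.exe "c:\\docume~1\\admini~1\\locals~1\\temp\\btpse.dll",startcompressbuffer',
    "ctfmon": "C:\\Windows\\system32\\ctfmon.exe",
}
SAMPLE_URLS = [
    "http://ppcstream.com/feed?type=live&ua=MSIE",
    "http://theppcfeed.com/feed.php?type=1&ua=Firefox&ip=10.0.0.5&ref=q&uu=abc",
    "http://example.com/feed?type=live&ua=MSIE",
]

def scan() -> dict:
    # Apply both checks to the sample data and report what would be flagged.
    return {"run_hits": [k for k, v in SAMPLE_RUN_VALUES.items() if check_run_value(v)],
            "url_hits": [u for u in SAMPLE_URLS if check_url(u)]}
```

On a live host the same checks would be fed from the HKLM\...\Run values and from proxy or DNS logs rather than the embedded samples.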




Analysis by Ric Robielos

Last update 11 April 2012
