Trojan:Win32/Medfos.X
First posted on 01 February 2013.
Source: Microsoft
Aliases:
There are no other names known for Trojan:Win32/Medfos.X.
Explanation:
Trojan:Win32/Medfos.X is a trojan that is used to drive Internet traffic to specific websites without your consent.
It retrieves information from a remote website, specifically search keywords and the websites your computer should be directed to, then performs simulated clicks and accesses advertisements; this is a method often used to inflate traffic to a specific website.
Installation
Trojan:Win32/Medfos.X can be dropped and executed by other malware, or you may encounter it when you visit a compromised website.
It creates a registry key to ensure that it runs each time you start your computer:
In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "<malware file>"
With data: " %AppData%\<malware file>.dll,<exported function> "
The malware file name and exported function may change; in the wild, we have observed Trojan:Win32/Medfos.X using the file name "prete", and any of the following exported functions:
- FlagsFilename
- GetFuncDesc
- ImportWarning
- RealAsDouble
- write_row
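The persistence entry above has a recognisable shape: a Run value whose data is a DLL under %AppData% followed by a comma and an exported function name. The following is an added detection example, not code from this page or from Microsoft; it parses Run-key value data in that shape, flags any AppData DLL loaded by export, and additionally notes when the file name or export matches the ones observed in the wild. The constructed sample entries, the optional rundll32 prefix it tolerates, and the live-registry helper (Windows only, using the standard winreg module) are assumptions of this example.

```python
"""Flag Run-key entries matching the Medfos.X persistence shape: %AppData%\<file>.dll,<export>."""
import re

# Names observed in the wild according to the write-up above.
OBSERVED_EXPORTS = {"FlagsFilename", "GetFuncDesc", "ImportWarning", "RealAsDouble", "write_row"}
OBSERVED_FILENAME = "prete"

# Optional surrounding quotes/whitespace, optional rundll32 prefix (assumption),
# then %AppData%\<name>.dll,<export>. Case-insensitive because registry data is.
_RUN_DLL_RE = re.compile(
    r'^\s*"?\s*(?:rundll32(?:\.exe)?\s+)?'
    r'%appdata%\\(?P<name>[^\\,"]+)\.dll\s*,\s*(?P<export>[A-Za-z_][A-Za-z0-9_]*)\s*"?\s*$',
    re.IGNORECASE,
)

def classify_run_entry(value_name, data):
    """Return None for benign-looking data, else a dict describing why the entry was flagged."""
    m = _RUN_DLL_RE.match(data)
    if not m:
        return None
    name, export = m.group("name"), m.group("export")
    reasons = ["dll-in-appdata-loaded-by-export"]          # generic rundll32-style persistence
    if export in OBSERVED_EXPORTS:
        reasons.append("export-observed-for-medfos")
    if name.lower() == OBSERVED_FILENAME:
        reasons.append("filename-observed-for-medfos")
    return {"value": value_name, "dll": name + ".dll", "export": export, "reasons": reasons}

def scan_run_entries(entries):
    """entries: {value_name: data}. Returns the flagged entries in registry order."""
    return [hit for hit in (classify_run_entry(k, v) for k, v in entries.items()) if hit]

def read_live_run_key():
    """On Windows, read HKLM\\...\\Run string values; on other platforms return {}."""
    try:
        import winreg
    except ImportError:
        return {}
    entries, index = {}, 0
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"Software\Microsoft\Windows\CurrentVersion\Run") as key:
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:                                  # no more values
                break
            if isinstance(data, str):
                entries[name] = data
            index += 1
    return entries

# Constructed sample (not a real capture): one Medfos-shaped entry, one benign, one generic DLL loader.
SAMPLE_RUN_ENTRIES = {
    "prete": ' %AppData%\\prete.dll,GetFuncDesc ',
    "OneDrive": '"C:\\Users\\u\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" /background',
    "updater": '%AppData%\\helper.dll,Run',
}

if __name__ == "__main__":
    for hit in scan_run_entries(read_live_run_key() or SAMPLE_RUN_ENTRIES):
        print(hit)
```

Run on a live host it prints every Run value of this shape; anything flagged with only the generic reason still deserves a look, since the file and export names are known to change.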
Payload
Monitors Internet activity
It also hooks the following API functions in processes such as Internet Explorer to monitor your Internet activity:
- CreateProcessAsUserW
- CreateFileW
- CreateProcessW
- LoadLibraryW
- WriteFile
Contacts remote hosts
Trojan:Win32/Medfos.X connects to various remote servers over HTTP (port 80) and attempts to retrieve search keywords to submit to search engines, in order to influence how those engines rank websites.
The trojan has been observed contacting domains with the following suffixes:
- 11va1l4.<BLOCKED>4reporting<dot>com
- 11va1n4<BLOCKED>online<dot>com
- m<BLOCKED>reporter<dot>com
Analysis by Zarestel Ferrer
Last update 01 February 2013