Trojan:Win32/Medfos.gen!A
First posted on 26 July 2012.
Source: Microsoft
Aliases:
Trojan:Win32/Medfos.gen!A is also known as Trojan.Win32.Jorik.Midhos.axf (Kaspersky), TR/Medfos.A.1090 (Avira), Win32/Medfos.AM trojan (ESET), Medfos.i (McAfee), TROJ_MEDFOS.UQ (Trend Micro).
Explanation:
Trojan:Win32/Medfos.gen!A is a malicious DLL component dropped and installed by other Win32/Medfos files. It tries to download and install arbitrary files on your computer.
Installation
Trojan:Win32/Medfos.gen!A is a Dynamic Link Library (DLL) file usually found in the "%AppData%" or "%TEMP%" folder with a random file name. The following are some of the file names that it has been found to have:
- amutse.dll
- apapsc.dll
- brmgh.dll
- csretb.dll
- drfdv.dll
- hecens.dll
- hlpcnt.dll
- mondi.dll
- ndsas.dll
- nsotb.dll
- ohest.dll
- sbtuil.dll
It may create the following registry entry to be able to load itself at every Windows start:
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "<random name>"
With data: "rundll32.exe <path and DLL malware file name>,<random characters>"
For example:
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "amutse"
With data: "rundll32.exe "%AppData%\amutse.dll",createinfowindow"
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "ndsas"
With data: "rundll32.exe "%AppData%\ndsas.dll",CreateLogFile"
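The persistence pattern above (a rundll32.exe Run value that loads a DLL from %AppData% or %TEMP% by a random export name) can be checked mechanically. The following is an added example, not Microsoft's code or part of the original entry: it parses Run-value data, flags entries that match the pattern, and on a Windows host reads the live HKLM Run key via winreg. The sample values below are constructed for the example (the first two are the entries quoted on this page); the export name "kpqz" and the path under C:\Users\alice are assumptions.

```python
import re

RUN_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# rundll32.exe <dll path>,<export>; the DLL path may be quoted, the exe may carry a directory,
# and the export is any non-space token (Medfos uses names such as createinfowindow or CreateLogFile).
RUNDLL_RE = re.compile(
    r'^\s*"?(?:[^"\s]*\\)?rundll32(?:\.exe)?"?\s+"?(?P<dll>[^",]+?)"?\s*,\s*(?P<export>[^\s"]+)',
    re.IGNORECASE,
)

# Locations this page names for the Medfos DLL: the unexpanded variables and their usual expansions.
USER_WRITABLE_DIRS = ("%appdata%", "%temp%", "\\appdata\\roaming\\", "\\appdata\\local\\temp\\")

def parse_rundll32(data):
    """Return (dll_path, export) if the Run value launches a DLL via rundll32, else None."""
    m = RUNDLL_RE.match(data)
    return (m.group("dll"), m.group("export")) if m else None

def is_medfos_like(data):
    """True when rundll32 loads a .dll from %AppData% or %TEMP%, the pattern this page describes."""
    parsed = parse_rundll32(data)
    if parsed is None:
        return False
    dll = parsed[0].lower()
    return dll.endswith(".dll") and any(marker in dll for marker in USER_WRITABLE_DIRS)

def audit_run_values(values):
    """Return the sorted names of Run values that match the Medfos persistence pattern."""
    return sorted(name for name, data in values.items() if is_medfos_like(data))

def read_live_run_values():
    """Read HKLM\\...\\Run on a Windows host; return {} elsewhere (winreg is Windows-only)."""
    try:
        import winreg
    except ImportError:
        return {}
    values = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY) as key:
        for i in range(winreg.QueryInfoKey(key)[1]):  # index 1 is the number of values
            name, data, _type = winreg.EnumValue(key, i)
            values[name] = str(data)
    return values

# Constructed sample: the two entries quoted on this page, an expanded-%TEMP% variant, and two benign values.
SAMPLE_RUN_VALUES = {
    "amutse": r'rundll32.exe "%AppData%\amutse.dll",createinfowindow',
    "ndsas": r'rundll32.exe "%AppData%\ndsas.dll",CreateLogFile',
    "updater": r"rundll32.exe C:\Users\alice\AppData\Local\Temp\hlpcnt.dll,kpqz",  # assumed values
    "SysTray": r"C:\Windows\System32\systray.exe",
    "CplHelper": r"RUNDLL32.EXE C:\Windows\System32\shell32.dll,Control_RunDLL",  # legitimate rundll32 use
}

if __name__ == "__main__":
    for name in audit_run_values(read_live_run_values() or SAMPLE_RUN_VALUES):
        print(f"suspicious Run value: {name}")
```

A hit only means rundll32 is loading a DLL from a user-writable folder; confirm by hashing the DLL and scanning it, since legitimate software rarely but occasionally registers itself this way.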
Payload
Downloads arbitrary files
Trojan:Win32/Medfos.A connects to various servers using HTTP via port 80. Once connected, it attempts to download arbitrary files. This trojan has been observed to connect to the following servers:
- filehostingdirect.net
- greatfilehosting.com
- midifilehosting.com
The sites were unavailable at the time of this writing.
Analysis by Wei Li
Last update 26 July 2012