Trojan:Win32/Medfos.W
First posted on 19 December 2012.
Source: Microsoft
Aliases:
There are no other names known for Trojan:Win32/Medfos.W.
Explanation:
Trojan:Win32/Medfos.W is a malicious component dropped and installed by other Win32/Medfos files. It tries to download and install arbitrary files on your computer.
Installation
Trojan:Win32/Medfos.W is a Dynamic Link Library (DLL) file usually found in the "%AppData%" or "%TEMP%" folder with a random file name. The following are some of the file names that we have observed it using:
- dplsy.dll
- phltbt.dll
It creates the following registry entry so that it runs each time you start your computer and one of its exported APIs is invoked:
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "<random name>"
With data: "rundll32.exe <path and DLL malware file name>, APIName"
Where APIName is the name of an API exported by the DLL.
For example,
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "ndsas"
With data: "rundll32.exe "%AppData%\ndsas.dll", GetColumnInfo"
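As an added example (not part of the Microsoft write-up), the following Python helper parses Run values in the format shown above and flags rundll32 entries whose DLL sits in %AppData% or %TEMP%, the drop locations this entry describes. The sample Run values and the expanded profile paths it matches on are constructed assumptions, not data from the write-up.

```python
import re
from typing import Optional, Tuple

# Matches the Run-value format described above:
#   rundll32.exe <dll path>, <export name>
# The DLL path may be quoted or bare; the export name (or #ordinal) follows a comma.
_RUNDLL32_RE = re.compile(
    r'^\s*"?(?:[^"\s]*\\)?rundll32(?:\.exe)?"?\s+'   # rundll32, optional path/quotes
    r'(?P<dll>"[^"]+"|[^,\s]+)\s*,\s*'               # quoted or bare DLL path
    r'(?P<export>[A-Za-z_][A-Za-z0-9_@]*|#\d+)',     # exported function name
    re.IGNORECASE,
)

# Folders the write-up names as Medfos.W drop locations. The unexpanded
# variables are taken from the write-up; the expanded forms are assumptions
# about a typical Windows profile layout.
_DROP_FOLDER_MARKERS = (
    "%appdata%", "%temp%", "%tmp%",
    "\\appdata\\roaming\\", "\\appdata\\local\\temp\\", "\\temp\\",
)

def parse_rundll32_command(data: str) -> Optional[Tuple[str, str]]:
    """Return (dll_path, export) if `data` is a rundll32 launch line, else None."""
    m = _RUNDLL32_RE.match(data)
    if not m:
        return None
    return m.group("dll").strip('"'), m.group("export")

def is_suspicious_run_value(data: str) -> bool:
    """Flag rundll32 Run entries whose DLL lives in a user-writable drop folder."""
    parsed = parse_rundll32_command(data)
    if parsed is None:
        return False
    dll_path = parsed[0].lower()
    return any(marker in dll_path for marker in _DROP_FOLDER_MARKERS)

# Constructed sample Run values (not real registry data): the first is the
# write-up's own example, the others are benign-looking comparisons.
SAMPLE_RUN_VALUES = {
    "ndsas": 'rundll32.exe "%AppData%\\ndsas.dll", GetColumnInfo',
    "dplsy": 'rundll32.exe C:\\Users\\alice\\AppData\\Local\\Temp\\dplsy.dll,Start',
    "vendor_tray": '"C:\\Program Files\\Vendor\\tray.exe" /background',
    "system_dll": 'rundll32.exe C:\\Windows\\System32\\shell32.dll,Control_RunDLL',
}

def triage(run_values: dict) -> list:
    """Return the names of Run values matching the Medfos.W persistence pattern."""
    return [name for name, data in run_values.items() if is_suspicious_run_value(data)]

if __name__ == "__main__":
    for name in triage(SAMPLE_RUN_VALUES):
        dll, export = parse_rundll32_command(SAMPLE_RUN_VALUES[name])
        print(f"suspicious: {name} -> {dll} ({export})")
```

On a live system the same functions can be fed the name/data pairs read from the HKLM and HKCU Run keys; a hit is a lead for review, not proof of infection, since legitimate software occasionally loads DLLs from a profile folder.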
Payload
Downloads arbitrary files
Trojan:Win32/Medfos.W connects to various servers using HTTP via port 80. Once connected, it attempts to download arbitrary files. This trojan has been observed to connect to the following servers:
- 10.12.0.29
- 10.5.0.19
The sites were unavailable at the time of this writing.
Analysis by Jim Wang
Last update 19 December 2012