
Trojan:Win32/Mediyes.D


First posted on 29 May 2012.
Source: Microsoft

Aliases :

There are no other names known for Trojan:Win32/Mediyes.D.

Explanation :



Trojan:Win32/Mediyes.D is a DLL component of the Mediyes family, a multi-component family that steals your sensitive information from websites you visit.



Installation

Trojan:Win32/Mediyes.D may be dropped and installed on your computer by other members of the Mediyes family. It communicates with the other components over a named pipe, "\\.\pipe\WinSxp".

Because it is registered as a Winsock namespace provider (see below), the DLL is loaded into Internet Explorer and Firefox whenever those browsers start and initialize Winsock.

Trojan:Win32/Mediyes.D may use the file name "<system folder>\d3dy<random characters>.dll", chosen to pose as a legitimate Direct3D library file.

Note: <system folder> refers to a variable location that is determined by the malware by querying the operating system. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP, Vista, and 7 is C:\Windows\System32.

For example:

  • <system folder>\d3dye5xnv.dll
  • <system folder>\d3dybnavy.dll
  • <system folder>\d3dyyg81j.dll
  • <system folder>\d3dyymlyn.dll


It registers itself as a Winsock namespace provider (NSP), so the Winsock library (ws2_32.dll) loads the DLL into every process that uses Winsock for name resolution; this is how it ends up inside the browser processes without a separate autostart entry. The registered providers, including this one, can be listed with "netsh winsock show catalog". Note that deleting the DLL without removing its catalog entry leaves a dangling provider that can break name resolution in affected processes; "netsh winsock reset" rebuilds the catalog.



Payload

Connects to a remote server

Trojan:Win32/Mediyes.D connects to a server at 89.149.227.62 to do the following:

  • Get configuration file
  • Notify the server of its installation in your computer
  • Download additional components


Steals sensitive information

Trojan:Win32/Mediyes.D monitors which websites are open in Internet Explorer, presumably to identify pages on which you enter sensitive information. That information may then be stolen and sent to a remote attacker.
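The following PowerShell triage script is an added example for this entry, not part of the original write-up or of any Microsoft tooling. It checks a live Windows host for the four indicators described above under Installation and Payload: the \\.\pipe\WinSxp named pipe, a d3dy*.dll file in the system folder, a Winsock namespace-provider catalog entry that loads such a DLL, and a current TCP connection to 89.149.227.62. It assumes PowerShell 4.0 or later on Windows 8 / Server 2012 or later, run from an elevated prompt. The file-name regex is my generalization of the four sample names (lowercase letters and digits after "d3dy"); the NameSpace_Catalog5 registry paths are the standard Winsock 2 catalog location, not something taken from the write-up.

```powershell
# Added triage script for Trojan:Win32/Mediyes.D; not part of the original entry.
# Assumes Windows 8 / Server 2012+ with PowerShell 4.0+, run elevated (the Winsock
# catalog lives under HKLM). Regex and registry paths are my assumptions (see lead-in).

$findings = @()

# 1. Named pipe used for inter-component communication (\\.\pipe\WinSxp).
#    Enumerating \\.\pipe\ only shows pipes whose server end is currently open,
#    so a hit means a Mediyes component is running right now.
$pipes = [System.IO.Directory]::GetFiles('\\.\pipe\')
if ($pipes -contains '\\.\pipe\WinSxp') {
    $findings += 'Named pipe \\.\pipe\WinSxp is open: a Mediyes component is running.'
}

# 2. Dropped DLL posing as a Direct3D library: <system folder>\d3dy<random>.dll.
#    Genuine Direct3D runtime DLLs are named d3d9.dll, d3d11.dll, d3dx9_43.dll,
#    d3dcompiler_47.dll and similar; none of them begins with "d3dy".
$sysdir  = [Environment]::SystemDirectory      # e.g. C:\Windows\System32
$pattern = '^d3dy[a-z0-9]+\.dll$'              # assumed generalization of the four samples
$suspectFiles = Get-ChildItem -Path $sysdir -Filter 'd3dy*.dll' -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match $pattern }
foreach ($f in $suspectFiles) {
    $sig  = Get-AuthenticodeSignature -FilePath $f.FullName
    $hash = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
    $findings += "Suspicious DLL $($f.FullName) (signature: $($sig.Status), SHA256: $hash)"
}

# 3. Winsock namespace-provider registration. Each NSP is a subkey of Catalog_Entries
#    (and Catalog_Entries64 on 64-bit Windows) whose LibraryPath value names the DLL.
$catalogRoots = @(
    'HKLM:\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries',
    'HKLM:\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64'
)
foreach ($root in $catalogRoots) {
    if (-not (Test-Path $root)) { continue }
    foreach ($entry in Get-ChildItem -Path $root) {
        $props = Get-ItemProperty -Path $entry.PSPath
        $lib   = [Environment]::ExpandEnvironmentVariables([string]$props.LibraryPath)
        $name  = Split-Path -Leaf $lib
        if ($name -match $pattern) {
            $findings += "Winsock NSP entry $($entry.PSChildName) loads $lib (DisplayString: $($props.DisplayString))"
        } elseif ($lib -and -not (Test-Path $lib)) {
            # A dangling entry (DLL already deleted) still breaks name resolution.
            $findings += "Winsock NSP entry $($entry.PSChildName) points to a missing file: $lib"
        }
    }
}

# 4. Command-and-control address named in the write-up (current TCP connections only).
$c2 = '89.149.227.62'
if (Get-Command Get-NetTCPConnection -ErrorAction SilentlyContinue) {
    $conns = Get-NetTCPConnection -RemoteAddress $c2 -ErrorAction SilentlyContinue
    foreach ($c in $conns) {
        $proc = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
        $findings += "Connection to $c2 from PID $($c.OwningProcess) ($($proc.ProcessName)), state $($c.State)"
    }
}

if ($findings.Count -eq 0) {
    'No Mediyes.D indicators found.'
} else {
    $findings
}
```

Check 3 is the one that matters for cleanup: removing the DLL alone leaves the catalog entry behind, and Winsock will keep trying to load it. After deleting the file, run "netsh winsock reset" (and reboot) to rebuild the catalog, then rerun the script to confirm that no d3dy*.dll provider remains. Check 4 only sees connections open at the moment it runs; for historical contact with 89.149.227.62, query proxy or firewall logs instead.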



Analysis by Alden Pornasdoro

Last update 29 May 2012
