Trojan:JS/Medfos.A
First posted on 27 February 2013.
Source: Microsoft
Aliases:
Trojan:JS/Medfos.A is also known as JS/Redirector.NIQ trojan (ESET), Trojan.JS.Medfos (Ikarus).
Explanation:
Installation
Trojan:JS/Medfos.A is typically installed by Trojan:Win32/Medfos.B as a Mozilla Firefox extension. It is usually installed in the file "%LOCALAPPDATA%\(random CLSID)\chrome\content\browser.xul".
If this extension is installed, it may use any of the following names:
- Translate This! 2.0
- Mozilla Safe Browsing 2.0.14
- Mozilla Framework Assistant 3.0.1
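A triage check for the installation path described above, as an added example (not Microsoft's code or part of the original write-up): it looks under a given %LOCALAPPDATA% directory for CLSID-named folders that contain chrome\content\browser.xul. The optional-brace CLSID pattern, the `install.rdf` name lookup, and the function names are assumptions.

```python
import os
import re
import tempfile
from pathlib import Path

# CLSID-style directory name, e.g. {01234567-89AB-CDEF-0123-456789ABCDEF}.
# Braces are treated as optional (assumption; the page only says "random CLSID").
CLSID_DIR = re.compile(r"^\{?[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}?$")
# Display names from the page, without their version suffixes.
KNOWN_NAMES = ("Translate This!", "Mozilla Safe Browsing", "Mozilla Framework Assistant")


def find_candidates(local_appdata):
    """Return [(extension_dir, matched_name_or_None)] for suspicious folders."""
    hits = []
    root = Path(local_appdata)
    if not root.is_dir():
        return hits
    for child in sorted(root.iterdir()):
        if not (child.is_dir() and CLSID_DIR.match(child.name)):
            continue
        if not (child / "chrome" / "content" / "browser.xul").is_file():
            continue
        # Assumption: a legacy install.rdf manifest may sit at the extension root.
        manifest = child / "install.rdf"
        name = None
        if manifest.is_file():
            text = manifest.read_text(encoding="utf-8", errors="replace")
            name = next((n for n in KNOWN_NAMES if n.lower() in text.lower()), None)
        hits.append((child, name))
    return hits


def demo():
    """Build a constructed directory tree (not real sample data) and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        bad = base / "{01234567-89AB-CDEF-0123-456789ABCDEF}"  # constructed CLSID
        (bad / "chrome" / "content").mkdir(parents=True)
        (bad / "chrome" / "content" / "browser.xul").write_text("<overlay/>")
        (bad / "install.rdf").write_text("<em:name>Translate This!</em:name>")
        (base / "Mozilla" / "chrome" / "content").mkdir(parents=True)  # benign name
        (base / "Mozilla" / "chrome" / "content" / "browser.xul").write_text("")
        return [(p.name, n) for p, n in find_candidates(base)]


if __name__ == "__main__":
    for path, name in find_candidates(os.environ.get("LOCALAPPDATA", ".")):
        print(path, name or "(name not matched)")
```

A hit on the path alone is a lead to investigate, not a verdict; the name match only raises confidence when a manifest is present.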
Payload
Redirects Mozilla Firefox
When browsing using Mozilla Firefox, this malware may redirect you from the URL that you type in, if you are trying to visit the AOL, Ask, Bing, Google, or Yahoo websites. It may redirect you to websites such as the following:
Analysis by Ricardo Robielos
Last update 27 February 2013