Trojan:Win32/Medfos.A
First posted on 28 April 2012.
Source: Microsoft
Aliases:
Trojan:Win32/Medfos.A is also known as TR/Medfos.A.213 (Avira), Trojan.Win32.Midhos.cn (Kaspersky), Generic Downloader.nb (McAfee), Mal/EncPk-ZC (Sophos).
Explanation:
Trojan:Win32/Medfos.A is a trojan that attempts to download arbitrary files from websites such as "greatfilehosting.com" and "midifilehosting.com".
Installation
This trojan may have file properties that disguise it as a legitimate program file from "Sun Microsystems, Inc" or "Creative Technology Ltd". When Trojan:Win32/Medfos.A executes, it drops copies of the trojan as a randomly named file, as in the following examples:
- %TEMP%\dshchl.dll
- %TEMP%\vcken.dll
- %TEMP%\hlobt.dll
The registry is modified to run the trojan file at each Windows start.
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "<value>"
To data: "rundll32.exe <path and file name of malware>,<character string>"
The following are examples of the registry data modification:
Sets value: "vcken"
To data: "rundll32.exe "c:\documents and settings\administrator\local settings\temp\vcken.dll",loadbitmapresize"
Sets value: "dshchl"
To data: "rundll32.exe "c:\documents and settings\administrator\local settings\temp\dshchl.dll",createvolumetexturefromfileexa"
Sets value: "hlobt"
To data: "rundll32.exe "c:\docume~1\admini~1\locals~1\temp\hlobt.dll",quaternionsquadsetup"
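The persistence pattern above (a rundll32 Run value that loads a randomly named DLL from %TEMP% and calls an arbitrary export) can be checked for offline from exported Run-key data. The following is an added detection example, not code from the original entry; the sample values are constructed from the entries quoted above plus two benign controls, and the temp-directory heuristic is an assumption about what is worth flagging.

```python
import re
from typing import NamedTuple, Optional

# Constructed sample Run-key values (value name -> data). The first three
# mirror the trojan's entries quoted above; the last two are benign-looking
# controls and must not be flagged.
SAMPLE_RUN_VALUES = {
    "vcken": 'rundll32.exe "c:\\documents and settings\\administrator\\local settings\\temp\\vcken.dll",loadbitmapresize',
    "dshchl": 'rundll32.exe "c:\\documents and settings\\administrator\\local settings\\temp\\dshchl.dll",createvolumetexturefromfileexa',
    "hlobt": 'rundll32.exe "c:\\docume~1\\admini~1\\locals~1\\temp\\hlobt.dll",quaternionsquadsetup',
    "ctfmon": 'C:\\WINDOWS\\system32\\ctfmon.exe',
    "nwiz": 'rundll32.exe "C:\\WINDOWS\\system32\\nvcpl.dll",NvStartup',
}

# rundll32 invocation: optional path to rundll32(.exe), then a quoted or bare
# DLL path, a comma, and the export name that rundll32 will call.
RUNDLL_RE = re.compile(
    r'^\s*(?:"?[^"]*rundll32(?:\.exe)?"?)\s+'
    r'(?:"(?P<qpath>[^"]+)"|(?P<bpath>[^,\s]+))'
    r'\s*,\s*(?P<export>\S+)',
    re.IGNORECASE,
)
# Temp-directory markers; the 8.3 short form (locals~1\temp) still ends in \temp\.
TEMP_SEGMENTS = ("\\temp\\", "\\tmp\\")

class RunEntry(NamedTuple):
    value_name: str
    dll_path: str
    export: str

def parse_rundll32(data: str) -> Optional[tuple[str, str]]:
    """Return (dll_path, export) if data is a rundll32 command, else None."""
    m = RUNDLL_RE.match(data)
    if not m:
        return None
    return (m.group("qpath") or m.group("bpath")), m.group("export")

def is_temp_path(path: str) -> bool:
    """True when the DLL lives under a temp directory (case-insensitive)."""
    p = path.lower().replace("/", "\\")
    return any(seg in p for seg in TEMP_SEGMENTS)

def find_suspicious_run_entries(run_values: dict[str, str]) -> list[RunEntry]:
    """Flag Run values where rundll32 loads a DLL from a temp directory."""
    hits = []
    for name, data in run_values.items():
        parsed = parse_rundll32(data)
        if parsed and is_temp_path(parsed[0]):
            hits.append(RunEntry(name, parsed[0], parsed[1]))
    return hits
```

Run `find_suspicious_run_entries(SAMPLE_RUN_VALUES)` against values exported from HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (and the HKCU equivalent); the flagged DLL path and export name are what to pull for analysis.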
Payload
Communicates with a remote host
Trojan:Win32/Medfos.A connects to various remote servers using the HTTP protocol (port 80) and attempts to download arbitrary files. The trojan was observed to contact domains with the following suffixes:
- greatfilehosting.com
- midifilehosting.com
- filehostingdirect.net
At the time of this writing, the sites were unavailable for analysis.
Analysis by Hong Jia
Last update 28 April 2012