Installation
In the wild, Trojan:JS/Medfos.B is usually dropped by Trojan:Win32/Medfos.B as "chromeupdate.crx" in the %LOCALAPPDATA% folder.
The file is a Google Chrome browser extension package that disguises itself as a legitimate Chrome extension. The package contains the file "manager.js", which is the malicious JavaScript file detected as Trojan:JS/Medfos.B.
We have observed the malware installed with the name "ChromeUpdateManager 1.0", as shown in the original entry's screenshot of the installed extension (image not reproduced here).
Payload
Redirects search engine queries in Google Chrome
If you are using Google Chrome, the trojan redirects your browser when you go to, or run a search on, any of the following search engines:
- AOL
- Ask
- Bing
- Google
- Yahoo
This might result in you being directed to pay-per-click advertising websites such as the following:
- chrome-bulletin.com
- disable-instant-search.com/js/
- thechromeweb.com
Additional information
We have observed the "chromeupdate.crx" file also being dropped in computers that do not have Google Chrome installed.
The trojan uses one of the following uniform resource identifier (URI) formats to perform its search-redirection payload:
- <destination domain>/feed?type={type}&user-agent={user_agent}&ip={random IP}&ref={website search}&uu={data}
- <destination domain>/disable.js?type={type}&user-agent={user_agent}&ip={random IP}&ref={website search}&uu={data}
where the variables are as follows:
- {type} can have the values "search", "empty", or "live"
- {user_agent} is a fixed user-agent string (spaces encoded as "+"), observed as "Mozilla/5.0+(Windows+NT+5.1)+AppleWebKit/534.30+(KHTML,+like+Gecko)+Chrome/12.0.742.112+Safari/534.30"
- {random IP} is a randomly generated IP address, so it does not identify the infected computer
- {website search} is the search engine's search URL, for example "hxxp://www.google.com/search?q=<search terms>"
- {data} is predefined encoded data, sent as the "uu" parameter or as a "gsu" parameter, for example "uu=3j061XjheaBFxWLZnrapAWcOJh+7b8N/ujR9z+A4kupuz1AQITQYv1jszyYxApv4MrtMs/yGGF76gUMNzuram+FBaaDBmgItTbpr7P+Vxo+MwpMtr52/VVM1lHUx4tH4AIkStzW7KRgYAaJIEXVjALNXZGPfauHjTx6EeT/R5HU=" or "gsu=NfF7jSUpyKikVPAJ1aTUscKzW4w+umXZ+Juqtt/8L7lgqwReb6Jg73Io2UnBUzUKEzjaaRkSjrAWjqc9RwZBloxzJaMUUn0a"
For example, the complete URI might look like the following:
hxxp://thechromeweb.com/feed?type=search&user-agent=Mozilla/5.0+(Windows+NT+5.1)+AppleWebKit/534.30+(KHTML,+like+Gecko)+Chrome/12.0.742.112+Safari/534.30&ip=84.30.155.70&ref=hxxp://www.google.com/search?q=&uu=3j061XjheaBFxWLZnrapAWcOJh+7b8N/ujR9z+A4kupuz1AQITQYv1jszyYxApv4MrtMs/yGGF76gUMNzuram+FBaaDBmgItTbpr7P+Vxo+MwpMtr52/VVM1lHUx4tH4AIkStzW7KRgYAaJIEXVjALNXZGPfauHjTx6EeT/R5HU=
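The redirect URI structure above is a usable network indicator. The following is an added example, not code from the encyclopedia entry: a Node.js classifier that runs over web-proxy log lines and flags requests matching the /feed and /disable.js beacon (path, the type/user-agent/ip/ref parameters plus uu or gsu, the fixed Chrome 12 user-agent string, and a "ref" pointing at one of the hooked search engines), independently of the destination domain, so that the same logic catches redirect domains the entry does not list. The log lines and their format ("timestamp client method url status") are constructed for this example, and the uu/gsu values in them are placeholders.

```javascript
// Added example (not the entry's code): flag Medfos.B-style search-redirect
// beacons in web-proxy log lines. Log format and lines are constructed here.

// Destinations named in the entry as observed redirect domains.
const REDIRECT_DOMAINS = new Set(['chrome-bulletin.com', 'disable-instant-search.com', 'thechromeweb.com']);
const BEACON_PATHS = new Set(['/feed', '/disable.js']);
const BEACON_TYPES = new Set(['search', 'empty', 'live']);
// The fixed user-agent the entry lists, with the "+" spacing decoded.
const FIXED_UA = 'Mozilla/5.0 (Windows NT 5.1) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.112 Safari/534.30';
// The search engines the trojan hooks; matched against the host in the "ref" parameter.
const SEARCH_HOST = /(^|\.)(aol|ask|bing|google|yahoo)\.[a-z.]+$/i;

// Hostname of the "ref" value, tolerating the hxxp:// defanging used in reports.
function refHost(ref) {
  try { return new URL(ref.replace(/^hxxp/i, 'http')).hostname; } catch (e) { return ''; }
}

// Returns null for an unremarkable URL, otherwise the host, path and matched reasons.
function classifyUrl(raw) {
  let u;
  try { u = new URL(raw); } catch (e) { return null; }
  const reasons = [];
  if (REDIRECT_DOMAINS.has(u.hostname)) reasons.push('known-redirect-domain');
  const p = u.searchParams;
  const structural = BEACON_PATHS.has(u.pathname) &&
    BEACON_TYPES.has(p.get('type')) &&
    p.has('user-agent') && p.has('ip') && p.has('ref') &&
    (p.has('uu') || p.has('gsu'));
  if (structural) {
    reasons.push('beacon-structure');
    if (p.get('user-agent') === FIXED_UA) reasons.push('fixed-chrome12-ua');
    if (SEARCH_HOST.test(refHost(p.get('ref')))) reasons.push('ref-is-search-engine');
    // The "ip" parameter is random, so it is not compared with the client address.
  }
  return reasons.length ? { host: u.hostname, path: u.pathname, reasons } : null;
}

// Scan log lines of the form "<timestamp> <client> <method> <url> <status>".
function scanLog(lines) {
  const hits = [];
  for (const line of lines) {
    const fields = line.trim().split(/\s+/);
    if (fields.length < 5) continue;
    const [ts, client, , url] = fields;
    const verdict = classifyUrl(url);
    if (verdict) hits.push({ ts, client, ...verdict });
  }
  return hits;
}

// Constructed sample log: one beacon to a listed domain, one to an unlisted domain,
// and three ordinary requests that must not be flagged.
const SAMPLE_LOG = [
  '2012-07-10T09:01:02Z 10.0.0.5 GET http://www.google.com/search?q=chrome+update 200',
  '2012-07-10T09:01:03Z 10.0.0.5 GET http://thechromeweb.com/feed?type=search&user-agent=Mozilla/5.0+(Windows+NT+5.1)+AppleWebKit/534.30+(KHTML,+like+Gecko)+Chrome/12.0.742.112+Safari/534.30&ip=84.30.155.70&ref=http://www.google.com/search?q=&uu=c2FtcGxl 302',
  '2012-07-10T09:05:44Z 10.0.0.7 GET http://cdn.example.net/disable.js?type=live&user-agent=Mozilla/5.0+(Windows+NT+5.1)+AppleWebKit/534.30+(KHTML,+like+Gecko)+Chrome/12.0.742.112+Safari/534.30&ip=17.44.2.9&ref=http://search.yahoo.com/search?p=test&gsu=c2FtcGxl 200',
  '2012-07-10T09:06:00Z 10.0.0.7 GET http://www.bing.com/search?q=weather 200',
  '2012-07-10T09:07:00Z 10.0.0.9 GET http://www.example.com/feed?type=rss 200',
];

console.log(JSON.stringify(scanLog(SAMPLE_LOG), null, 2));
```

The structural match is the useful part: the known domains are a point-in-time list, whereas the parameter set, the hard-coded user-agent string and a "ref" that is itself a search-engine URL describe the beacon regardless of where it is sent. Treat a hit with only "known-redirect-domain" as lower confidence, since an ordinary visit to one of those sites would also trigger it.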
Related encyclopedia entries
Trojan:Win32/Medfos.B
Win32/Medfos
Analysis by Ric Robielos