Trojan:Win32/Medfos.B is a trojan that redirects the web browsers Internet Explorer, Mozilla Firefox or Google Chrome to other sites.
It is a member of the Win32/Medfos family.
Installation
Trojan:Win32/Medfos.B is typically installed by variants of Win32/Medfos and is present as a DLL file in the %TEMP% folder, for example "%TEMP%\btpse.dll".
Note: %TEMP% refers to a variable location that is determined by the malware by querying the operating system. The default location for the Temp folder for Windows 2000, XP, and 2003 is "C:\DOCUME~1\<user>\LOCALS~1\Temp". For Windows Vista and 7, the default location is "C:\Users\<user name>\AppData\Local\Temp".
The system registry is modified to run the trojan at each Windows start via "rundll32.exe", for example:
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "btpse"
With data: "rundll32.exe "c:\docume~1\admini~1\locals~1\temp\btpse.dll",startcompressbuffer"
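As an added example (not part of the original encyclopedia entry), the following Python audits Run-key command lines of the kind shown above and flags rundll32 entries whose DLL is loaded from a Temp folder, including the 8.3 short-name paths seen on Windows 2000/XP/2003. The registry values are constructed sample data; the first mirrors the page's example, the others are hypothetical benign and suspicious entries.

```python
from __future__ import annotations
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample Run-key values (name -> data). "btpse" mirrors the
# page's example; the rest are hypothetical entries for comparison.
RUN_VALUES = {
    "btpse": 'rundll32.exe "c:\\docume~1\\admini~1\\locals~1\\temp\\btpse.dll",startcompressbuffer',
    "OneDrive": '"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" /background',
    "SysHelper": 'rundll32.exe C:\\Users\\alice\\AppData\\Local\\Temp\\helper.dll,Start',
    "NvCpl": 'RUNDLL32.EXE C:\\Windows\\system32\\NvCpl.dll,NvStartup',
}

# Matches a command that launches rundll32 (optionally quoted / with a path)
# and captures everything after it, i.e. the "<dll>,<export>" argument.
RUNDLL_RE = re.compile(r'^\s*"?(?:[^"\s]*\\)?rundll32(?:\.exe)?"?\s+(.+)$', re.IGNORECASE)
# The DLL may be quoted (paths with spaces) or bare; the export follows a comma.
ARGS_RE = re.compile(r'^(?:"([^"]+)"|([^,]+?))\s*,\s*([A-Za-z0-9_@#]+)')


@dataclass
class Finding:
    name: str       # Run-key value name
    dll_path: str   # DLL handed to rundll32
    export: str     # exported function rundll32 is told to call


def parse_rundll32(command: str) -> Optional[tuple[str, str]]:
    """Return (dll_path, export) if the command launches rundll32, else None."""
    m = RUNDLL_RE.match(command)
    if not m:
        return None
    am = ARGS_RE.match(m.group(1))
    if not am:
        return None
    return (am.group(1) or am.group(2)).strip(), am.group(3)


def in_temp_folder(path: str) -> bool:
    """True if any directory component of the path is a temp folder."""
    parts = [p.lower() for p in re.split(r"[\\/]+", path)]
    return any(p in ("temp", "tmp") for p in parts[:-1])


def audit_run_keys(values: dict[str, str]) -> list[Finding]:
    """Return rundll32 Run-key entries that load a DLL from a Temp folder."""
    findings = []
    for name, cmd in values.items():
        parsed = parse_rundll32(cmd)
        if parsed and in_temp_folder(parsed[0]):
            findings.append(Finding(name, parsed[0], parsed[1]))
    return findings
```

On a live system the same function can be fed the output of a Run-key enumeration; a DLL in a Temp folder started by rundll32 at logon is worth inspecting regardless of the value name.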
Payload
Redirects Internet Explorer
When browsing the web using Internet Explorer, the malware may redirect the entered website address or searched queries to certain pay-per-click advertising websites such as the following:
- googleppcfeed.com
- highfeedstream.com
- livefeedstream.com
- marketingppcfeed.com
- payviaclick.com
- ppcstream.com
- theppcfeed.com
The trojan redirects search queries to another site using one of the following uniform resource identifier (URI) methods:
- <destination domain>/feed?type=live&ua=MSIE
- <destination domain>/feed?type=<website search>&ua=MSIE
Redirects Mozilla Firefox
When browsing the web using Mozilla Firefox, the malware may redirect the entered website address or searched queries to certain pay-per-click advertising websites such as the following:
- googleppcfeed.com
- highfeedstream.com
- livefeedstream.com
- marketingppcfeed.com
- payviaclick.com
- ppcstream.com
- theppcfeed.com
To enable this redirection, Trojan:Win32/Medfos.B installs a Mozilla Firefox extension, as follows:
Note: %LOCALAPPDATA% refers to a variable location that is determined by the malware by querying the operating system. The default location for the Application Data folder for Windows 2000, XP, and 2003 is "C:\Documents and Settings\<user>\Local Settings\Application Data". For Windows Vista and 7, the default location is "C:\Users\<user>\AppData\Local".
The extension is visible as a Mozilla Firefox add-on named "Translate This! 2.0", as shown below:
The trojan redirects search queries to another site using the following URI method:
- <destination domain>/feed.php?type={type}&ua=Firefox&ip={random IP}&ref={website search}&uu={data};
Redirects Google Chrome
When using Google Chrome, the trojan redirects your browser if you attempt to either go to, or make a search in, the following search engines:
- AOL
- Ask
- Bing
- Google
- Yahoo
As a result of this action, the malware may redirect you to pay-per-click advertising websites such as the following:
- chrome-bulletin.com
- disable-instant-search.com/js/
- thechromeweb.com
To enable this redirection, Trojan:Win32/Medfos.B drops the file "chromeupdate.crx" in the %LOCALAPPDATA% folder.
The file is a Google Chrome browser extension package that disguises itself as a legitimate Chrome extension. The package contains the file "manager.js", which is the malicious JavaScript file detected as Trojan:JS/Medfos.B.
In the wild, we have observed the malware installed with the name "ChromeUpdateManager 1.0", as in the following image:
Related encyclopedia entries
Trojan:JS/Medfos.A
Trojan:JS/Medfos.B
Win32/Medfos
Analysis by Ric Robielos