TROJ_MEDFOS.BXW
Win32/Medfos.NO trojan (ESET)
Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)
Threat Type: Trojan
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
This Trojan may arrive bundled with malware packages as a malware component.
It requires its main component to successfully perform its intended routine.
TECHNICAL DETAILS
File Size: 761,856 bytes
File Type: DLL
Initial Samples Received Date: 16 Apr 2013
Arrival Details
This Trojan may arrive bundled with malware packages as a malware component.
Installation
This Trojan adds the following folders:
- %User Profile%\Application Data\Mozilla\Firefox\Profiles\{random}.default\extensions\{69508f56-a393-11e2-8274-b8ac6f996f26}
- %User Profile%\Application Data\Mozilla\Firefox\Profiles\{random}.default\extensions\{69508f56-a393-11e2-8274-b8ac6f996f26}\chrome
- %User Profile%\Application Data\Mozilla\Firefox\Profiles\{random}.default\extensions\{69508f56-a393-11e2-8274-b8ac6f996f26}\chrome\content
(Note: %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003, or C:\Users\{user name} on Windows Vista and 7.)
It drops the following files:
- %User Profile%\Application Data\Mozilla\Firefox\Profiles\{random}.default\extensions\{69508f56-a393-11e2-8274-b8ac6f996f26}\chrome\content\browser.xul
- %User Profile%\Application Data\Mozilla\Firefox\Profiles\{random}.default\extensions\{69508f56-a393-11e2-8274-b8ac6f996f26}\chrome.manifest
- %User Profile%\Application Data\Mozilla\Firefox\Profiles\{random}.default\extensions\{69508f56-a393-11e2-8274-b8ac6f996f26}\install.rdf
- %Application Data%\69508f56-a393-11e2-8274-b8ac6f996f26.crx
- %Application Data%\Google\Chrome\Application\6.0.472.55\Extensions\69508f56-a393-11e2-8274-b8ac6f996f26.crx
- %Application Data%\Google\Chrome\Application\6.0.472.55\Extensions\cdjbnddbclciabnckgeahmneohjlahdm.json
- %Application Data%\Google\Chrome\Application\7.0.517.44\Extensions\69508f56-a393-11e2-8274-b8ac6f996f26.crx
- %Application Data%\Google\Chrome\Application\7.0.517.44\Extensions\cdjbnddbclciabnckgeahmneohjlahdm.json
(Note: %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003, or C:\Users\{user name} on Windows Vista and 7. %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Roaming on Windows Vista and 7.)
Other System Modifications
This Trojan adds the following registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Extensions\cdjbnddbclciabnckgeahmneohjlahdm
It adds the following registry entries:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion
{malware file name} = "{random characters}"
HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Extensions\cdjbnddbclciabnckgeahmneohjlahdm
path = "%User Profile%\Local Settings\Application Data\69508f56-a393-11e2-8274-b8ac6f996f26.crx"
version = "1.0"
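A host check for the dropped files and registry keys listed in the Installation and Other System Modifications sections, added here as an example; it is not code from the Trend Micro entry. It assumes it runs in the affected user's session with read access to HKLM, and takes the extension GUID and the Chrome extension id from the entry above.

```powershell
# Added example, not part of the Trend Micro entry: look for TROJ_MEDFOS.BXW
# file and registry artifacts on the local host. Values below come from the entry.
$ExtGuid  = '69508f56-a393-11e2-8274-b8ac6f996f26'
$ChromeId = 'cdjbnddbclciabnckgeahmneohjlahdm'
$findings = @()

# Resolve the entry's placeholders without relying on env vars that XP lacks:
# %Application Data% -> roaming AppData; "Local Settings\Application Data" -> local AppData
$roaming = [Environment]::GetFolderPath('ApplicationData')
$local   = [Environment]::GetFolderPath('LocalApplicationData')

# Firefox: the extension folder sits under a {random}.default profile, so walk every profile
$ffProfiles = Join-Path $roaming 'Mozilla\Firefox\Profiles'
if (Test-Path $ffProfiles) {
    Get-ChildItem $ffProfiles | Where-Object { $_.PSIsContainer } | ForEach-Object {
        $ext = Join-Path $_.FullName "extensions\{$ExtGuid}"
        if (Test-Path $ext) { $findings += "Firefox extension folder: $ext" }
    }
}

# Chrome: loose .crx in both AppData folders, plus the per-version Extensions folders
$candidates = @((Join-Path $roaming "$ExtGuid.crx"), (Join-Path $local "$ExtGuid.crx"))
$chromeApp  = Join-Path $roaming 'Google\Chrome\Application'
if (Test-Path $chromeApp) {
    $names = @("$ExtGuid.crx", "$ChromeId.json")
    Get-ChildItem $chromeApp -Recurse -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and $names -contains $_.Name } |
        ForEach-Object { $candidates += $_.FullName }
}
foreach ($p in $candidates) {
    if (Test-Path $p) { $findings += "Chrome extension file: $p" }
}

# Registry: the forced-install key; also check the Wow6432Node view on 64-bit Windows,
# where a 32-bit Chrome install keeps this key. The {malware file name} value under
# HKCU\...\CurrentVersion has no fixed name, so review that key by hand.
foreach ($hive in 'HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\Wow6432Node') {
    $regKey = "$hive\Google\Chrome\Extensions\$ChromeId"
    if (Test-Path $regKey) {
        $v = Get-ItemProperty -Path $regKey
        $findings += "Registry key: $regKey (path=$($v.path); version=$($v.version))"
    }
}

if ($findings.Count -eq 0) { 'No TROJ_MEDFOS.BXW artifacts found' }
else { $findings | ForEach-Object { "[MEDFOS] $_" } }
```

Any hit should be treated as an indicator only; the entry states the component needs its main component to run, so the host should be scanned for the rest of the package.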
Other Details
This Trojan connects to the following possibly malicious URL:
- http://{BLOCKED}dvertisingfeed.com
It requires its main component to successfully perform its intended routine.