TROJ_MEDFOS.BPX
Trojan:Win32/Medfos.A (Microsoft), ZeroAccess-FBGQ!59E2B0F1EE77 (McAfee), Mal/Medfos-M, Mal/Medfos-M (Sophos), Trojan.Win32.Medfos.o (v) (Sunbelt), W32/Clicker.LOL!tr (Fortinet), Win32/Medfos.LV trojan (ESET), BScope.Trojan.Midhos.2812 (VBA32)
Windows 2000, Windows XP, Windows Server 2003
Threat Type: Trojan
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
This Trojan arrives as a file that exports the functions of other malware/grayware. It may arrive bundled with malware packages as a malware component. It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
It connects to certain URLs. It may do this to remotely inform a malicious user of its installation. It may also do this to download possibly malicious files onto the computer, which puts the computer at a greater risk of infection by other threats.
TECHNICAL DETAILS
Arrival Details
This Trojan arrives as a file that exports the functions of other malware/grayware.
It may arrive bundled with malware packages as a malware component.
It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Download Routine
This Trojan connects to the following malicious URLs:
- http://{BLOCKED}.{BLOCKED}.131.158/upload/fid=BwCbAAEAUvu1BAEFBgAAAAAAAAAAAAAAAAAAAABJDQMNCwAAAInXHJjiEfOLrLhzgiZvmW-vnEBRAABVVVVVVVVVVVVVVVVVVVVVfyTOAcxLgmVS-7UEeGtxfHWCWGtxXFUGAQIDBAUGAQLOkSInG5fNBwAAAAAAAAQAAAAEAAAANFYA