Analysis by: Anthony Joe Melgarejo

ALIASES:

Trojan:Win32/Medfos.A (Microsoft), ZeroAccess-FBGQ!59E2B0F1EE77 (McAfee), Mal/Medfos-M, Mal/Medfos-M (Sophos), Trojan.Win32.Medfos.o (v) (Sunbelt), W32/Clicker.LOL!tr (Fortinet), Win32/Medfos.LV trojan (ESET), BScope.Trojan.Midhos.2812 (VBA32)

 PLATFORM:

Windows 2000, Windows XP, Windows Server 2003

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:

  • Threat Type: Trojan

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

This Trojan arrives as a file that exports the functions of other malware/grayware. It may arrive bundled with malware packages as a malware component. It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It connects to certain URLs. It may do this to remotely inform a malicious user of its installation. It may also do this to download possibly malicious files onto the computer, which puts the computer at a greater risk of infection by other threats.

  TECHNICAL DETAILS

File Size: 241,664 bytes
File Type: DLL
Memory Resident: Yes
Initial Samples Received Date: 14 Mar 2013

Arrival Details

This Trojan arrives as a file that exports the functions of other malware/grayware.

It may arrive bundled with malware packages as a malware component.

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Download Routine

This Trojan connects to the following malicious URLs:

  • http://{BLOCKED}.{BLOCKED}.131.158/upload/fid=BwCbAAEAUvu1BAEFBgAAAAAAAAAAAAAAAAAAAABJDQMNCwAAAInXHJjiEfOLrLhzgiZvmW-vnEBRAABVVVVVVVVVVVVVVVVVVVVVfyTOAcxLgmVS-7UEeGtxfHWCWGtxXFUGAQIDBAUGAQLOkSInG5fNBwAAAAAAAAQAAAAEAAAANFYA