TROJ_MEDFOS.BXW
Win32/Medfos.NO trojan (ESET)
Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)
Threat Type: Trojan
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
This Trojan may arrive bundled with malware packages as a malware component.
It requires its main component to successfully perform its intended routine.
TECHNICAL DETAILS
Arrival Details
This Trojan may arrive bundled with malware packages as a malware component.
Installation
This Trojan adds the following folders:
- %User Profile%\Application Data\Mozilla\Firefox\Profiles\{random}.default\extensions\{69508f56-a393-11e2-8274-b8ac6f996f26}
- %User Profile%\Application Data\Mozilla\Firefox\Profiles\{random}.default\extensions\{69508f56-a393-11e2-8274-b8ac6f996f26}\chrome
- %User Profile%\Application Data\Mozilla\Firefox\Profiles\{random}.default\extensions\{69508f56-a393-11e2-8274-b8ac6f996f26}\chrome\content
(Note: %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003, or C:\Users\{user name} on Windows Vista and 7.)
It drops the following files:
- %User Profile%\Application Data\Mozilla\Firefox\Profiles\{random}.default\extensions\{69508f56-a393-11e2-8274-b8ac6f996f26}\chrome\content\browser.xul
- %User Profile%\Application Data\Mozilla\Firefox\Profiles\{random}.default\extensions\{69508f56-a393-11e2-8274-b8ac6f996f26}\chrome.manifest
- %User Profile%\Application Data\Mozilla\Firefox\Profiles\{random}.default\extensions\{69508f56-a393-11e2-8274-b8ac6f996f26}\install.rdf
- %Application Data%\69508f56-a393-11e2-8274-b8ac6f996f26.crx
- %Application Data%\Google\Chrome\Application\6.0.472.55\Extensions\69508f56-a393-11e2-8274-b8ac6f996f26.crx
- %Application Data%\Google\Chrome\Application\6.0.472.55\Extensions\cdjbnddbclciabnckgeahmneohjlahdm.json
- %Application Data%\Google\Chrome\Application\7.0.517.44\Extensions\69508f56-a393-11e2-8274-b8ac6f996f26.crx
- %Application Data%\Google\Chrome\Application\7.0.517.44\Extensions\cdjbnddbclciabnckgeahmneohjlahdm.json
(Note: %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003, or C:\Users\{user name} on Windows Vista and 7. %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Roaming on Windows Vista and 7.)
Other System Modifications
This Trojan adds the following registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Extensions\cdjbnddbclciabnckgeahmneohjlahdm
It adds the following registry entries:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion
{malware file name} = "{random characters}"
HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Extensions\cdjbnddbclciabnckgeahmneohjlahdm
path = "%User Profile%\Local Settings\Application Data\69508f56-a393-11e2-8274-b8ac6f996f26.crx"
HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Extensions\cdjbnddbclciabnckgeahmneohjlahdm
version = "1.0"
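As an added defender-side check (not part of this Trend Micro entry), the following PowerShell script looks for the Firefox extension folders, dropped Chrome files and Chrome extension registry key listed in the Installation and Other System Modifications sections. The GUID and Chrome extension ID come from this page; the Chrome file search is widened to any version folder under Google\Chrome\Application, and checking the WOW6432Node registry view on 64-bit hosts is an assumption.

```powershell
# Added triage check for the TROJ_MEDFOS.BXW artifacts listed above.
# Not part of the Trend Micro entry; IDs and paths are taken from it.
# Run in an elevated PowerShell on the suspect host.

$ExtGuid  = '69508f56-a393-11e2-8274-b8ac6f996f26'     # Firefox extension GUID / Chrome .crx name
$ChromeId = 'cdjbnddbclciabnckgeahmneohjlahdm'         # Chrome extension ID
$Findings = @()

# 1. Firefox: extension folder named after the GUID inside any profile
$ffProfiles = Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles'
if (Test-Path -LiteralPath $ffProfiles) {
    Get-ChildItem -LiteralPath $ffProfiles -Directory | ForEach-Object {
        $ext = Join-Path $_.FullName ('extensions\{' + $ExtGuid + '}')
        if (Test-Path -LiteralPath $ext) { $Findings += "Firefox extension dir: $ext" }
    }
}

# 2. Chrome: the .crx dropped in the profile root (page lists both roaming and
#    local locations) plus .crx/.json copies under any Chrome version folder
$chromeDrops = @(
    (Join-Path $env:APPDATA      "$ExtGuid.crx"),
    (Join-Path $env:LOCALAPPDATA "$ExtGuid.crx")
)
$chromeAppRoot = Join-Path $env:APPDATA 'Google\Chrome\Application'
if (Test-Path -LiteralPath $chromeAppRoot) {
    $chromeDrops += @(Get-ChildItem -LiteralPath $chromeAppRoot -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -eq "$ExtGuid.crx" -or $_.Name -eq "$ChromeId.json" } |
        Select-Object -ExpandProperty FullName)
}
foreach ($p in $chromeDrops) {
    if (Test-Path -LiteralPath $p) { $Findings += "Chrome extension file: $p" }
}

# 3. Registry: Chrome external-extension key (64-bit view, and 32-bit view as an assumption)
$regKeys = @(
    "HKLM:\SOFTWARE\Google\Chrome\Extensions\$ChromeId",
    "HKLM:\SOFTWARE\WOW6432Node\Google\Chrome\Extensions\$ChromeId"
)
foreach ($k in $regKeys) {
    if (Test-Path -LiteralPath $k) {
        $v = Get-ItemProperty -LiteralPath $k
        $Findings += "Registry key: $k (path=$($v.path); version=$($v.version))"
    }
}

if ($Findings.Count -eq 0) { Write-Output 'No TROJ_MEDFOS.BXW artifacts found.' }
else { $Findings | ForEach-Object { Write-Output "[!] $_" } }
```

The HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion entry cannot be matched by name, because its value name is the malware's own file name; review the values directly under that key by hand.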
Other Details
This Trojan connects to the following possibly malicious URL:
- http://{BLOCKED}dvertisingfeed.com
It requires its main component to successfully perform its intended routine.