Trojan:JS/Medfos.B

Encyclopedia entry
Updated: Oct 03, 2012  |  Published: Sep 28, 2012

Aliases
Not available

Alert Level
Severe

Antimalware protection details
Microsoft recommends that you download the latest definitions to get protected.
Detection last updated:
  Definition: 1.145.1529.0
  Released: Mar 11, 2013
Detection initially created:
  Definition: 1.137.635.0
  Released: Sep 28, 2012

Summary

Trojan:JS/Medfos.B is a malicious JavaScript file that redirects search queries when using websites such as AOL, Ask, Bing, Google and Yahoo.

The trojan is usually installed by Trojan:Win32/Medfos.B as a Google Chrome browser extension. It is a member of the Win32/Medfos family.
Symptoms

System changes

The following system changes may indicate the presence of this malware:

  • The presence of a browser extension in Google Chrome that you did not install; in the wild the extension has been observed with the name "ChromeUpdateManager 1.0"
  • You are redirected to a website you did not intend to visit after performing an Internet search

Technical Information (Analysis)

Installation

In the wild, Trojan:JS/Medfos.B is usually dropped by Trojan:Win32/Medfos.B as "chromeupdate.crx" in the %LOCALAPPDATA% folder.

Note: %LOCALAPPDATA% refers to a variable location that is determined by the malware by querying the operating system. The default location for the Application Data folder for Windows 2000, XP, and 2003 is "C:\Documents and Settings\<user>\Local Settings\Application Data". For Windows Vista and 7, the default location is "C:\Users\<user>\AppData\Local".

The file is a Google Chrome browser extension package that disguises itself as a legitimate Chrome extension. The package contains the file "manager.js", which is the malicious JavaScript file detected as Trojan:JS/Medfos.B.

In the wild, we have observed the malware installed with the name "ChromeUpdateManager 1.0", as in the following image: 

Payload

Redirects search engine queries in Google Chrome

When using Google Chrome, the trojan redirects your browser if you attempt to either go to, or make a search in, the following search engines:

  • AOL
  • Ask
  • Bing
  • Google
  • Yahoo

As a result of this action, the malware may redirect you to pay-per-click advertising websites such as the following:

  • chrome-bulletin.com
  • disable-instant-search.com/js/
  • thechromeweb.com

Additional information

We have observed the "chromeupdate.crx" file also being dropped on computers that do not have Google Chrome installed.

The trojan uses one of the following uniform resource identifier (URI) formats to perform its search-redirection payload:

  • <destination domain>/feed?type={type}&user-agent={user_agent}&ip={random IP}&ref={website search}&uu={data}
  • <destination domain>/disable.js?type={type}&user-agent={user_agent}&ip={random IP}&ref={website search}&uu={data}

where the variables in braces can be interpreted as follows:

  • {type} can have the values "search", "empty", or "live"
  • {user_agent} can have the value "Mozilla/5.0+(Windows+NT+5.1)+AppleWebKit/534.30+(KHTML,+like+Gecko)+Chrome/12.0.742.112+Safari/534.30"
  • {random IP} is a randomly generated IP address
  • {website search} is the search engine's search URL, for example "hxxp://www.google.com/search?q=<search terms>"
  • {data} is predefined encoded data, for example "uu=3j061XjheaBFxWLZnrapAWcOJh+7b8N/ujR9z+A4kupuz1AQITQYv1jszyYxApv4MrtMs/yGGF76gUMNzuram+FBaaDBmgItTbpr7P+Vxo+MwpMtr52/VVM1lHUx4tH4AIkStzW7KRgYAaJIEXVjALNXZGPfauHjTx6EeT/R5HU=" or "gsu=NfF7jSUpyKikVPAJ1aTUscKzW4w+umXZ+Juqtt/8L7lgqwReb6Jg73Io2UnBUzUKEzjaaRkSjrAWjqc9RwZBloxzJaMUUn0a"

For example, the complete URI might look like the following:

hxxp://thechromeweb.com/feed?type=search&user-agent=Mozilla/5.0+(Windows+NT+5.1)+AppleWebKit/534.30+(KHTML,+like+Gecko)+Chrome/12.0.742.112+Safari/534.30&ip=84.30.155.70&ref=hxxp://www.google.com/search?q=&uu=3j061XjheaBFxWLZnrapAWcOJh+7b8N/ujR9z+A4kupuz1AQITQYv1jszyYxApv4MrtMs/yGGF76gUMNzuram+FBaaDBmgItTbpr7P+Vxo+MwpMtr52/VVM1lHUx4tH4AIkStzW7KRgYAaJIEXVjALNXZGPfauHjTx6EeT/R5HU=
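As an added example that is not part of the Microsoft entry, the following Python checker applies the beacon format above to proxy-log lines so that a defender can flag Medfos-style redirect requests rather than only block the listed domains. The path names, parameter names and {type} values come from the entry; the log format, the hosts example.test and redirector.example and the data blobs are constructed for the example.

```python
import ipaddress
from urllib.parse import urlparse, parse_qs

BEACON_PATHS = {"/feed", "/disable.js"}            # paths named in the entry
REQUIRED_PARAMS = {"type", "user-agent", "ip", "ref"}
DATA_PARAMS = ("uu", "gsu")                         # one of these carries the blob
TYPE_VALUES = {"search", "empty", "live"}
SEARCH_ENGINES = ("aol.com", "ask.com", "bing.com", "google.com", "yahoo.com")

def parse_beacon(url):
    """Return a dict describing a Medfos-style redirect beacon, or None."""
    parts = urlparse(url.replace("hxxp://", "http://"))  # un-defang, also inside ref=
    if parts.path not in BEACON_PATHS:
        return None
    # parse_qs splits on '&' then on the first '=', so an unencoded ref=...?q= value survives
    query = parse_qs(parts.query, keep_blank_values=True)
    if not REQUIRED_PARAMS.issubset(query) or not any(k in query for k in DATA_PARAMS):
        return None
    if query["type"][0] not in TYPE_VALUES:
        return None
    try:
        ipaddress.IPv4Address(query["ip"][0])  # the "random IP" field must parse as IPv4
    except ValueError:
        return None
    ref_host = (urlparse(query["ref"][0]).hostname or "").lower()
    return {
        "beacon_host": parts.hostname,
        "type": query["type"][0],
        "claimed_ip": query["ip"][0],
        "ref_host": ref_host,
        "ref_is_search_engine": any(ref_host == d or ref_host.endswith("." + d) for d in SEARCH_ENGINES),
        "data_param": next(k for k in DATA_PARAMS if k in query),
    }

def scan_proxy_log(lines):
    """Return [(client_ip, finding)] for constructed 'timestamp client url' log lines."""
    pairs = [(line.split()[1], parse_beacon(line.split()[2])) for line in lines]
    return [(client, finding) for client, finding in pairs if finding]

# Constructed log; example.test, redirector.example and the blobs are made up, the rest is from the entry
SAMPLE_LOG = [
    "2012-10-01T10:00:01 10.0.0.5 http://www.google.com/search?q=chrome+update",
    "2012-10-01T10:00:02 10.0.0.5 hxxp://thechromeweb.com/feed?type=search&user-agent="
    "Mozilla/5.0+(Windows+NT+5.1)&ip=84.30.155.70&ref=hxxp://www.google.com/search?q=&uu=AAAAexample/blob+==",
    "2012-10-01T10:00:03 10.0.0.7 http://example.test/feed?type=rss",
    "2012-10-01T10:00:04 10.0.0.9 http://redirector.example/disable.js?type=live&user-agent="
    "Mozilla/5.0&ip=999.1.1.1&ref=http://www.bing.com/&gsu=BBBB",
]
```

Only the second line is reported: the first is an ordinary search, the third lacks the beacon parameters, and the fourth carries an ip= value that is not a valid IPv4 address.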

Related encyclopedia entries

Trojan:Win32/Medfos.B

Win32/Medfos

Analysis by Ric Robielos
Prevention
Recovery

To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an appropriate, up-to-date, security solution. The following Microsoft products detect and remove this threat: