Trojan:Win32/Medfos.A is a trojan that attempts to download arbitrary files from websites such as "greatfilehosting.com" and "midifilehosting.com".
This trojan may have file properties that disguise it as a legitimate program file from "Sun Microsystems, Inc" or "Creative Technology Ltd". When Trojan:Win32/Medfos.A executes, it drops copies of the trojan as a randomly named file, as in the following examples:
The registry is modified to run the trojan file at each Windows start.
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "<value>"
To data: "rundll32.exe <path and file name of malware>,<character string>"
The following are examples of the registry data modification:
Sets value: "vcken"
To data: "rundll32.exe "c:\documents and settings\administrator\local settings\temp\vcken.dll",loadbitmapresize"
Sets value: "dshchl"
To data: "rundll32.exe "c:\documents and settings\administrator\local settings\temp\dshchl.dll",createvolumetexturefromfileexa"
Sets value: "hlobt"
To data: "rundll32.exe "c:\docume~1\admini~1\locals~1\temp\hlobt.dll",quaternionsquadsetup"
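As an added detection example (not part of the original write-up), the script below parses Run-key values for the rundll32 loading pattern shown above: a DLL in the user's temp folder, optionally written as an 8.3 short path, whose base name matches the value name. The Run values are embedded as a constructed sample rather than read from a live registry, and the benign "ctfmon" entry is constructed for contrast.

```python
import re
from typing import NamedTuple

# Constructed sample of HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run values:
# the three Medfos.A entries quoted in the write-up plus one constructed benign entry.
SAMPLE_RUN_VALUES = {
    "vcken": r'rundll32.exe "c:\documents and settings\administrator\local settings\temp\vcken.dll",loadbitmapresize',
    "dshchl": r'rundll32.exe "c:\documents and settings\administrator\local settings\temp\dshchl.dll",createvolumetexturefromfileexa',
    "hlobt": r'rundll32.exe "c:\docume~1\admini~1\locals~1\temp\hlobt.dll",quaternionsquadsetup',
    "ctfmon": r'C:\WINDOWS\system32\ctfmon.exe',  # constructed benign entry
}

# rundll32.exe <dll path>,<export>; the path may be quoted because it contains spaces.
RUNDLL_RE = re.compile(
    r'^\s*"?(?:[^"\s]*\\)?rundll32(?:\.exe)?"?\s+"?(?P<dll>[^",]+)"?\s*,\s*(?P<export>\S+)',
    re.IGNORECASE,
)

class Finding(NamedTuple):
    name: str
    dll: str
    export: str
    reasons: tuple

def assess_run_value(name: str, data: str):
    """Return a Finding if the Run value matches the Medfos-style rundll32 persistence, else None."""
    m = RUNDLL_RE.match(data)
    if not m:
        return None
    dll, export = m.group("dll"), m.group("export")
    low = dll.lower()
    reasons = []
    # Medfos.A drops its DLL into the user's temp folder; "locals~1\temp" is caught by the same test.
    if "\\temp\\" in low:
        reasons.append("dll loaded from a temp directory")
    # 8.3 short names ("docume~1") in a Run value are unusual for installed software.
    if "~" in low:
        reasons.append("8.3 short path in command line")
    # The value name equals the DLL base name (vcken -> vcken.dll) in every sample above.
    if low.rsplit("\\", 1)[-1] == f"{name.lower()}.dll":
        reasons.append("value name matches dll base name")
    return Finding(name, dll, export, tuple(reasons)) if reasons else None

def scan_run_values(values):
    """Apply assess_run_value to every (name, data) pair; return findings in key order."""
    return [f for f in (assess_run_value(n, d) for n, d in values.items()) if f]

if __name__ == "__main__":
    for f in scan_run_values(SAMPLE_RUN_VALUES):
        print(f"{f.name}: {f.dll} -> {f.export}: {'; '.join(f.reasons)}")
```

On a live host the same functions can be fed the output of a registry query of the Run key instead of the constructed sample.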
Communicates with a remote host
Trojan:Win32/Medfos.A connects to various remote servers using HTTP (port 80) and attempts to download arbitrary files. The trojan was observed to contact domains with the following suffixes:
At the time of this writing, the sites were unavailable for analysis.
Analysis by Hong Jia
There are no common symptoms associated with this threat. Alert notifications from installed antivirus software may be the only symptoms.