
Trojan:Win32/Medfos.A


Trojan:Win32/Medfos.A is a trojan that attempts to download arbitrary files from websites such as "greatfilehosting.com" and "midifilehosting.com".



What to do now

To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an appropriate, up-to-date security solution. The following Microsoft products detect and remove this threat:

For more information on antivirus software, see http://www.microsoft.com/windows/antivirus-partners/.

 

Threat behavior

Trojan:Win32/Medfos.A is a trojan that attempts to download arbitrary files from websites such as "greatfilehosting.com" and "midifilehosting.com".

Installation

This trojan may carry file version information (such as the company name) that disguises it as a legitimate program file from "Sun Microsystems, Inc" or "Creative Technology Ltd". When Trojan:Win32/Medfos.A executes, it drops a copy of itself as a randomly named DLL in the %TEMP% folder, as in the following examples:

  • %TEMP%\dshchl.dll
  • %TEMP%\vcken.dll
  • %TEMP%\hlobt.dll

The registry is modified so that rundll32.exe loads the dropped DLL and calls one of its exported functions at each Windows start. The export name after the comma is chosen by the malware and mimics the names of legitimate graphics API functions:

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "<value>"
To data: "rundll32.exe <path and file name of malware>,<export name>"

The following are examples of the registry data modification:

Sets value: "vcken"
To data: "rundll32.exe "c:\documents and settings\administrator\local settings\temp\vcken.dll",loadbitmapresize"

Sets value: "dshchl"
To data: "rundll32.exe "c:\documents and settings\administrator\local settings\temp\dshchl.dll",createvolumetexturefromfileexa"

Sets value: "hlobt"
To data: "rundll32.exe "c:\docume~1\admini~1\locals~1\temp\hlobt.dll",quaternionsquadsetup"
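To make the persistence check above concrete, the following added Python example (not part of this write-up and not a Microsoft tool) parses Run-key value data of the form shown, extracts the DLL path and the export name that rundll32.exe will call, and flags entries whose DLL sits under a temp directory, which is where this trojan drops its copies. The sample Run values are constructed for the example: the three from this write-up plus two benign-looking entries added for contrast. The regex accepts both a quoted long path and an unquoted 8.3 short path, since both appear in the examples above.

```python
"""Flag rundll32-based Run-key persistence that loads a DLL from a temp directory."""
import re
from dataclasses import dataclass
from typing import Optional

# Value data of the form: rundll32.exe "<dll path>",<export>
# The DLL path may be quoted (long form) or bare (e.g. an 8.3 short path such as c:\docume~1\...).
RUNDLL_RE = re.compile(
    r'^\s*"?(?P<exe>(?:[^"\s]*\\)?rundll32(?:\.exe)?)"?\s+'  # rundll32[.exe], optionally pathed/quoted
    r'(?:"(?P<qpath>[^"]+)"|(?P<upath>[^\s,]+))'              # DLL path, quoted or bare
    r'\s*,\s*(?P<export>[^\s]+)\s*$',                          # export name (or #ordinal) after the comma
    re.IGNORECASE,
)

# Directory names under which a DLL started from the Run key is suspicious.
TEMP_DIR_NAMES = {"temp", "tmp"}


@dataclass
class RunDllEntry:
    value_name: str
    dll_path: str
    export: str
    in_temp_dir: bool


def parse_rundll_entry(value_name: str, data: str) -> Optional[RunDllEntry]:
    """Return a RunDllEntry if `data` is a rundll32 launch line, otherwise None."""
    m = RUNDLL_RE.match(data)
    if not m:
        return None
    dll_path = m.group("qpath") or m.group("upath")
    # Directory components only (drop the file name); 8.3 paths still yield a 'temp' component.
    dirs = [p.lower() for p in re.split(r"[\\/]", dll_path)[:-1]]
    in_temp = any(d in TEMP_DIR_NAMES for d in dirs)
    return RunDllEntry(value_name, dll_path, m.group("export"), in_temp)


def find_suspicious(run_values: dict) -> list:
    """Return every rundll32 Run entry whose DLL lives under a temp directory."""
    hits = []
    for name, data in run_values.items():
        entry = parse_rundll_entry(name, data)
        if entry is not None and entry.in_temp_dir:
            hits.append(entry)
    return hits


# Constructed sample of HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run values:
# the three examples from the write-up plus two benign-looking entries (hypothetical).
SAMPLE_RUN_VALUES = {
    "vcken": r'rundll32.exe "c:\documents and settings\administrator\local settings\temp\vcken.dll",loadbitmapresize',
    "dshchl": r'rundll32.exe "c:\documents and settings\administrator\local settings\temp\dshchl.dll",createvolumetexturefromfileexa',
    "hlobt": r'rundll32.exe "c:\docume~1\admini~1\locals~1\temp\hlobt.dll",quaternionsquadsetup',
    "SomeVendorHelper": r'rundll32.exe "c:\program files\vendor\helper.dll",Startup',  # hypothetical benign entry
    "ctfmon": r'c:\windows\system32\ctfmon.exe',  # not a rundll32 line at all
}

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_RUN_VALUES):
        print(f"[!] {hit.value_name}: {hit.dll_path} -> export {hit.export}")
```

On a live host the same logic can be fed from the HKLM and HKCU Run keys (for example via `reg query` or PowerShell's `Get-ItemProperty`); the temp-directory heuristic is deliberately narrow so that vendor DLLs under Program Files are not flagged, and the extracted export name is what you would look up in the DLL's export table during triage.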

Payload

Communicates with a remote host

Trojan:Win32/Medfos.A connects to various remote servers over HTTP on TCP port 80 and attempts to download arbitrary files. The trojan was observed to contact domains with the following suffixes:

  • greatfilehosting.com
  • midifilehosting.com
  • filehostingdirect.net

At the time of this writing, the sites were unavailable for analysis.

Analysis by Hong Jia


Symptoms

There are no common symptoms associated with this threat. Alerts from installed antivirus software may be the only sign of infection.

Prevention


Alert level: Severe
First detected by definition: 1.123.132.0
Latest detected by definition: 1.173.2181.0 and higher
First detected on: Mar 22, 2012
This entry was first published on: Mar 22, 2012
This entry was updated on: Apr 27, 2012

This threat is also detected as:
  • TR/Medfos.A.213 (Avira)
  • Trojan.Win32.Midhos.cn (Kaspersky)
  • Generic Downloader.nb (McAfee)
  • Mal/EncPk-ZC (Sophos)