Trojan:JS/Medfos.A


Trojan:JS/Medfos.A is a malicious JavaScript that redirects search queries when you use search engines. It is installed as a malicious Mozilla Firefox extension.



What to do now

To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an appropriate, up-to-date security solution. The following Microsoft products detect and remove this threat:

You can also remove the malicious add-on by following these instructions from Mozilla.

Threat behavior

Installation

Trojan:JS/Medfos.A is typically installed by Trojan:Win32/Medfos.B as a Mozilla Firefox extension. It is usually installed in the file "%LOCALAPPDATA%\(random CLSID)\chrome\content\browser.xul".

If this extension is installed, it may use any of the following names:

  • Translate This! 2.0
  • Mozilla Safe Browsing 2.0.14
  • Mozilla Framework Assistant 3.0.1

Payload

Redirects Mozilla Firefox

When you browse with Mozilla Firefox, this malware may redirect you away from the URL you type in if you are trying to visit the AOL, Ask, Bing, Google, or Yahoo websites. It may redirect you to websites such as the following:


Analysis by Ricardo Robielos


Symptoms

System changes

The following system changes may indicate the presence of this malware:

  • If you have Mozilla Firefox installed on your computer, you may have any of the following extensions:
      • Translate This! 2.0
      • Mozilla Safe Browsing 2.0.14
      • Mozilla Framework Assistant 3.0.1
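As an added defender-side check that is not part of the original entry, the following Python script looks for the two indicators this entry gives: a CLSID-named folder under %LOCALAPPDATA% carrying chrome\content\browser.xul, and any file inside such a folder that mentions one of the three extension names. The folder layout it scans is constructed for the demonstration; the CLSID value and the file contents are made up.

```python
import os
import re
import tempfile

# Indicators taken from the entry above: the three extension names and the install
# path "%LOCALAPPDATA%\(random CLSID)\chrome\content\browser.xul".
MEDFOS_EXTENSION_NAMES = (
    "Translate This! 2.0",
    "Mozilla Safe Browsing 2.0.14",
    "Mozilla Framework Assistant 3.0.1",
)
CLSID_DIR = re.compile(r"^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)
XUL_RELPATH = os.path.join("chrome", "content", "browser.xul")


def find_medfos_indicators(localappdata):
    """Return (path, reason) pairs found in CLSID-named folders under localappdata."""
    hits = []
    for entry in sorted(os.listdir(localappdata)):
        top = os.path.join(localappdata, entry)
        if not (os.path.isdir(top) and CLSID_DIR.match(entry)):
            continue  # ordinary folders such as Microsoft\ are skipped
        xul = os.path.join(top, XUL_RELPATH)
        if os.path.isfile(xul):
            hits.append((xul, "browser.xul under CLSID-named folder"))
        for root, _dirs, files in os.walk(top):
            for name in files:
                path = os.path.join(root, name)
                try:  # read only the first 64 KiB; extension metadata files are small
                    with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                        text = fh.read(65536)
                except OSError:
                    continue
                for ext_name in MEDFOS_EXTENSION_NAMES:
                    if ext_name in text:
                        hits.append((path, "references extension name " + repr(ext_name)))
                        break
    return hits


def build_sample_tree():
    """Constructed, harmless look-alike of %LOCALAPPDATA% for a dry run (no real malware)."""
    base = tempfile.mkdtemp(prefix="medfos_demo_")
    bad = os.path.join(base, "{0A1B2C3D-0000-1111-2222-333344445555}", "chrome", "content")
    os.makedirs(bad)
    with open(os.path.join(bad, "browser.xul"), "w", encoding="utf-8") as fh:
        fh.write('<?xml version="1.0"?><overlay id="Mozilla Safe Browsing 2.0.14"/>\n')
    os.makedirs(os.path.join(base, "Microsoft", "Windows"))  # benign neighbour, ignored
    return base
```

Running `find_medfos_indicators(build_sample_tree())` returns two hits for the constructed tree, one for the browser.xul path and one for the extension name found inside it; on a real machine pass `os.environ["LOCALAPPDATA"]` instead.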


Prevention


Alert level: Severe
First detected by definition: 1.123.1079.0
Latest detected by definition: 1.143.2119.0 and higher
First detected on: Apr 04, 2012
This entry was first published on: Apr 04, 2012
This entry was updated on: Feb 26, 2013

This threat is also detected as:
  • JS/Redirector.NIQ trojan (ESET)
  • Trojan.JS.Medfos (Ikarus)