Trojan:Win32/Medfos.B


Trojan:Win32/Medfos.B is a trojan that redirects the web browsers Internet Explorer, Mozilla Firefox, or Google Chrome to other sites.

It is a member of the Win32/Medfos family.



What to do now

To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an appropriate, up-to-date security solution. The following Microsoft products detect and remove this threat:

Threat behavior

Trojan:Win32/Medfos.B is a trojan that redirects the web browsers Internet Explorer, Mozilla Firefox, or Google Chrome to other sites.

It is a member of the Win32/Medfos family.

Installation

Trojan:Win32/Medfos.B is typically installed by variants of Win32/Medfos, and is present as a DLL file in the %TEMP% folder, for example "%TEMP%\btpse.dll".

Note: %TEMP% refers to a variable location that is determined by the malware by querying the operating system. The default location for this folder on Windows 2000, XP, and 2003 is "C:\DOCUME~1\<user>\LOCALS~1\Temp". For Windows Vista and 7, the default location is "C:\Users\<user name>\AppData\Local\Temp".

The system registry is modified to run the trojan at each Windows start via "rundll32.exe", for example:

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "btpse"
With data: "rundll32.exe "c:\docume~1\admini~1\locals~1\temp\btpse.dll",startcompressbuffer"
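The persistence described above is a generic pattern worth checking for on any host: a Run-key value that starts "rundll32.exe" and points it at a DLL inside a per-user Temp folder. The following Python is an added example (not Microsoft's tooling or anything from this encyclopedia entry) that parses Run-key values in that command-line shape and flags the ones loading a DLL from Temp. The input dictionary is constructed for the example: the "btpse" value is the sample from this entry, the other two entries and their vendor names are hypothetical benign controls.

```python
from __future__ import annotations

import re
from typing import NamedTuple, Optional

# A rundll32 command line as it appears in Run-key data:
#   rundll32.exe "<dll path>",<export>    or    rundll32.exe <dll path>,<export>
# The executable may carry its own directory and quoting.
RUNDLL32_RE = re.compile(
    r'^\s*"?(?:.*\\)?rundll32(?:\.exe)?"?\s+"?(?P<dll>[^",]+?)"?\s*,\s*(?P<export>\S+)',
    re.IGNORECASE,
)

# Directory fragments that identify a per-user Temp folder, including the
# 8.3 short form (LOCALS~1\Temp) that this entry's sample value uses.
TEMP_DIR_MARKERS = (
    "\\locals~1\\temp\\",            # Windows 2000/XP/2003, short names
    "\\local settings\\temp\\",      # Windows 2000/XP/2003, long names
    "\\appdata\\local\\temp\\",      # Windows Vista/7
)


class Finding(NamedTuple):
    value_name: str
    dll_path: str
    export: str


def parse_rundll32(data: str) -> Optional[tuple[str, str]]:
    """Return (dll_path, export_name) if `data` is a rundll32 invocation, else None."""
    m = RUNDLL32_RE.match(data)
    if m is None:
        return None
    return m.group("dll"), m.group("export")


def loads_dll_from_temp(dll_path: str) -> bool:
    """True if the DLL lives under a per-user Temp directory."""
    lowered = dll_path.lower()
    return any(marker in lowered for marker in TEMP_DIR_MARKERS)


def suspicious_run_entries(run_values: dict[str, str]) -> list[Finding]:
    """Flag Run-key values that use rundll32.exe to load a DLL out of Temp."""
    findings: list[Finding] = []
    for name, data in run_values.items():
        parsed = parse_rundll32(data)
        if parsed is None:
            continue                      # not a rundll32 launcher at all
        dll, export = parsed
        if loads_dll_from_temp(dll):
            findings.append(Finding(name, dll, export))
    return findings


# Constructed input standing in for the values under
# HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
SAMPLE_RUN_VALUES = {
    # Sample value quoted in this entry's Installation section.
    "btpse": r'rundll32.exe "c:\docume~1\admini~1\locals~1\temp\btpse.dll",startcompressbuffer',
    # Hypothetical benign entries for contrast.
    "VendorTray": r'"C:\Program Files\Vendor\Tray.exe" /background',
    "PrintHelper": r'rundll32.exe "C:\Program Files\Vendor\printhelper.dll",Register',
}

if __name__ == "__main__":
    for f in suspicious_run_entries(SAMPLE_RUN_VALUES):
        print(f"Run value {f.value_name!r} loads {f.dll_path} via export {f.export}")
```

Only the "btpse" entry is reported: "PrintHelper" also uses rundll32.exe but loads from Program Files, so the Temp-directory check is what separates it. On a live host the dictionary would be filled from the Run key of both HKLM and HKCU; the parsing and the decision stay the same.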

Payload

Redirects Internet Explorer

When browsing the web using Internet Explorer, the malware may redirect the entered website address or searched queries to certain pay-per-click advertising websites such as the following:

  • googleppcfeed.com
  • highfeedstream.com
  • livefeedstream.com
  • marketingppcfeed.com
  • payviaclick.com
  • ppcstream.com
  • theppcfeed.com

The trojan redirects search queries to another site using one of the following uniform resource identifier (URI) methods:

  • <destination domain>/feed?type=live&ua=MSIE
  • <destination domain>/feed?type=<website search>&ua=MSIE

Redirects Mozilla Firefox

When browsing the web using Mozilla Firefox, the malware may redirect the entered website address or searched queries to certain pay-per-click advertising websites such as the following:

  • googleppcfeed.com
  • highfeedstream.com
  • livefeedstream.com
  • marketingppcfeed.com
  • payviaclick.com
  • ppcstream.com
  • theppcfeed.com

To enable this redirection, Trojan:Win32/Medfos.B installs a Mozilla Firefox extension at the following location:

  • %LOCALAPPDATA%\(random CLSID)\chrome\content\browser.xul - detected as Trojan:JS/Medfos.A

Note: %LOCALAPPDATA% refers to a variable location that is determined by the malware by querying the operating system. The default location for the Application Data folder for Windows 2000, XP, and 2003 is "C:\Documents and Settings\<user>\Local Settings\Application Data". For Windows Vista and 7, the default location is "C:\Users\<user>\AppData\Local".

The extension is visible as a Mozilla Firefox add-on named "Translate This! 2.0", as shown below:

The trojan redirects search queries to another site using the following URI method:

  • <destination domain>/feed.php?type={type}&ua=Firefox&ip={random IP}&ref={website search}&uu={data};

Redirects Google Chrome

When using Google Chrome, the trojan redirects your browser if you attempt to either go to, or make a search in, the following search engines:

  • AOL
  • Ask
  • Bing
  • Google
  • Yahoo

As a result of this action, the malware may redirect you to pay-per-click advertising websites such as the following:

  • chrome-bulletin.com
  • disable-instant-search.com/js/
  • thechromeweb.com
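The Internet Explorer, Firefox, and Chrome sections above give two kinds of network indicator: a fixed set of pay-per-click destination domains, and a redirect URI shape (/feed?type=...&ua=MSIE for Internet Explorer, /feed.php?type=...&ua=Firefox&ip=...&ref=...&uu=... for Firefox) that is visible even when the destination host is not in the list. The Python below is an added example, not part of this entry, that applies both checks to constructed proxy log lines of the form "<timestamp> <client-ip> <method> <url>"; the log format, client addresses, and the 203.0.113.7 / 198.51.100.4 addresses are invented for the example.

```python
from __future__ import annotations

from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Pay-per-click destinations listed in this entry's Payload section.
MEDFOS_DOMAINS = frozenset({
    "googleppcfeed.com", "highfeedstream.com", "livefeedstream.com",
    "marketingppcfeed.com", "payviaclick.com", "ppcstream.com", "theppcfeed.com",
    "chrome-bulletin.com", "disable-instant-search.com", "thechromeweb.com",
})

# Redirect URI shapes from this entry: the path plus the ua= and type= parameters.
FEED_PATHS = frozenset({"/feed", "/feed.php"})
FEED_USER_AGENT_TAGS = frozenset({"MSIE", "Firefox"})


def classify_url(url: str) -> Optional[str]:
    """Return 'known-domain', 'feed-pattern', or None for a URL."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    bare = host[4:] if host.startswith("www.") else host
    # Exact match or subdomain of a listed destination.
    if bare in MEDFOS_DOMAINS or any(bare.endswith("." + d) for d in MEDFOS_DOMAINS):
        return "known-domain"
    # Structural match on the redirect URI, independent of host.
    query = parse_qs(parts.query)
    if parts.path in FEED_PATHS and "type" in query and set(query.get("ua", [])) & FEED_USER_AGENT_TAGS:
        return "feed-pattern"
    return None


def scan_log(lines: list[str]) -> list[tuple[str, str, str]]:
    """Return (client_ip, url, verdict) for every log line that matches an indicator."""
    hits: list[tuple[str, str, str]] = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue                      # malformed line, skip rather than guess
        client_ip, url = fields[1], fields[3]
        verdict = classify_url(url)
        if verdict is not None:
            hits.append((client_ip, url, verdict))
    return hits


# Constructed proxy log: "<timestamp> <client-ip> <method> <url>".
SAMPLE_LOG = [
    "2012-03-28T10:15:02Z 10.0.0.15 GET http://www.example.com/index.html",
    "2012-03-28T10:15:09Z 10.0.0.15 GET http://livefeedstream.com/feed?type=live&ua=MSIE",
    "2012-03-28T10:16:44Z 10.0.0.22 GET http://203.0.113.7/feed.php?type=1&ua=Firefox&ip=198.51.100.4&ref=cheap+flights&uu=abc",
    "2012-03-28T10:17:01Z 10.0.0.22 GET http://www.bing.com/search?q=cheap+flights",
    "2012-03-28T10:17:30Z 10.0.0.31 GET http://disable-instant-search.com/js/",
]

if __name__ == "__main__":
    for client_ip, url, verdict in scan_log(SAMPLE_LOG):
        print(f"{client_ip}  {verdict:13s}  {url}")
```

The third sample line is the reason for the structural check: its host is a bare IP address that no domain list would catch, but the /feed.php path with type= and ua=Firefox still identifies it as the Firefox redirect shape. The Bing search on the fourth line is the user's own query and is correctly left alone.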

To enable this redirection, Trojan:Win32/Medfos.B drops the file "chromeupdate.crx" in the %LOCALAPPDATA% folder.

The file is a Google Chrome browser extension package that disguises itself as a legitimate Chrome extension. The package contains the file "manager.js", which is the malicious JavaScript file detected as Trojan:JS/Medfos.B.

In the wild, we have observed the malware installed with the name "ChromeUpdateManager 1.0", as in the following image: 

Related encyclopedia entries

Trojan:JS/Medfos.A

Trojan:JS/Medfos.B

Win32/Medfos

Analysis by Ric Robielos


Symptoms

System changes

The following system changes may indicate the presence of this malware:

  • When entering search queries, you are redirected to one of the following pay-per-click sites:
    • chrome-bulletin.com
    • disable-instant-search.com/js/
    • googleppcfeed.com
    • highfeedstream.com
    • livefeedstream.com
    • marketingppcfeed.com
    • payviaclick.com
    • ppcstream.com
    • thechromeweb.com
    • theppcfeed.com
  • The presence of the following browser extension in Mozilla Firefox:
    • "Translate This! 2.0"
  • The presence of the following browser extension in Google Chrome:
    • "ChromeUpdateManager 1.0"

Prevention


Alert level: Severe
First detected by definition: 1.123.554.0
Latest detected by definition: 1.185.2069.0 and higher
First detected on: Mar 28, 2012
This entry was first published on: Mar 29, 2012
This entry was updated on: Oct 03, 2012

This threat is also detected as:
No known aliases