Trojan:JS/Medfos.B


Microsoft security software detects and removes this threat.

Trojan:JS/Medfos.B is a malicious JavaScript file that redirects search queries when you search online using AOL, Ask, Bing, Google or Yahoo.

The trojan is usually installed by Trojan:Win32/Medfos.B as a Google Chrome browser extension called "ChromeUpdateManager 1.0". It is a member of the Win32/Medfos family, a family of trojans that install malicious extensions for Internet browsers and redirect search engine results.



What to do now

To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an up-to-date security product. The following Microsoft products detect and remove this threat:

Threat behavior

Installation

In the wild, Trojan:JS/Medfos.B is usually dropped by Trojan:Win32/Medfos.B as "chromeupdate.crx" in the %LOCALAPPDATA% folder.

The file is a Google Chrome extension package (.crx) that poses as a legitimate extension. The package contains the file "manager.js", which is the malicious JavaScript file detected as Trojan:JS/Medfos.B.

We have observed the malware installed with the name "ChromeUpdateManager 1.0", as in the following image: 
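The following triage script is an added example and is not part of the encyclopedia entry or of Microsoft's tooling. It splits a .crx package into its header, key, signature and embedded ZIP, reads manifest.json, and flags the two indicators the entry gives: an extension named "ChromeUpdateManager" and a bundled "manager.js". It assumes the package uses the CRX version-2 container that Chrome used in 2012 (the entry does not state the container version), and the sample package it builds is constructed here, with zero-filled key and signature placeholders, not the real chromeupdate.crx.

```python
import hashlib
import io
import json
import struct
import zipfile

CRX_MAGIC = b"Cr24"
SUSPICIOUS_NAME = "ChromeUpdateManager"   # extension name reported in the entry
SUSPICIOUS_FILE = "manager.js"            # script inside chromeupdate.crx detected as Trojan:JS/Medfos.B


def parse_crx2(data: bytes) -> dict:
    """Split a CRX version-2 package into its header fields and the embedded ZIP.

    CRX2 layout (the container Chrome used in 2012):
      "Cr24" | version u32 LE | pubkey_len u32 LE | sig_len u32 LE | pubkey | signature | ZIP
    Assumption: the sample is CRX2; the entry does not say which container version it uses.
    """
    if len(data) < 16 or data[:4] != CRX_MAGIC:
        raise ValueError("not a CRX package (bad magic)")
    version, pubkey_len, sig_len = struct.unpack_from("<III", data, 4)
    if version != 2:
        raise ValueError(f"unsupported CRX version {version}")
    off = 16
    pubkey = data[off:off + pubkey_len]
    off += pubkey_len
    signature = data[off:off + sig_len]
    off += sig_len
    return {"version": version, "pubkey": pubkey, "signature": signature, "zip": data[off:]}


def extension_id(pubkey: bytes) -> str:
    """Chrome derives the extension ID from SHA-256 of the DER public key:
    the first 128 bits, with each hex digit mapped 0-9a-f -> a-p. Useful for
    matching the package against folders under the profile's Extensions directory."""
    digest = hashlib.sha256(pubkey).hexdigest()[:32]
    return "".join(chr(ord("a") + int(c, 16)) for c in digest)


def triage_crx(data: bytes) -> dict:
    """Open the embedded ZIP, read manifest.json and flag the Medfos indicators."""
    parts = parse_crx2(data)
    with zipfile.ZipFile(io.BytesIO(parts["zip"])) as zf:
        names = zf.namelist()
        manifest = json.loads(zf.read("manifest.json"))
        # Every script the package ships; background/content scripts carry the payload.
        scripts = sorted(n for n in names if n.endswith(".js"))
    name = str(manifest.get("name", ""))
    indicators = []
    if name.startswith(SUSPICIOUS_NAME):
        indicators.append(f"manifest name {name!r}")
    if SUSPICIOUS_FILE in names:
        indicators.append(f"contains {SUSPICIOUS_FILE}")
    return {
        "id": extension_id(parts["pubkey"]),
        "name": name,
        "version": str(manifest.get("version", "")),
        "files": names,
        "scripts": scripts,
        "indicators": indicators,
        "suspicious": bool(indicators),
    }


def build_sample_crx() -> bytes:
    """Constructed CRX2 package mimicking the layout the entry describes.

    Test input built here, not the real chromeupdate.crx: the key and signature
    are zero-filled placeholders and manager.js is a one-line stub.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("manifest.json", json.dumps({
            "name": SUSPICIOUS_NAME,
            "version": "1.0",
            "background_page": "background.html",
        }))
        zf.writestr("background.html", "<script src='manager.js'></script>")
        zf.writestr("manager.js", "// stub; the real file is the script detected as Trojan:JS/Medfos.B\n")
    zip_bytes = buf.getvalue()
    pubkey = b"\x00" * 162      # placeholder, not a real DER-encoded RSA key
    signature = b"\x00" * 128   # placeholder, not a real RSA signature
    header = CRX_MAGIC + struct.pack("<III", 2, len(pubkey), len(signature))
    return header + pubkey + signature + zip_bytes


if __name__ == "__main__":
    print(json.dumps(triage_crx(build_sample_crx()), indent=2))
```

The header split matters for triage because the ZIP inside a .crx starts at a variable offset: tools that only look for the "PK" signature at the start of the file miss the package entirely, and the public key is what lets you derive the ID Chrome will assign the extension when the dropper installs it.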

Payload
Redirects search engine queries in Google Chrome

If you are using Google Chrome, the trojan redirects your browser if you attempt to either go to, or make a search using, the following search engines:

  • AOL
  • Ask
  • Bing
  • Google
  • Yahoo

This can result in the search being redirected to pay-per-click advertising websites such as the following:

  • chrome-bulletin.com
  • disable-instant-search.com/js/
  • thechromeweb.com

Additional information

We have observed the "chromeupdate.crx" file also being dropped on computers that do not have Google Chrome installed.

The trojan uses one of the following uniform resource identifier (URI) patterns to perform its search-redirection payload:

  • <destination domain>/feed?type={type}&user-agent={user_agent}&ip={random IP}&ref={website search}&uu={data}
  • <destination domain>/disable.js?type={type}&user-agent={user_agent}&ip={random IP}&ref={website search}&uu={data}

where the variables are as follows:

  • {type} can have the values "search", "empty" or "live"
  • {user_agent} can have the value "Mozilla/5.0+(Windows+NT+5.1)+AppleWebKit/534.30+(KHTML,+like+Gecko)+Chrome/12.0.742.112+Safari/534.30"
  • {random IP} is a randomly generated IP address
  • {website search} is the search engine's search URL, for example "hxxp://www.google.com/search?q=<search terms>"
  • {data} is predefined encoded data, sent as either a "uu" or a "gsu" parameter, for example "uu=3j061XjheaBFxWLZnrapAWcOJh+7b8N/ujR9z+A4kupuz1AQITQYv1jszyYxApv4MrtMs/yGGF76gUMNzuram+FBaaDBmgItTbpr7P+Vxo+MwpMtr52/VVM1lHUx4tH4AIkStzW7KRgYAaJIEXVjALNXZGPfauHjTx6EeT/R5HU=" or "gsu=NfF7jSUpyKikVPAJ1aTUscKzW4w+umXZ+Juqtt/8L7lgqwReb6Jg73Io2UnBUzUKEzjaaRkSjrAWjqc9RwZBloxzJaMUUn0a"

For example, the complete URI might look like the following:

hxxp://thechromeweb.com/feed?type=search&user-agent=Mozilla/5.0+(Windows+NT+5.1)+AppleWebKit/534.30+(KHTML,+like+Gecko)+Chrome/12.0.742.112+Safari/534.30&ip=84.30.155.70&ref=hxxp://www.google.com/search?q=&uu=3j061XjheaBFxWLZnrapAWcOJh+7b8N/ujR9z+A4kupuz1AQITQYv1jszyYxApv4MrtMs/yGGF76gUMNzuram+FBaaDBmgItTbpr7P+Vxo+MwpMtr52/VVM1lHUx4tH4AIkStzW7KRgYAaJIEXVjALNXZGPfauHjTx6EeT/R5HU=
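The detection logic below is an added example, not part of the entry, written to turn the URI pattern above into something that can be run over proxy or DNS logs. It matches on two independent tests: the destination host is one of the three domains the entry lists, or the request has the beacon shape (a /feed or /disable.js path, the type/user-agent/ip/ref parameters, a type value from the documented set, and a uu or gsu blob). The second test generalises beyond the text: it also flags the same pattern on domains the entry does not name. The log format ("<timestamp> <client-ip> <method> <url>") and the four log lines are constructed here; line two is the complete URI quoted in the entry with hxxp restored to http.

```python
import ipaddress
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Indicators taken from the entry.
MEDFOS_DOMAINS = {"chrome-bulletin.com", "disable-instant-search.com", "thechromeweb.com"}
MEDFOS_PATHS = {"/feed", "/disable.js"}
MEDFOS_TYPES = {"search", "empty", "live"}
REQUIRED_PARAMS = {"type", "user-agent", "ip", "ref"}
PAYLOAD_PARAMS = ("uu", "gsu")


def classify_url(url: str) -> Optional[dict]:
    """Return a hit record if url looks like a Medfos redirect beacon, else None."""
    u = urlsplit(url)
    host = (u.hostname or "").lower()
    query = parse_qs(u.query, keep_blank_values=True)   # ref= is the last '&'-delimited pair before uu/gsu
    known = host in MEDFOS_DOMAINS
    has_shape = (
        u.path in MEDFOS_PATHS
        and REQUIRED_PARAMS.issubset(query)
        and query["type"][0] in MEDFOS_TYPES
        and any(p in query for p in PAYLOAD_PARAMS)
    )
    if not (known or has_shape):
        return None
    ref = query.get("ref", [""])[0]
    ip_str = query.get("ip", [""])[0]
    try:
        ipaddress.ip_address(ip_str)   # the ip= value is random; it need not be a valid address
        ip_ok = True
    except ValueError:
        ip_ok = False
    ref_parts = urlsplit(ref)
    ref_query = parse_qs(ref_parts.query, keep_blank_values=True)
    return {
        "url": url,
        "host": host,
        "verdict": "known-domain" if known else "pattern-match",
        "type": query.get("type", [None])[0],
        "search_engine": ref_parts.hostname,
        # q= on Google, Bing, Ask and AOL; Yahoo uses p=
        "search_terms": ref_query.get("q", ref_query.get("p", [None]))[0],
        "ip_is_valid": ip_ok,
        "has_payload_blob": any(p in query for p in PAYLOAD_PARAMS),
    }


def scan_proxy_log(lines) -> list:
    """Run classify_url over lines of the constructed form
    '<timestamp> <client-ip> <method> <url>' and return the hits in order."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue
        hit = classify_url(fields[3])
        if hit:
            hit["client"] = fields[1]
            hits.append(hit)
    return hits


# Constructed sample log, not real traffic. Line 2 is the entry's example URI
# (hxxp -> http); line 3 is the same beacon shape on a host the entry does not list.
SAMPLE_LOG = [
    "2012-09-28T10:00:01 10.0.0.5 GET http://www.google.com/search?q=chrome+update",
    "2012-09-28T10:00:02 10.0.0.5 GET http://thechromeweb.com/feed?type=search&user-agent=Mozilla/5.0+(Windows+NT+5.1)+AppleWebKit/534.30+(KHTML,+like+Gecko)+Chrome/12.0.742.112+Safari/534.30&ip=84.30.155.70&ref=http://www.google.com/search?q=&uu=3j061XjheaBFxWLZnrapAWcOJh+7b8N/ujR9z+A4kupuz1AQITQYv1jszyYxApv4MrtMs/yGGF76gUMNzuram+FBaaDBmgItTbpr7P+Vxo+MwpMtr52/VVM1lHUx4tH4AIkStzW7KRgYAaJIEXVjALNXZGPfauHjTx6EeT/R5HU=",
    "2012-09-28T10:00:03 10.0.0.7 GET http://example.invalid/disable.js?type=live&user-agent=Mozilla/5.0&ip=999.1.2.3&ref=http://www.bing.com/search?q=firewall&gsu=NfF7jSUpyKik",
    "2012-09-28T10:00:04 10.0.0.7 GET http://news.example.invalid/feed?format=rss",
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(hit["client"], hit["verdict"], hit["host"], hit["search_engine"], repr(hit["search_terms"]))
```

Because the ref= value is the victim's real search URL, each hit also tells you which engine and which query terms were intercepted, which is what you need to scope how long a host has been redirecting. A plain /feed URL with unrelated parameters (line four) is ignored, so RSS traffic does not trip the shape test.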

Related encyclopedia entries

Trojan:Win32/Medfos.B

Win32/Medfos

Analysis by Ric Robielos


Symptoms

System changes

The following system changes may indicate the presence of this malware:

  • The presence of the browser extension "ChromeUpdateManager 1.0" in Google Chrome
  • You are redirected to a website you did not intend to visit after performing an Internet search

Prevention


Alert level: Severe
First detected by definition: 1.137.635.0
Latest detected by definition: 1.145.1529.0 and higher
First detected on: Sep 28, 2012
This entry was first published on: Sep 28, 2012
This entry was updated on: Aug 15, 2013

This threat is also detected as:
No known aliases