Trojan:Win32/Medfos.A is a trojan that attempts to download arbitrary files from websites such as "greatfilehosting.com" and "midifilehosting.com".
This trojan may have file properties that disguise it as a legitimate program file from "Sun Microsystems, Inc" or "Creative Technology Ltd". When Trojan:Win32/Medfos.A executes, it drops copies of the trojan as a randomly named file, as in the following examples:
The registry is modified to run the trojan file at each Windows start.
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "<value>"
To data: "rundll32.exe <path and file name of malware>,<character string>"
The following are examples of the registry data modification:
Sets value: "vcken"
To data: "rundll32.exe "c:\documents and settings\administrator\local settings\temp\vcken.dll",loadbitmapresize"
Sets value: "dshchl"
To data: "rundll32.exe "c:\documents and settings\administrator\local settings\temp\dshchl.dll",createvolumetexturefromfileexa"
Sets value: "hlobt"
To data: "rundll32.exe "c:\docume~1\admini~1\locals~1\temp\hlobt.dll",quaternionsquadsetup"
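The persistence entries above share a recognisable shape: a Run value whose data invokes rundll32.exe on a DLL dropped in the user's temp directory (in either the long-name or the 8.3 short-name form, as in "locals~1\temp"), followed by an arbitrary export name. The following Python is an added example, not part of the advisory, that parses Run-value data of this form and flags entries loading a DLL from a temp directory; the sample values are constructed from the entries listed above plus two constructed benign entries, and the set of temp-directory markers is an assumption.

```python
import re
from typing import NamedTuple, Optional

# Constructed sample Run-key data: the three entries from the advisory plus two benign ones.
SAMPLE_RUN_VALUES = {
    "vcken": r'rundll32.exe "c:\documents and settings\administrator\local settings\temp\vcken.dll",loadbitmapresize',
    "dshchl": r'rundll32.exe "c:\documents and settings\administrator\local settings\temp\dshchl.dll",createvolumetexturefromfileexa',
    "hlobt": r'rundll32.exe "c:\docume~1\admini~1\locals~1\temp\hlobt.dll",quaternionsquadsetup',
    "SoundMAX": r'"c:\program files\analog devices\core\smax4pnp.exe"',   # constructed benign entry, not rundll32
    "NvCpl": r'rundll32.exe c:\windows\system32\nvcpl.dll,NvStartup',     # constructed benign rundll32 entry
}

class RunDllEntry(NamedTuple):
    dll_path: str
    export: str

# rundll32 command line: optional path to rundll32, then a quoted or bare DLL path, a comma, and the export name.
_RUNDLL_RE = re.compile(
    r'^\s*"?(?:[a-z]:\\[^"]*\\)?rundll32(?:\.exe)?"?\s+'
    r'(?:"(?P<quoted>[^"]+)"|(?P<bare>[^,\s]+))'
    r'\s*,\s*(?P<export>\S+)',
    re.IGNORECASE,
)

# Temp-directory markers in long and 8.3 short-name forms (assumption: this list is illustrative, not exhaustive).
_TEMP_DIR_RE = re.compile(
    r'\\(local settings|locals~\d)\\temp\\|\\appdata\\local\\temp\\|\\windows\\temp\\',
    re.IGNORECASE,
)

def parse_rundll32(data: str) -> Optional[RunDllEntry]:
    """Return the DLL path and export name from rundll32 Run-value data, or None if it is not a rundll32 entry."""
    m = _RUNDLL_RE.match(data)
    if not m:
        return None
    return RunDllEntry((m.group("quoted") or m.group("bare")).lower(), m.group("export").lower())

def is_suspicious(data: str) -> bool:
    """True when the Run value uses rundll32 to load a DLL that lives in a temp directory."""
    entry = parse_rundll32(data)
    return entry is not None and _TEMP_DIR_RE.search(entry.dll_path) is not None

def flag_run_values(values: dict) -> list:
    """Return the sorted names of Run values that match the persistence pattern described above."""
    return sorted(name for name, data in values.items() if is_suspicious(data))

if __name__ == "__main__":
    print(flag_run_values(SAMPLE_RUN_VALUES))  # ['dshchl', 'hlobt', 'vcken']
```

On a live Windows host the same functions can be applied to the value data read from the Run key with the standard-library winreg module.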
Communicates with a remote host
Trojan:Win32/Medfos.A connects to various remote servers using the HTTP protocol (port 80) and attempts to download arbitrary files. The trojan was observed to contact domains with the following suffixes:
At the time of this writing, the sites were unavailable for analysis.
Analysis by Hong Jia