Trojan:Win32/Medfos.X


Trojan:Win32/Medfos.X is a trojan that is used to drive Internet traffic to specific websites without your consent.

It retrieves information from a remote website, specifically search keywords and the websites to direct your computer to.



What to do now

To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an appropriate, up-to-date security solution. The following Microsoft products detect and remove this threat:

Threat behavior

Trojan:Win32/Medfos.X is a trojan that is used to drive Internet traffic to specific websites without your consent.

It retrieves information from a remote website, specifically search keywords and the websites to direct your computer to. It then performs simulated clicks and accesses advertisements on those sites, a method often used to inflate traffic to a specific website.

Installation

Trojan:Win32/Medfos.X can be dropped and executed by other malware, or you may encounter it when you visit a compromised website.

It creates a registry key to ensure that it runs each time you start your computer:

In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "<malware file>" 
With data: " %AppData%\<malware file>.dll,<exported function> "

The malware file name and exported function may change; in the wild, we have observed Trojan:Win32/Medfos.X using the file name "prete", and any of the following exported functions:

  • FlagsFilename
  • GetFuncDesc
  • ImportWarning
  • RealAsDouble
  • write_row

Payload

Monitors Internet activity

It also hooks the following API functions in processes such as Internet Explorer to monitor your Internet activity:

  • CreateProcessAsUserW
  • CreateFileW
  • CreateProcessW
  • LoadLibraryW
  • WriteFile

Contacts remote hosts

Trojan:Win32/Medfos.X connects to various remote servers over HTTP (port 80) and attempts to retrieve search keywords to submit to search engines, with the aim of influencing their algorithms for ranking websites.

The trojan has been observed contacting domains with the following suffixes:

  • 11va1l4.<BLOCKED>4reporting<dot>com
  • 11va1n4<BLOCKED>online<dot>com
  • m<BLOCKED>reporter<dot>com

Analysis by Zarestel Ferrer


Symptoms

System changes

The following system changes may indicate the presence of this malware:

  • The presence of the following registry modification:

    In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    Sets value: "<malware file>" 
    With data: " %AppData%\<malware file>.dll,<exported function> "
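As a defender's check for the registry indicator above, here is an added PowerShell example (not part of the Microsoft entry): it enumerates the HKLM and HKCU Run keys and flags any value whose data is a DLL under %AppData% followed by an exported function name, the form shown in the Installation and Symptoms sections. The regular expression, the constructed sample strings (including the user name "alice") and the output fields are assumptions of this example.

```powershell
# Added example, not code from the Microsoft encyclopedia entry.
# Looks for Run-key values of the form "<AppData path>\<name>.dll,<export>",
# the rundll32-style persistence entry that Medfos.X is described as creating.

$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',   # key named in the entry
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'    # per-user equivalent (assumed worth checking)
)

# Matches an optional quote/space, an AppData path (either the literal %AppData%
# variable or the expanded Roaming folder), a .dll file name, a comma, and an
# identifier-like exported function name. Pattern is this example's own.
$pattern = '^\s*"?\s*(?:%AppData%|[A-Z]:\\Users\\[^\\]+\\AppData\\Roaming)\\[^\\",]+\.dll\s*,\s*[A-Za-z_][A-Za-z0-9_]*\s*"?\s*$'

function Get-SuspiciousRunEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item -Path $key
        foreach ($name in $item.GetValueNames()) {
            # Read the raw data so a REG_EXPAND_SZ "%AppData%" is not expanded before matching.
            $data = [string]$item.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
            if ($data -match $pattern) {
                [pscustomobject]@{
                    Key    = $key
                    Value  = $name
                    Data   = $data
                    Reason = 'DLL under %AppData% loaded via exported function (Medfos.X-style persistence)'
                }
            }
        }
    }
}

# Constructed sample data showing what the pattern does and does not flag.
$samples = @(
    '" %AppData%\prete.dll,GetFuncDesc "',                  # observed Medfos.X form: flagged
    'C:\Users\alice\AppData\Roaming\prete.dll,write_row',   # expanded-path form: flagged
    '"C:\Program Files\Vendor\app.exe" /background'         # ordinary Run entry: not flagged
)
$samples | ForEach-Object { [pscustomobject]@{ Data = $_; Flagged = ($_ -match $pattern) } } | Format-Table -AutoSize

# Scan the live registry of the machine the script runs on.
Get-SuspiciousRunEntries | Format-Table -AutoSize
```

A hit is a lead, not a verdict: confirm by checking whether the referenced DLL exists under the user's AppData folder and whether its exports include the named function before treating the machine as infected.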

Prevention


Alert level: Severe
First detected by definition: 1.141.1241.0
Latest detected by definition: 1.199.2337.0 and higher
First detected on: Dec 06, 2012
This entry was first published on: Dec 06, 2012
This entry was updated on: Feb 01, 2013

This threat is also detected as:
No known aliases