Win32/Medfos [Threat Name]
Win32/Medfos.E [Threat Variant Name]
Category: trojan
Size: 112128 B
Aliases: Trojan:Win32/Medfos.A (Microsoft)
Short description
Win32/Medfos.E is a trojan which tries to download other malware from the Internet.
Installation
When executed, the trojan creates the following files:
- %temp%\%variable%.dll (112128 B, Win32/Medfos.E)
The file is then executed.
A string with variable content is used instead of %variable%.
In order to be executed on every system start, the trojan sets the following Registry entry:
- [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
- "%variable%" = "rundll32.exe "%temp%\%variable%.dll", VecSaveMemory"
After the installation is complete, the trojan deletes the original executable file.
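As an added defender-side example that is not part of the ESET description, the Python below flags Run-key values of the shape listed above (rundll32.exe loading a DLL from %temp% through a named export) in the text output of `reg query`; the value name "xkqmvtru", the expanded temp-directory forms and the sample output are constructed assumptions, while VecSaveMemory is the export named in the description.

```python
import re
from typing import List, Optional, Tuple

# rundll32[.exe] <dll>,<export>, with optional path and quotes around either part.
RUNDLL32_RE = re.compile(
    r'^\s*"?(?:[^\s"]*\\)?rundll32(?:\.exe)?"?\s+"?(?P<dll>[^",]+?)"?\s*,\s*(?P<export>\S+)',
    re.IGNORECASE,
)
# Directories a Run-key DLL should not normally live in: %temp% is the path given in the
# Medfos.E description; the two expanded forms are assumed equivalents added here.
TEMP_DIRS = (r"%temp%\\", r"\\appdata\\local\\temp\\", r"\\windows\\temp\\")
# One value line of `reg query ...\Run` output: <name>  REG_SZ|REG_EXPAND_SZ  <data>
REG_LINE_RE = re.compile(r"^\s*(?P<name>\S+)\s+REG_(?:EXPAND_)?SZ\s+(?P<data>.+?)\s*$")

def parse_rundll32_command(data: str) -> Optional[Tuple[str, str]]:
    """Return (dll_path, export) when `data` is a rundll32 launch line, else None."""
    m = RUNDLL32_RE.match(data)
    return (m.group("dll").strip(), m.group("export")) if m else None

def is_suspicious_run_value(data: str) -> bool:
    """True when the value runs rundll32 against a DLL stored in a temp directory."""
    parsed = parse_rundll32_command(data)
    if parsed is None:
        return False
    return any(re.search(p, parsed[0].lower()) for p in TEMP_DIRS)

def find_suspicious_run_entries(reg_query_output: str) -> List[Tuple[str, str, str]]:
    """Scan `reg query` text and return (value_name, dll_path, export) for each hit."""
    hits = []
    for line in reg_query_output.splitlines():
        m = REG_LINE_RE.match(line)
        if m and is_suspicious_run_value(m.group("data")):
            dll, export = parse_rundll32_command(m.group("data"))
            hits.append((m.group("name"), dll, export))
    return hits

# Constructed sample of `reg query HKLM\...\Run` output. "xkqmvtru" is a made-up
# stand-in for the random %variable% name; VecSaveMemory is the export from the description.
SAMPLE_REG_QUERY = r"""HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    ctfmon            REG_SZ           C:\Windows\System32\ctfmon.exe
    xkqmvtru          REG_SZ           rundll32.exe "%temp%\xkqmvtru.dll", VecSaveMemory
"""

if __name__ == "__main__":
    for name, dll, export in find_suspicious_run_entries(SAMPLE_REG_QUERY):
        print(f"suspicious Run value {name!r}: rundll32 loads {dll} export {export}")
```

Feed it the saved output of `reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run` (and the HKCU equivalent) from a host under investigation; a rundll32 entry under %temp% is also a reasonable condition for a registry-modification alert in endpoint telemetry.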
The trojan creates and runs a new thread with its own program code within the following processes:
- iexplore.exe
- firefox.exe
Other information
The trojan contains a URL.
It tries to download a file from that address. The downloaded file is then executed.
It can send various information about the infected computer to the attacker. The HTTP protocol is used.