Win32/Medfos [Threat Name] go to Threat

Win32/Medfos.E [Threat Variant Name]

Category trojan
Size 112128 B
Aliases Trojan:Win32/Medfos.A (Microsoft)
Short description

Win32/Medfos.E is a trojan which tries to download other malware from the Internet.


When executed, the trojan creates the following files:

  • %temp%\­%variable%.dll (112128 B, Win32/Medfos.E)

The file is then executed.

A string with variable content is used instead of %variable% .

In order to be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_LOCAL_MACHINE\­Software\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "%variable%" = "rundll32.exe "%temp%\­%variable%.dll", VecSaveMemory"

After the installation is complete, the trojan deletes the original executable file.

The trojan creates and runs a new thread with its own program code within the following processes:

  • iexplore.exe
  • firefox.exe
Other information

The trojan contains an URL address.

It tries to download a file from the address. The file is then executed.

It can send various information about the infected computer to an attacker. The HTTP protocol is used.

Please enable Javascript to ensure correct displaying of this content and refresh this page.