Microsoft Corporation announces a new family of “Win32/Medfos” viruses, which last several months actively spreading around the world. The virus to infect the system normally uses the component of loader, which is distributed by several different methods. Thus, attackers often use compromised web-sites to redirect users to a page with exploits, as well as appeal to the owners of already deployed botnets and viruses onto previously compromised system.
Medfos bootable component is installed in the %AppData% folder and adds its entries in the registry to complicate its detection.
After the initial installation of the virus in the system, he download and install additional components with help of the server-command. The main objective of this component, as well as all of the virus as a whole, is to replace the search results on the Internet.
To perform its function Medfos is injected into the running browser processes, and can do so in various ways. Thus, the core module of the virus can be introduced into the process of Internet Explorer, which does not allow the user to identify malicious activity. In other browsers, for example, Mozilla Firefox, malware inserts its own plug-in, which at first glance looks legitimate and useful function.
If the user of an infected system requests a search on one of the popular search engines, command server receives the data, as the contents of the query, and use of the search engine. After that, the user’s system go to a URL address that sends the C&C server.
The notification from Microsoft can be found here.
– TR/Midhos (Avira);
– Trojan.Win32.Midhos (Kaspersky);
– Win32/Medfos (ESET);
– Medfos (McAfee);
– Trojan/Win32.Midhos (AhnLab);
– Trojan.Win32.Medfos (Ikarus).