[thisisu]

http://www.microsoft.com/security/porta ... n32/Medfos

Some examples:

Code: Select all

HKU\Owner\...\Run: [AVG Secure Search] rundll32.exe "C:\Users\Owner\AppData\Local\Broadcom\AVG Secure Search\zjfdkvut.dll",fltInfoW [334848 2012-10-23] (Microsoft Corporation)

Code: Select all

O4 - HKCU..\Run: [Moss Bay Software] C:\Users\Owner\AppData\Local\Moss Bay Software\iidjqzga.dll (Dolby Technology)

Code: Select all

[2012/10/02 19:32:14 | 000,000,000 | ---D | M] (Mozilla Safe Browsing) -- C:\USERS\Owner\APPDATA\LOCAL\{6250848E-0CE9-11E2-8271-B8AC6F996F26}

Code: Select all

C:\Users\Owner\AppData\Local\{39D6B3A6-F2CF-11E1-8270-B8AC6F996F26}\chrome\content\browser.xul JS/Redirector.NIQ trojan cleaned by deleting - quarantined

[360Tencent]

http://blogs.technet.com/b/mmpc/archive ... earch.aspx

MSE detected as Trojan:Win32/Medfos.gen!A

medfos.zip

infected
(920.51 KiB) Downloaded 103 times

[Cody Johnston]

Another one pulled from a PC today.

VT: 27/44

https://www.virustotal.com/file/3b00d02 ... /analysis/

[thisisu]

http://www.microsoft.com/security/porta ... 2/Medfos.B

Going to try to add automated detection and removal for the browser.xul for my tool :)

Edit: It's added now

Code: Select all

Successfully deleted: [File] C:\Users\thisisu\appdata\local\{c9b68337-e93a-44ea-94dc-cb300ec06444}\chrome\content\browser.xul [Trojan:JS/Medfos.A]

[Win32:Virut]

33 Medfos Samples

I don't checked all samples, but the most of them should be Medfos.

[Win32:Virut]

4 Medfos Samples

[thisisu]

How can I detect this type of file using batch scripts?

uRun: [Microsoft Help] rundll32.exe "C:\Users\Owner\AppData\Local\VirtualStore\Microsoft Help\prljli.dll",DllRegisterServerW

From MS page (http://www.microsoft.com/security/porta ... tails_link)

In subkey: HKLM\Software\Microsoft\Windows\Currentversion\Run
Sets value: "<name of DLL file>", for example "pcpat"
With data: "rundll32.exe <copied file>,<random export name>", for example "rundll32.exe pcpat.dll,AInputStream"

Alternate Input Stream? Is this not the same as ADS (Alternate Data Stream)?

Any additional info is appreciated.

[EP_X0FF]

In subkey: HKLM\Software\Microsoft\Windows\Currentversion\Run
Sets value: "<name of DLL file>", for example "pcpat"
With data: "rundll32.exe <copied file>,<random export name>", for example "rundll32.exe pcpat.dll,AInputStream"

Alternate Input Stream? Is this not the same as ADS (Alternate Data Stream)?

Any additional info is appreciated.

http://msdn.microsoft.com/en-us/library ... s.80).aspx

[thisisu]

Cool ! :)

Code: Select all

Microsoft (R) COFF/PE Dumper Version 10.00.40219.01
Copyright (C) Microsoft Corporation.  All rights reserved.


Dump of file nkuim.dll

File Type: DLL

  Section contains the following exports for vtujmyl.dll

    00000000 characteristics
    46AB8200 time date stamp Sat Jul 28 12:50:56 2007
        0.00 version
           1 ordinal base
           5 number of functions
           5 number of names

    ordinal hint RVA      name

          4    0 000170CC ClearFreeList
          1    1 00017DAC State_Delete
          5    2 0001432C get_oFFs
          2    3 0000B258 get_progressive_ptr
          3    4 0000F488 set_write_status_fn

  Summary

       1B000 .data
       34000 .rdata
        2000 .reloc
        6000 .rsrc
       19000 .text

Where's the AInputStream information though?

[EP_X0FF]

It just export symbol name, it can be random and different in your case.