Threat Detail

  • Malware Type: Trojan
  • Malware Sub-type: Win32
  • Protection Added: 2012-08-25

This is a Trojan detection. Unlike viruses, Trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.


  • Fortinet - W32/Medfos.BLA!tr
  • Avast - Win32:Medfos
  • Microsoft - Trojan:Win32/Medfos.B
  • Trend - TROJ_MEDFOS.SMJ

Medfos.t is a Trojan that redirects the web browser to other websites.

Upon execution, it connects to the following URL/IP on remote port 53:

  • Ppcmya[Removed]
  • 85.17.[Removed].53

Upon execution, the Trojan changes the following browser-related files in order to redirect the browser to other sites:

  • %Userprofile%\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{GUID}.dat
  • %Userprofile%\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{GUID}.dat
  • %Userprofile%\Local Settings\Application Data\{GUID}\chrome\content\browser.xul
  • %Userprofile%\Local Settings\Application Data\{GUID}\chrome.manifest
  • %Userprofile%\Local Settings\Application Data\{GUID}\install.rdf

When the Trojan is executed, the following folders are added to the system:

  • %Userprofile%\Local Settings\Application Data\{GUID}
  • %Userprofile%\Local Settings\Application Data\{GUID}\chrome
  • %Userprofile%\Local Settings\Application Data\{GUID}\chrome\content

When the Trojan is executed, the following registry entries are added to the system:

  • HKU\S-1-5-[Varies]\Software\Microsoft\Windows\CurrentVersion\dacet: "ODUuMTcuMTMyLjUzOwAA"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dacet: ""%WinDir%\system32\rundll32.exe"  "%UserProfile%\Desktop\dacet.dll" read_update_info"

The registry entries above ensure that the Trojan registers itself with the compromised system and executes on every boot.
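
As a defender-side illustration of the Run-key persistence listed above (an added example, not part of the original description or any vendor tooling), this Python code parses `reg query`-style output and flags autostart values that launch rundll32 against a DLL in a user-writable path. The sample text, the function names and the list of path markers are assumptions.

```python
import re

# Constructed sample in `reg query` output layout; the dacet line reuses the
# value this page lists, the other two entries are made-up benign examples.
SAMPLE = r'''
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    dacet    REG_SZ    "%WinDir%\system32\rundll32.exe"  "%UserProfile%\Desktop\dacet.dll" read_update_info
    ExampleTray    REG_SZ    "C:\Program Files\Example\tray.exe" /startup
    ExampleCpl    REG_SZ    rundll32.exe C:\WINDOWS\system32\example.dll,Start
'''

# Assumed markers for locations a standard user can write to.
USER_WRITABLE = ('%userprofile%', '%appdata%', '%localappdata%', '%temp%',
                 '\\users\\', '\\documents and settings\\')
VALUE_RE = re.compile(r'^\s{4}(?P<name>.+?)\s{4}(?P<type>REG_\w+)\s{4}(?P<data>.*)$')
# rundll32 (optionally quoted, with or without a path), then the DLL argument.
RUNDLL_RE = re.compile(
    r'^"?(?:[^"]*\\)?rundll32(?:\.exe)?"?\s+(?:"(?P<q>[^"]+)"|(?P<b>[^\s,]+))',
    re.IGNORECASE)

def parse_run_values(text):
    """Yield (key, name, data) for every value line under a key header."""
    key = None
    for line in text.splitlines():
        m = VALUE_RE.match(line)
        if m and key:
            yield key, m.group('name'), m.group('data')
        elif line.strip() and not line.startswith(' '):
            key = line.strip()

def suspicious_rundll32(text):
    """Return Run values that start rundll32 on a DLL in a user-writable path."""
    hits = []
    for key, name, data in parse_run_values(text):
        m = RUNDLL_RE.match(data.strip())
        if not m:
            continue
        dll = m.group('q') or m.group('b')
        if any(marker in dll.lower() for marker in USER_WRITABLE):
            hits.append({'key': key, 'name': name, 'dll': dll})
    return hits

if __name__ == '__main__':
    for hit in suspicious_rundll32(SAMPLE):
        print(hit)
```
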

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, email spam, etc.
The symptoms of this detection are the files, registry entries, and network communication referenced in the characteristics section.