Rootkit:W32/Mediyes is installed onto a system as part of the payload of a trojan-dropper identified as Trojan:W32/Mediyes (alias Trojan-Dropper.Win32.Mediye, Trojan.Mediyes).
The trojan-dropper was originally digitally signed with a certificate stolen from Swiss company Conpavi AG; the certificates used have since been revoked by the relevant certification authority.
Because the file appears to carry a legitimate signature, a user may run the dropper manually without suspecting it.
On execution, the dropper will install a file to the following location:
- C:\WINDOWS\system32\d3dywd2ks.dll - 32-bit driver file detected as rootkit.mediyes.a
Note: Of the two dropper samples analyzed, one variant prompts the user to reboot the machine, while the other is able to install the driver without requiring a reboot.
The dropper makes a number of registry changes, and creates a mutex, then deletes itself from the system.
On reboot, the DLL file is injected into a web browser process (Internet Explorer or Mozilla Firefox), where it intercepts requests sent to various search engines and redirects them to unsolicited sites.
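A defender-side triage script for the indicators this description gives (the dropped DLL path, the injected browser processes, and the revoked signing certificate), added here as an example; it is not F-Secure's or the malware's code, it assumes a Windows host with PowerShell 3 or later, and the function name and the -DropperPath parameter are hypothetical.

```powershell
# Added triage example; not F-Secure's or the malware's code. Assumes a Windows host,
# PowerShell 3+, and the file path and browser names given in the description.
function Test-MediyesIndicators {
    param(
        # Dropped DLL path from the description ($env:SystemRoot is normally C:\WINDOWS)
        [string]$DriverPath = (Join-Path $env:SystemRoot 'system32\d3dywd2ks.dll'),
        # Browser processes named as injection targets
        [string[]]$BrowserProcesses = @('iexplore', 'firefox'),
        # Optional: a suspected dropper sample to signature-check (analyst-supplied)
        [string]$DropperPath
    )

    $findings = @()

    # 1. Dropped DLL present on disk?
    if (Test-Path -LiteralPath $DriverPath) {
        $findings += [pscustomobject]@{ Indicator = 'DLL present on disk'; Detail = $DriverPath }
    }

    # 2. DLL currently loaded into a browser process?
    $dllName = Split-Path -Leaf $DriverPath
    foreach ($proc in (Get-Process -Name $BrowserProcesses -ErrorAction SilentlyContinue)) {
        try {
            # Modules may be unreadable for a 32-bit process from a 64-bit shell
            $loaded = $proc.Modules | Where-Object { $_.ModuleName -ieq $dllName }
        } catch { $loaded = $null }
        if ($loaded) {
            $findings += [pscustomobject]@{
                Indicator = 'DLL loaded in browser'
                Detail    = '{0} (PID {1})' -f $proc.ProcessName, $proc.Id
            }
        }
    }

    # 3. Signature on a suspected dropper: the stolen Conpavi AG certificate has been
    #    revoked, so a status other than Valid, or an unexpected signer, is worth noting.
    if ($DropperPath -and (Test-Path -LiteralPath $DropperPath)) {
        $sig = Get-AuthenticodeSignature -FilePath $DropperPath
        $findings += [pscustomobject]@{
            Indicator = 'Dropper signature'
            Detail    = '{0}; signer: {1}' -f $sig.Status, $sig.SignerCertificate.Subject
        }
    }

    return $findings
}

# Example run; pass -DropperPath <sample> to include the signature check
Test-MediyesIndicators | Format-Table -AutoSize
```

An empty result only means these three indicators were not seen; the registry changes and mutex the description mentions are not enumerated here because their names are not given.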