Threat Description

Mitglieder.CN

Details

Aliases: Mitglieder.CN, W32/Mitglieder.CN, W32/BagleDownloader.dr, W32/BagleDownloader, Email-Worm.Win32.Bagle.bq, Bagle.BQ
Category: Malware
Type: Trojan
Platform: W32

Summary



This Mitglieder variant appeared on June 26, 2005. It appears to have been seeded to many users.



Removal



Automatic Disinfection

Allow F-Secure Anti-Virus to disinfect the relevant files.

For more general information on disinfection, please see Removal Instructions.



Technical Details



The main dropper is a PE executable file 36864 bytes long. The dropped file is a DLL, 9216 bytes long. Both the dropper and the DLL are packed. NOTE: despite its .exe extension, the dropped DLL is in fact named wiwshost.exe.

Installation to system

When the Mitglieder dropper is first run, it copies itself to the Windows System directory as WINSHOST.EXE and drops a DLL file named WIWSHOST.EXE there. This DLL is then injected into the Explorer.exe process.

The dropper/injector creates two startup keys and one status key for its file in the Windows Registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"winshost.exe" = "%system%\winshost.exe"
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"winshost.exe" = "%system%\winshost.exe"

where "%system%" represents the Windows System folder. These keys ensure that the dropper runs again, and the downloader DLL is injected into Explorer again, the next time the system restarts.

On its first run, the dropper creates a status key. If this is the very first run of the Mitglieder, it disguises its activity by opening an empty MSPaint window.

[HKCU\Software\FirstRun]
"FirstRunRR" = SZ_DWORD 00000001

The downloader and its payload

The WIWSHOST.EXE DLL has downloading functionality. It also contains functionality that affects various anti-virus and security software. When loaded, it may modify the HOSTS file. Control then passes to another piece of code that disables or alters services with the following names:

wuauserv
 PAVSRV
 PAVFNSVR
 PSIMSVC
 Pavkre
 PavProt
 PREVSRV
 PavPrSrv
 SharedAccess
 navapsvc
 NPFMntor
 Outpost Firewall
 SAVScan
 SBService
 Symantec Core LC
 ccEvtMgr
 SNDSrvc
 ccPwdSvc
 ccSetMgr.exe
 SPBBCSvc
 KLBLMain
 avg7alrt
 avg7updsvc
 vsmon
 CAISafe
 avpcc
 fsbwsys
 backweb client - 4476822
 backweb client-4476822
 fsdfwd
 F-Secure Gatekeeper Handler Starter
 FSMA
 KAVMonitorService
 navapsvc
 NProtectService
 Norton Antivirus Server
 VexiraAntivirus
 dvpinit
 dvpapi
 schscnt
 BackWeb Client - 7681197
 F-Secure Gatekeeper Handler Starter
 FSMA
 AVPCC
 KAVMonitorService
 Norman NJeeves
 NVCScheduler
 nvcoas
 Norman ZANDA
 PASSRV
 SweepNet
 SWEEPSRV.SYS
 NOD32ControlCenter
 NOD32Service
 PCCPFW
 Tmntsrv
 AvxIni
 XCOMM
 ravmon8
 SmcService
 BlackICE
 PersFW
 McAfee Firewall
 OutpostFirewall
 NWService
 alerter
 sharedaccess
 NISUM
 NISSERV
 vsmon
 nwclnth
 nwclntg
 nwclnte
 nwclntf
 nwclntd
 nwclntc
 wuauserv
 navapsvc
 Symantec Core LC
 SAVScan
 kavsvc
 DefWatch
 Symantec AntiVirus Client
 NSCTOP
 Symantec Core LC
 SAVScan
 SAVFMSE
 ccEvtMgr
 navapsvc
 ccSetMgr
 VisNetic AntiVirus Plug-in
 McShield
 AlertManger
 McAfeeFramework
 AVExch32Service
 AVUPDService
 McTaskManager
 Network Associates Log Service
 Outbreak Manager
 MCVSRte
 mcupdmgr.exe
 AvgServ
 AvgCore
 AvgFsh
 awhost32
 Ahnlab task Scheduler
 MonSvcNT
 V3MonNT
 V3MonSvc
 FSDFWD
 

The trojan starts a thread that deletes the following registry values (listed as key,value) and keys:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,Symantec NetDriver Monitor
 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,ccApp
 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,NAV CfgWiz
 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,SSC_UserPrompt
 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,McAfee Guardian
 HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,McAfee.InstantUpdate.Monitor
 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,APVXDWIN
 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,KAV50
 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,avg7_cc
 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,avg7_emc
 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,Zone Labs Client
 HKLM\SOFTWARE\Symantec
 HKLM\SOFTWARE\McAfee
 HKLM\SOFTWARE\KasperskyLab
 HKLM\SOFTWARE\Agnitum
 HKLM\SOFTWARE\Panda Software
 HKLM\SOFTWARE\Zone Labs
 

The trojan also starts a thread that scans all hard drives and deletes files with the following name:

mysuperprog.exe

The trojan stops services with the following names:

SharedAccess
wscsvc

The trojan creates a thread that kills processes with the following names:

NUPGRADE.EXE
 MCUPDATE.EXE
 ATUPDATER.EXE
 AUPDATE.EXE
 AUTOTRACE.EXE
 AUTOUPDATE.EXE
 FIREWALL.EXE
 ATUPDATER.EXE
 LUALL.EXE
 DRWEBUPW.EXE
 AUTODOWN.EXE
 NUPGRADE.EXE
 OUTPOST.EXE
 ICSSUPPNT.EXE
 ICSUPP95.EXE
 ESCANH95.EXE
 AVXQUAR.EXE
 ESCANHNT.EXE
 UPGRADER.EXE
 AVXQUAR.EXE
 AVWUPD32.EXE
 AVPUPD.EXE
 CFIAUDIT.EXE
 UPDATE.EXE
 

Finally, the trojan tries to download a file from several web servers. The downloaded file is saved in the Windows directory as 'ile.exe' and executed. The trojan tries to download from the following hardcoded locations:


NOTE: The list of URLs is intentionally modified. Please contact F-Secure with inquiries for the complete list.
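The payload side-effects described above (the two Windows services it stops, disabled security-product services, deleted Run values, the downloaded ile.exe and HOSTS changes) can be reviewed with the following PowerShell script. It is an added example, not F-Secure's tool; it assumes PowerShell 3 or later, samples only some of the service names listed above, and the pairing of each Run value with a vendor service is an assumption made from the vendor names.

```powershell
# Review of Mitglieder.CN payload side-effects on a suspect host. Added example, not
# F-Secure's tool. Service, value and file names are taken from this description;
# the Run-value-to-service pairings below are assumptions based on the vendor names.

$findings = @()

# Services the trojan stops outright (SharedAccess, wscsvc: Windows Firewall/ICS and
# Security Center) plus a sample of the security-product services it disables or alters.
$serviceNames = 'SharedAccess', 'wscsvc',
                'navapsvc', 'ccEvtMgr', 'McShield', 'avg7alrt', 'vsmon', 'kavsvc', 'FSMA', 'fsdfwd'
foreach ($name in $serviceNames) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if (-not $svc) { continue }      # service not installed: nothing to judge
    $mode = (Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'").StartMode
    if ($svc.Status -ne 'Running' -or $mode -eq 'Disabled') {
        $findings += "service $name is $($svc.Status), start mode $mode"
    }
}

# Run values the deletion thread removes. Flagged only when the paired vendor service is
# installed, because a missing value is normal on a machine without that product.
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$pairs  = @{ 'ccApp' = 'ccEvtMgr'; 'KAV50' = 'kavsvc'; 'avg7_cc' = 'avg7alrt'; 'Zone Labs Client' = 'vsmon' }
$run     = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
$present = if ($run) { @($run.PSObject.Properties.Name) } else { @() }
foreach ($value in $pairs.Keys) {
    $installed = Get-Service -Name $pairs[$value] -ErrorAction SilentlyContinue
    if ($installed -and ($present -notcontains $value)) {
        $findings += "Run value '$value' missing although service $($pairs[$value]) is installed"
    }
}

# Downloaded payload is written to the Windows directory as ile.exe.
$payload = Join-Path $env:SystemRoot 'ile.exe'
if (Test-Path -LiteralPath $payload) { $findings += "downloaded payload present: $payload" }

# HOSTS file: the description says the DLL may modify it but gives no entries, so this
# only counts IPv4 lines other than the localhost entry, for manual review.
$hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$extra = @(Get-Content -LiteralPath $hosts -ErrorAction SilentlyContinue |
           Where-Object { $_ -match '^\s*\d' -and $_ -notmatch '^\s*127\.0\.0\.1\s+localhost' })
if ($extra.Count -gt 0) { $findings += "HOSTS has $($extra.Count) entries besides localhost; review them" }

if ($findings.Count -eq 0) { 'No Mitglieder.CN payload side-effects found.' }
else { 'Possible Mitglieder.CN payload side-effects:'; $findings | ForEach-Object { "  $_" } }
```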



Detection


F-Secure Anti-Virus detects both the dropper and the downloader with the following update:
Detection Type: PC
Database: 2005-06-26_02

The other dropper variant is detected by the following update:
Detection Type: PC
Database: 2005-06-26_02



Technical Details: Tzvetan Chaliavski, June 26, 2005

