1. Skip to navigation
  2. Skip to content
  3. Skip to secondary-content

Where You Are

  1. Labs
  2. Threats
  3. Virus and threat descriptions
  4. Mitglieder.CN

Mitglieder.CN

ALIAS:W32/Mitglieder.CN, W32/BagleDownloader.dr, W32/BagleDownloader
ALIAS:Email-Worm.Win32.Bagle.bq, Bagle.BQ

Summary

This Mitglieder variant appeared on June 26, 2005. The Mitglieder appears to have been seeded to many users.

Additional Details

The main dropper is a PE executable file 36864 bytes long. The dropped file is a DLL file, 9216 bytes long. Both the dropper and the DLL file are packed. NOTE: the dropped DLL is in fact named wiwshost.exe

Installation to system

When the Mitglieder is first run, it copies itself to Windows System directory as WINSHOST.EXE and drops a DLL file named WIWSHOST.EXE there. This DLL file is then injected into Explorer.exe process.

The dropper/injector creates 2 startup keys and one status key for its file in Windows Registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run] "winshost.exe" = "%system%\winshost.exe"


[HKLM\Software\Microsoft\Windows\CurrentVersion\Run] "winshost.exe" = "%system%\winshost.exe"
where "%system%" represents Windows System folder. Keys are created to ensure the downloader DLL is injected into Explorer next time the system restarts.

On its first run, a status key is created. If this is the very first run of the Mitglieder, it disguises by opening an empty MSPaint.

[HKCU\Software\FirstRun] "FirstRunRR" = SZ_DWORD 00000001


The downloader and its payload

WIWSHOST.EXE file has downloading functionality. It also has functionality that affects various Anti-Virus and Security software. When loaded, it may modify the HOSTS file. Then another piece of code responsible for disabling/altering services with the following names gets control:

wuauserv PAVSRV PAVFNSVR PSIMSVC Pavkre PavProt PREVSRV PavPrSrv SharedAccess navapsvc NPFMntor Outpost Firewall SAVScan SBService Symantec Core LC ccEvtMgr SNDSrvc ccPwdSvc ccSetMgr.exe SPBBCSvc KLBLMain avg7alrt avg7updsvc vsmon CAISafe avpcc fsbwsys backweb client - 4476822 backweb client-4476822 fsdfwd F-Secure Gatekeeper Handler Starter FSMA KAVMonitorService navapsvc NProtectService Norton Antivirus Server VexiraAntivirus dvpinit dvpapi schscnt BackWeb Client - 7681197 F-Secure Gatekeeper Handler Starter FSMA AVPCC KAVMonitorService Norman NJeeves NVCScheduler nvcoas Norman ZANDA PASSRV SweepNet SWEEPSRV.SYS NOD32ControlCenter NOD32Service PCCPFW Tmntsrv AvxIni XCOMM ravmon8 SmcService BlackICE PersFW McAfee Firewall OutpostFirewall NWService alerter sharedaccess NISUM NISSERV vsmon nwclnth nwclntg nwclnte nwclntf nwclntd nwclntc wuauserv navapsvc Symantec Core LC SAVScan kavsvc DefWatch Symantec AntiVirus Client NSCTOP Symantec Core LC SAVScan SAVFMSE ccEvtMgr navapsvc ccSetMgr VisNetic AntiVirus Plug-in McShield AlertManger McAfeeFramework AVExch32Service AVUPDService McTaskManager Network Associates Log Service Outbreak Manager MCVSRte mcupdmgr.exe AvgServ AvgCore AvgFsh awhost32 Ahnlab task Scheduler MonSvcNT V3MonNT V3MonSvc FSDFWD


The trojan starts a thread that deletes the values contained in the following registry keys:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,Symantec NetDriver Monitor HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,ccApp HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,NAV CfgWiz HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,SSC_UserPrompt HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,McAfee Guardian HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,McAfee.InstantUpdate.Monitor HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,APVXDWIN HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,KAV50 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,avg7_cc HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,avg7_emc HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,Zone Labs Client HKLM\SOFTWARE\Symantec HKLM\SOFTWARE\McAfee HKLM\SOFTWARE\KasperskyLab HKLM\SOFTWARE\Agnitum HKLM\SOFTWARE\Panda Software HKLM\SOFTWARE\Zone Labs
The trojan also starts a thread that scans all hard drives and deletes file with the following name:

mysuperprog.exe
The trojan stops services with the following names:

SharedAccess wscsvc
The trojan creates a thread that kills processes with the following names:

NUPGRADE.EXE MCUPDATE.EXE ATUPDATER.EXE AUPDATE.EXE AUTOTRACE.EXE AUTOUPDATE.EXE FIREWALL.EXE ATUPDATER.EXE LUALL.EXE DRWEBUPW.EXE AUTODOWN.EXE NUPGRADE.EXE OUTPOST.EXE ICSSUPPNT.EXE ICSUPP95.EXE ESCANH95.EXE AVXQUAR.EXE ESCANHNT.EXE UPGRADER.EXE AVXQUAR.EXE AVWUPD32.EXE AVPUPD.EXE CFIAUDIT.EXE UPDATE.EXE
Finally the trojan tries to download a file from several webservers. The file is placed to Window directory as 'ile.exe' and is run. The trojan tries to download from the following hardcoded locations:

http://www.ya[BLOKED]nnick-spruyt.be/osa3.gif http://www.ya[BLOKED]yadownload.com/osa3.gif http://www.ye[BLOKED]sterdays.co.za/osa3.gif http://www.ye[BLOKED]sterdays.co.za/osa3.gif http://www.ys[BLOKED]hkj.com/osa3.gif http://www.ys[BLOKED]hkj.com/osa3.gif http://www.za[BLOKED]kazcd.dp.ua/osa3.gif http://www.st[BLOKED]udents.stir.ac.uk/osa3.gif http://www.ze[BLOKED]nesoftware.com/osa3.gif http://www.ze[BLOKED]ntek.co.za/osa3.gif http://www.cz[BLOKED]zm.com/osa3.gif http://www.iz[BLOKED]oli.sk/osa3.gif http://www.zo[BLOKED]rbas.az/osa3.gif http://www.zs[BLOKED]bersala.edu.sk/osa3.gif http://www.tr[BLOKED]iptonic.ch/osa3.gif http://www.tv[BLOKED]-marina.com/osa3.gif http://www.tr[BLOKED]avelourway.com/osa3.gif http://www.me[BLOKED]gaserve.net/osa3.gif http://www.tr[BLOKED]gd.dobrcz.pl/osa3.gif http://www.mi[BLOKED]ld.at/osa3.gif http://www.mi[BLOKED]ld.at/osa3.gif http://www.ki[BLOKED]ngsley.ch/osa3.gif http://www.mi[BLOKED]ld.at/osa3.gif http://www.el[BLOKED]vis-presley.ch/osa3.gif http://www.go[BLOKED]myhome.com.tw/osa3.gif http://www.id[BLOKED]er.cl/osa3.gif http://www.as[BLOKED]colfibras.com/osa3.gif http://www.on[BLOKED]24.ee/osa3.gif http://www.xo[BLOKED]jc.com/osa3.gif http://www.x-[BLOKED]treme.cz/osa3.gif http://www.gy[BLOKED]mzn.cz/osa3.gif http://www.gy[BLOKED]mzn.cz/osa3.gif http://www.gy[BLOKED]mzn.cz/osa3.gif http://www.xi[BLOKED]antong.net/osa3.gif http://www.xm[BLOKED]pie.com/osa3.gif http://www.xm[BLOKED]pie.com/osa3.gif http://www.xm[BLOKED]td.com/osa3.gif http://www.on[BLOKED]link.net/osa3.gif http://www.di[BLOKED]scoteka-funfactory.com/osa3.gif http://www.to[BLOKED]ussain.be/osa3.gif http://www.id[BLOKED]cs.be/osa3.gif http://www.ge[BLOKED]peters.org/osa3.gif http://www.an[BLOKED]gham.de/osa3.gif http://www.id[BLOKED]af.de/osa3.gif http://www.bo[BLOKED]lz.at/osa3.gif http://www.so[BLOKED]cietaet.de/osa3.gif http://www.pp[BLOKED]m-alliance.de/osa3.gif http://www.ud[BLOKED]c-cassinadepecchi.it/osa3.gif http://www.un[BLOKED]iverse.sk/osa3.gif http://www.ji[BLOKED]ngjuok.com/osa3.gif http://www.ge[BLOKED]mtrox.com.tw/osa3.gif http://www.us[BLOKED]powerchair.com/osa3.gif http://www.st[BLOKED]eripharm.com/osa3.gif http://www.be[BLOKED]all-cpa.com/osa3.gif http://www.jc[BLOKED]m-american.com/osa3.gif http://www.ve[BLOKED]rcruyssenelektro.be/osa3.gif http://www.ce[BLOKED]ntrovestecasa.it/osa3.gif http://www.ve[BLOKED]t24h.com/osa3.gif http://www.vi[BLOKED]nimeloni.com/osa3.gif http://www.vn[BLOKED]rvjiet.ac.in/osa3.gif http://www.vo[BLOKED]te2fateh.com/osa3.gif http://www.ma[BLOKED]rketvw.com/osa3.gif http://www.fo[BLOKED]rmholz.at/osa3.gif http://www.ch[BLOKED]eckonemedia.nl/osa3.gif http://www.fo[BLOKED]tomax.fi/osa3.gif http://www.vw[BLOKED].press-bank.pl/osa3.gif http://www.wa[BLOKED]mba.asn.au/osa3.gif http://www.cz[BLOKED]-wanjia.com/osa3.gif http://www.cz[BLOKED]wanqing.com/osa3.gif http://www.wd[BLOKED]lp.co.za/osa3.gif http://www.au[BLOKED]tomobilonline.de/osa3.gif http://www.ba[BLOKED]ngyan.cn/osa3.gif http://www.21[BLOKED]ebuild.com/osa3.gif http://www.ea[BLOKED]gle.com.cn/osa3.gif http://www.ea[BLOKED]gleclub.com.cn/osa3.gif http://www.ea[BLOKED]gleclub.com.cn/osa3.gif http://www.sa[BLOKED]njinyuan.com/osa3.gif http://www.de[BLOKED]signgong.org/osa3.gif http://www.fe[BLOKED]rmegaroy.com/osa3.gif http://www.we[BLOKED]lchcorp.com/osa3.gif http://www.sn[BLOKED]sphoto.com/osa3.gif http://www.so[BLOKED]eco.org/osa3.gif http://www.so[BLOKED]ftmajor.ru/osa3.gif http://www.so[BLOKED]lt3.org/osa3.gif http://www.sq[BLOKED]nsolutions.com/osa3.gif http://www.sp[BLOKED]acium.biz/osa3.gif http://www.sp[BLOKED]eedcom.home.pl/osa3.gif http://www.tr[BLOKED]ago.com.pt/osa3.gif http://www.sp[BLOKED]irit-in-steel.at/osa3.gif http://www.sp[BLOKED]y.az/osa3.gif http://www.st[BLOKED]-paulus-bonn.dehtdocs/osa3.gif http://www.st[BLOKED]bs.com.hk/osa3.gif http://www.ac[BLOKED]sohio.com/osa3.gif http://www.ol[BLOKED]va.com.pe/osa3.gif http://www.su[BLOKED]bsplanet.com/osa3.gif http://www.su[BLOKED]ngodbio.com/osa3.gif http://www.su[BLOKED]perbetcs.com/osa3.gif http://www.vn[BLOKED]n.vn/osa3.gif http://www.sy[BLOKED]dolo.com/osa3.gif http://www.sz[BLOKED]diheng.com/osa3.gif http://www.ag[BLOKED]ria.hu/osa3.gif http://www.ex[BLOKED]ternet.hu/osa3.gif http://www.ho[BLOKED]ndenservice.be/osa3.gif http://www.eh[BLOKED]c.hu/osa3.gif http://www.tc[BLOKED]icampus.net/osa3.gif http://www.co[BLOKED]ntentproject.com/osa3.gif http://www.fe[BLOKED]stivalteatrooccidente.com/osa3.gif http://www.te[BLOKED]chni.com.cn/osa3.gif http://www.fe[BLOKED]stivalteatrooccidente.com/osa3.gif http://www.th[BLOKED]aifast.com/osa3.gif http://www.th[BLOKED]aiventure.com/osa3.gif http://www.an[BLOKED]di.com.vn/osa3.gif http://www.re[BLOKED]playu.com/osa3.gif http://www.th[BLOKED]-mutan.com/osa3.gif http://www.th[BLOKED]etexasoutfitter.com/osa3.gif http://www.tm[BLOKED]hcsd1987.friko.pl/osa3.gif http://www.th[BLOKED]enextstep.tv/osa3.gif http://www.th[BLOKED]enextstep.tv/osa3.gif http://www.we[BLOKED]sartproductions.com/osa3.gif http://www.wi[BLOKED]lsonscountry.com/osa3.gif http://www.wi[BLOKED]ndstar.pl/osa3.gif http://www.wi[BLOKED]se-industries.com/osa3.gif http://www.wi[BLOKED]told.pl/osa3.gif http://www.wi[BLOKED]told.pl/osa3.gif http://www.51[BLOKED].net/osa3.gif http://www.sl[BLOKED]ovanet.sk/osa3.gif http://www.wo[BLOKED]mbband.com/osa3.gif http://www.da[BLOKED]tanet.huwww.datanet.hu/osa3.gif http://www.uw[BLOKED].hu/osa3.gif http://www.dg[BLOKED]y.com.cn/osa3.gif http://www.bs[BLOKED]-security.de/osa3.gif http://www.di[BLOKED]e-fliesen.de/osa3.gif http://www.do[BLOKED]m-invest.com.pl/osa3.gif http://www.en[BLOKED]gelhardtgmbh.de/osa3.gif http://www.tr[BLOKED]iapex.cz/osa3.gif http://www.fa[BLOKED]hrschule-herb.de/osa3.gif http://www.fa[BLOKED]hrschule-lesser.de/osa3.gif http://www.gi[BLOKED]mex-messzeuge.de/osa3.gif http://www.in[BLOKED]side-tgweb.de/osa3.gif http://www.ju[BLOKED]e-bo.com/osa3.gif http://www.ni[BLOKED]ko.de/osa3.gif http://www.ni[BLOKED]kogmbh.com/osa3.gif http://www.re[BLOKED]negaderc.com/osa3.gif http://www.sa[BLOKED]chsenbuecher.de/osa3.gif http://www.sc[BLOKED]vanravenswaaij.nl/osa3.gif http://www.sp[BLOKED]oden.de/osa3.gif http://www.sp[BLOKED]ortnf.com/osa3.gif http://www.sw[BLOKED]eb.cz/osa3.gif http://www.tg[BLOKED]-sandhausen-basketball.de/osa3.gif http://www.th[BLOKED]efunkiest.com/osa3.gif http://www.th[BLOKED]efunkiest.com/osa3.gif http://www.je[BLOKED]oushinn.com/osa3.gif http://www.pr[BLOKED]esley.ch/osa3.gif
NOTE: The list of URLs is intentinally modified. Please contact F-Secure with inquiries for the complete list.



Detection

F-Secure Anti-Virus detects both dropper and downloader with the following update:

[FSAV_Database_Version]
Version=2005-06-26_02

The other dropper variant is detected by the following update:

[FSAV_Database_Version]
Version=2005-06-26_02

Technical Details: Tzvetan Chaliavski, June 26, 2005;