This Mitglieder variant appeared on June 26, 2005. The Mitglieder appears to have been seeded to many users.
Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.
A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:
Check for the latest database updates
First check if your F-Secure security program is using the latest updates, then try scanning the file again.
Submit a sample
After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.
Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.
Exclude a file from further scanning
If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.
Note: You need administrative rights to change the settings.
The main dropper is a PE executable file 36864 bytes long. The dropped file is a DLL file, 9216 bytes long. Both the dropper and the DLL file are packed. NOTE: the dropped DLL is in fact named wiwshost.exe
When the Mitglieder is first run, it copies itself to Windows System directory as WINSHOST.EXE and drops a DLL file named WIWSHOST.EXE there. This DLL file is then injected into Explorer.exe process.
The dropper/injector creates 2 startup keys and one status key for its file in Windows Registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run] "winshost.exe" = "%system%\winshost.exe" [HKLM\Software\Microsoft\Windows\CurrentVersion\Run] "winshost.exe" = "%system%\winshost.exe"
where "%system%" represents Windows System folder. Keys are created to ensure the downloader DLL is injected into Explorer next time the system restarts.
On its first run, a status key is created. If this is the very first run of the Mitglieder, it disguises by opening an empty MSPaint.
[HKCU\Software\FirstRun] "FirstRunRR" = SZ_DWORD 00000001
WIWSHOST.EXE file has downloading functionality. It also has functionality that affects various Anti-Virus and Security software. When loaded, it may modify the HOSTS file. Then another piece of code responsible for disabling/altering services with the following names gets control:
wuauserv PAVSRV PAVFNSVR PSIMSVC Pavkre PavProt PREVSRV PavPrSrv SharedAccess navapsvc NPFMntor Outpost Firewall SAVScan SBService Symantec Core LC ccEvtMgr SNDSrvc ccPwdSvc ccSetMgr.exe SPBBCSvc KLBLMain avg7alrt avg7updsvc vsmon CAISafe avpcc fsbwsys backweb client - 4476822 backweb client-4476822 fsdfwd F-Secure Gatekeeper Handler Starter FSMA KAVMonitorService navapsvc NProtectService Norton Antivirus Server VexiraAntivirus dvpinit dvpapi schscnt BackWeb Client - 7681197 F-Secure Gatekeeper Handler Starter FSMA AVPCC KAVMonitorService Norman NJeeves NVCScheduler nvcoas Norman ZANDA PASSRV SweepNet SWEEPSRV.SYS NOD32ControlCenter NOD32Service PCCPFW Tmntsrv AvxIni XCOMM ravmon8 SmcService BlackICE PersFW McAfee Firewall OutpostFirewall NWService alerter sharedaccess NISUM NISSERV vsmon nwclnth nwclntg nwclnte nwclntf nwclntd nwclntc wuauserv navapsvc Symantec Core LC SAVScan kavsvc DefWatch Symantec AntiVirus Client NSCTOP Symantec Core LC SAVScan SAVFMSE ccEvtMgr navapsvc ccSetMgr VisNetic AntiVirus Plug-in McShield AlertManger McAfeeFramework AVExch32Service AVUPDService McTaskManager Network Associates Log Service Outbreak Manager MCVSRte mcupdmgr.exe AvgServ AvgCore AvgFsh awhost32 Ahnlab task Scheduler MonSvcNT V3MonNT V3MonSvc FSDFWD
The trojan starts a thread that deletes the values contained in the following registry keys:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,Symantec NetDriver Monitor HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,ccApp HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,NAV CfgWiz HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,SSC_UserPrompt HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,McAfee Guardian HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,McAfee.InstantUpdate.Monitor HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,APVXDWIN HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,KAV50 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,avg7_cc HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,avg7_emc HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,Zone Labs Client HKLM\SOFTWARE\Symantec HKLM\SOFTWARE\McAfee HKLM\SOFTWARE\KasperskyLab HKLM\SOFTWARE\Agnitum HKLM\SOFTWARE\Panda Software HKLM\SOFTWARE\Zone Labs
The trojan also starts a thread that scans all hard drives and deletes file with the following name:
mysuperprog.exe
The trojan stops services with the following names:
SharedAccess wscsvc
The trojan creates a thread that kills processes with the following names:
NUPGRADE.EXE MCUPDATE.EXE ATUPDATER.EXE AUPDATE.EXE AUTOTRACE.EXE AUTOUPDATE.EXE FIREWALL.EXE ATUPDATER.EXE LUALL.EXE DRWEBUPW.EXE AUTODOWN.EXE NUPGRADE.EXE OUTPOST.EXE ICSSUPPNT.EXE ICSUPP95.EXE ESCANH95.EXE AVXQUAR.EXE ESCANHNT.EXE UPGRADER.EXE AVXQUAR.EXE AVWUPD32.EXE AVPUPD.EXE CFIAUDIT.EXE UPDATE.EXE
Finally the trojan tries to download a file from several webservers. The file is placed to Window directory as 'ile.exe' and is run. The trojan tries to download from the following hardcoded locations:
https://www.ya[BLOCKED]nnick-spruyt.be/osa3.gif http://www.ya[BLOCKED]yadownload.com/osa3.gif http://www.ye[BLOCKED]sterdays.co.za/osa3.gif http://www.ye[BLOCKED]sterdays.co.za/osa3.gif http://www.ys[BLOCKED]hkj.com/osa3.gif http://www.ys[BLOCKED]hkj.com/osa3.gif http://www.za[BLOCKED]kazcd.dp.ua/osa3.gif http://www.st[BLOCKED]udents.stir.ac.uk/osa3.gif http://www.ze[BLOCKED]nesoftware.com/osa3.gif http://www.ze[BLOCKED]ntek.co.za/osa3.gif http://www.cz[BLOCKED]zm.com/osa3.gif http://www.iz[BLOCKED]oli.sk/osa3.gif http://www.zo[BLOCKED]rbas.az/osa3.gif http://www.zs[BLOCKED]bersala.edu.sk/osa3.gif http://www.tr[BLOCKED]iptonic.ch/osa3.gif http://www.tv[BLOCKED]-marina.com/osa3.gif http://www.tr[BLOCKED]avelourway.com/osa3.gif http://www.me[BLOCKED]gaserve.net/osa3.gif http://www.tr[BLOCKED]gd.dobrcz.pl/osa3.gif http://www.mi[BLOCKED]ld.at/osa3.gif http://www.mi[BLOCKED]ld.at/osa3.gif http://www.ki[BLOCKED]ngsley.ch/osa3.gif http://www.mi[BLOCKED]ld.at/osa3.gif http://www.el[BLOCKED]vis-presley.ch/osa3.gif http://www.go[BLOCKED]myhome.com.tw/osa3.gif http://www.id[BLOCKED]er.cl/osa3.gif http://www.as[BLOCKED]colfibras.com/osa3.gif http://www.on[BLOCKED]24.ee/osa3.gif http://www.xo[BLOCKED]jc.com/osa3.gif http://www.x-[BLOCKED]treme.cz/osa3.gif http://www.gy[BLOCKED]mzn.cz/osa3.gif http://www.gy[BLOCKED]mzn.cz/osa3.gif http://www.gy[BLOCKED]mzn.cz/osa3.gif http://www.xi[BLOCKED]antong.net/osa3.gif http://www.xm[BLOCKED]pie.com/osa3.gif http://www.xm[BLOCKED]pie.com/osa3.gif http://www.xm[BLOCKED]td.com/osa3.gif http://www.on[BLOCKED]link.net/osa3.gif http://www.di[BLOCKED]scoteka-funfactory.com/osa3.gif http://www.to[BLOCKED]ussain.be/osa3.gif http://www.id[BLOCKED]cs.be/osa3.gif http://www.ge[BLOCKED]peters.org/osa3.gif http://www.an[BLOCKED]gham.de/osa3.gif http://www.id[BLOCKED]af.de/osa3.gif http://www.bo[BLOCKED]lz.at/osa3.gif http://www.so[BLOCKED]cietaet.de/osa3.gif http://www.pp[BLOCKED]m-alliance.de/osa3.gif http://www.ud[BLOCKED]c-cassinadepecchi.it/osa3.gif http://www.un[BLOCKED]iverse.sk/osa3.gif http://www.ji[BLOCKED]ngjuok.com/osa3.gif http://www.ge[BLOCKED]mtrox.com.tw/osa3.gif http://www.us[BLOCKED]powerchair.com/osa3.gif http://www.st[BLOCKED]eripharm.com/osa3.gif http://www.be[BLOCKED]all-cpa.com/osa3.gif http://www.jc[BLOCKED]m-american.com/osa3.gif http://www.ve[BLOCKED]rcruyssenelektro.be/osa3.gif http://www.ce[BLOCKED]ntrovestecasa.it/osa3.gif http://www.ve[BLOCKED]t24h.com/osa3.gif http://www.vi[BLOCKED]nimeloni.com/osa3.gif http://www.vn[BLOCKED]rvjiet.ac.in/osa3.gif http://www.vo[BLOCKED]te2fateh.com/osa3.gif http://www.ma[BLOCKED]rketvw.com/osa3.gif http://www.fo[BLOCKED]rmholz.at/osa3.gif http://www.ch[BLOCKED]eckonemedia.nl/osa3.gif http://www.fo[BLOCKED]tomax.fi/osa3.gif http://www.vw[BLOCKED].press-bank.pl/osa3.gif http://www.wa[BLOCKED]mba.asn.au/osa3.gif http://www.cz[BLOCKED]-wanjia.com/osa3.gif http://www.cz[BLOCKED]wanqing.com/osa3.gif http://www.wd[BLOCKED]lp.co.za/osa3.gif http://www.au[BLOCKED]tomobilonline.de/osa3.gif http://www.ba[BLOCKED]ngyan.cn/osa3.gif http://www.21[BLOCKED]ebuild.com/osa3.gif http://www.ea[BLOCKED]gle.com.cn/osa3.gif http://www.ea[BLOCKED]gleclub.com.cn/osa3.gif http://www.ea[BLOCKED]gleclub.com.cn/osa3.gif http://www.sa[BLOCKED]njinyuan.com/osa3.gif http://www.de[BLOCKED]signgong.org/osa3.gif http://www.fe[BLOCKED]rmegaroy.com/osa3.gif http://www.we[BLOCKED]lchcorp.com/osa3.gif http://www.sn[BLOCKED]sphoto.com/osa3.gif http://www.so[BLOCKED]eco.org/osa3.gif http://www.so[BLOCKED]ftmajor.ru/osa3.gif http://www.so[BLOCKED]lt3.org/osa3.gif http://www.sq[BLOCKED]nsolutions.com/osa3.gif http://www.sp[BLOCKED]acium.biz/osa3.gif http://www.sp[BLOCKED]eedcom.home.pl/osa3.gif http://www.tr[BLOCKED]ago.com.pt/osa3.gif http://www.sp[BLOCKED]irit-in-steel.at/osa3.gif http://www.sp[BLOCKED]y.az/osa3.gif http://www.st[BLOCKED]-paulus-bonn.dehtdocs/osa3.gif http://www.st[BLOCKED]bs.com.hk/osa3.gif http://www.ac[BLOCKED]sohio.com/osa3.gif http://www.ol[BLOCKED]va.com.pe/osa3.gif http://www.su[BLOCKED]bsplanet.com/osa3.gif http://www.su[BLOCKED]ngodbio.com/osa3.gif http://www.su[BLOCKED]perbetcs.com/osa3.gif http://www.vn[BLOCKED]n.vn/osa3.gif http://www.sy[BLOCKED]dolo.com/osa3.gif http://www.sz[BLOCKED]diheng.com/osa3.gif http://www.ag[BLOCKED]ria.hu/osa3.gif http://www.ex[BLOCKED]ternet.hu/osa3.gif http://www.ho[BLOCKED]ndenservice.be/osa3.gif http://www.eh[BLOCKED]c.hu/osa3.gif http://www.tc[BLOCKED]icampus.net/osa3.gif http://www.co[BLOCKED]ntentproject.com/osa3.gif http://www.fe[BLOCKED]stivalteatrooccidente.com/osa3.gif http://www.te[BLOCKED]chni.com.cn/osa3.gif http://www.fe[BLOCKED]stivalteatrooccidente.com/osa3.gif http://www.th[BLOCKED]aifast.com/osa3.gif http://www.th[BLOCKED]aiventure.com/osa3.gif http://www.an[BLOCKED]di.com.vn/osa3.gif http://www.re[BLOCKED]playu.com/osa3.gif http://www.th[BLOCKED]-mutan.com/osa3.gif http://www.th[BLOCKED]etexasoutfitter.com/osa3.gif http://www.tm[BLOCKED]hcsd1987.friko.pl/osa3.gif http://www.th[BLOCKED]enextstep.tv/osa3.gif http://www.th[BLOCKED]enextstep.tv/osa3.gif http://www.we[BLOCKED]sartproductions.com/osa3.gif http://www.wi[BLOCKED]lsonscountry.com/osa3.gif http://www.wi[BLOCKED]ndstar.pl/osa3.gif http://www.wi[BLOCKED]se-industries.com/osa3.gif http://www.wi[BLOCKED]told.pl/osa3.gif http://www.wi[BLOCKED]told.pl/osa3.gif http://www.51[BLOCKED].net/osa3.gif http://www.sl[BLOCKED]ovanet.sk/osa3.gif http://www.wo[BLOCKED]mbband.com/osa3.gif http://www.da[BLOCKED]tanet.huwww.datanet.hu/osa3.gif http://www.uw[BLOCKED].hu/osa3.gif http://www.dg[BLOCKED]y.com.cn/osa3.gif http://www.bs[BLOCKED]-security.de/osa3.gif http://www.di[BLOCKED]e-fliesen.de/osa3.gif http://www.do[BLOCKED]m-invest.com.pl/osa3.gif http://www.en[BLOCKED]gelhardtgmbh.de/osa3.gif http://www.tr[BLOCKED]iapex.cz/osa3.gif http://www.fa[BLOCKED]hrschule-herb.de/osa3.gif http://www.fa[BLOCKED]hrschule-lesser.de/osa3.gif http://www.gi[BLOCKED]mex-messzeuge.de/osa3.gif http://www.in[BLOCKED]side-tgweb.de/osa3.gif http://www.ju[BLOCKED]e-bo.com/osa3.gif http://www.ni[BLOCKED]ko.de/osa3.gif http://www.ni[BLOCKED]kogmbh.com/osa3.gif http://www.re[BLOCKED]negaderc.com/osa3.gif http://www.sa[BLOCKED]chsenbuecher.de/osa3.gif http://www.sc[BLOCKED]vanravenswaaij.nl/osa3.gif http://www.sp[BLOCKED]oden.de/osa3.gif http://www.sp[BLOCKED]ortnf.com/osa3.gif http://www.sw[BLOCKED]eb.cz/osa3.gif http://www.tg[BLOCKED]-sandhausen-basketball.de/osa3.gif http://www.th[BLOCKED]efunkiest.com/osa3.gif http://www.th[BLOCKED]efunkiest.com/osa3.gif http://www.je[BLOCKED]oushinn.com/osa3.gif http://www.pr[BLOCKED]esley.ch/osa3.gif
NOTE: The list of URLs is intentinally modified. Please contact F-Secure with inquiries for the complete list.