Threat Description

Mitglieder

Details

Category: Malware
Type: Trojan
Platform: W32
Aliases: Mitglieder, TrojanProxy.Win32.Mitglieder.c

Summary


Mitglieder is a trojan that functions as an e-mail relay. The trojan terminates the processes of several programs and reports certain information to its creators. The Bagle worm is able to download this trojan from a website and activate it.



Removal


Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.

More scanning & removal options

More information on scanning or removal options is available in the documentation for your F-Secure security product on the Downloads section of our Home - Global site.

You may also refer to the Knowledge Base on the F-Secure Community site for more information.

Contact Support

For further assistance, F-Secure customers can request support online via the Request support or the Chat forms on our Home - Global site.



Technical Details


When run, the trojan installs itself on the system. It copies its file as SYSTEM.EXE to the Windows System directory and creates the following entry in the System Registry:

[HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ssgrate.exe" = "%winsysdir%\system.exe"

where %winsysdir% is the name of the Windows System directory.

The trojan also creates another entry in the Registry where it stores its internal variables.

The trojan then starts a thread that contacts 15 different websites, requesting a PHP page on each with certain parameters. In this way the trojan reports its ID, its proxy port and the IP address of the infected computer to its authors.

After that, the trojan starts a thread that terminates processes with the following names:

ATUPDATER.EXE
AVWUPD32.EXE
AVPUPD.EXE
LUALL.EXE
DRWEBUPW.EXE
ICSSUPPNT.EXE
ICSUPP95.EXE
UPDATE.EXE
NUPGRADE.EXE
ATUPDATER.EXE
AUPDATE.EXE
AUTODOWN.EXE
AUTOTRACE.EXE
AUTOUPDATE.EXE
AVXQUAR.EXE
CFIAUDIT.EXE
MCUPDATE.EXE
NUPGRADE.EXE

The trojan's body contains 3 links that point to a data-stealing trojan hosted on 3 different websites. That trojan is detected as 'Trojan.PSW.Ldpinch.as'. The infected files have already been removed from those websites.

The trojan runs a mail relay that listens on a fixed port (in the sample we received, the port number is 39999).
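The two host artifacts this write-up names, the "ssgrate.exe" Run value pointing at system.exe in the Windows System directory and a mail relay listening on the sample's port 39999, can be checked from text exports without touching a live registry. The script below is an added example and is not F-Secure code; it parses a .reg export of the HKCU Run key and a `netstat -ano` listing (both samples are constructed for illustration) and reports matches. The relay port is taken from the analysed sample and may differ in other samples, so the listener check is only corroborating evidence; the Run value is the stronger indicator.

```python
"""Offline triage for the Mitglieder indicators described in the write-up.

Added example, not F-Secure code.  Inputs are text exports so it runs anywhere:
  - a .reg export of HKCU\...\CurrentVersion\Run
  - the output of `netstat -ano` on the suspect host
"""
import re

RUN_KEY = r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "ssgrate.exe"   # value name the trojan creates (from the write-up)
DROPPED_FILE = "system.exe"      # file name it copies itself to (from the write-up)
RELAY_PORT = 39999               # relay port seen in the analysed sample; may vary

# Constructed sample inputs, not real captures.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"
"ssgrate.exe"="C:\\WINDOWS\\system32\\system.exe"
"""

SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:39999          0.0.0.0:0              LISTENING       1844
  TCP    192.168.1.20:49712     203.0.113.5:443        ESTABLISHED     2260
"""

_KEY_RE = re.compile(r"^\[(.+)\]$")
# "name"="data", where name and data may contain backslash-escaped characters
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
_LISTEN_RE = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$")


def _unescape(s):
    """.reg exports escape backslash and double quote with a backslash."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Return {key: {value_name: data}} for the string values in a .reg export."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            keys[current][_unescape(m.group(1))] = _unescape(m.group(2))
    return keys


def _executable_path(data):
    """First token of a command line: a quoted path, or the run up to the first space."""
    m = re.match(r'"([^"]+)"|(\S+)', data.strip())
    return (m.group(1) or m.group(2)) if m else ""


def find_run_key_indicator(reg_text):
    """Flag a Run value named ssgrate.exe whose executable is system.exe."""
    findings = []
    for key, values in parse_reg_export(reg_text).items():
        if key.lower() != RUN_KEY.lower():
            continue
        for name, data in values.items():
            exe_base = _executable_path(data).replace("/", "\\").rsplit("\\", 1)[-1]
            if name.lower() == RUN_VALUE_NAME and exe_base.lower() == DROPPED_FILE:
                findings.append(f"{key}\\{name} -> {data}")
    return findings


def find_relay_listener(netstat_text, port=RELAY_PORT):
    """Return (port, pid) pairs for TCP sockets listening on the relay port."""
    hits = []
    for line in netstat_text.splitlines():
        m = _LISTEN_RE.match(line)
        if m and int(m.group(1)) == port:
            hits.append((port, int(m.group(2))))
    return hits


def triage(reg_text, netstat_text):
    """Combine both checks into a list of human-readable findings."""
    findings = [f"persistence: {f}" for f in find_run_key_indicator(reg_text)]
    findings += [f"listener: tcp/{p} owned by pid {pid}"
                 for p, pid in find_relay_listener(netstat_text)]
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_REG_EXPORT, SAMPLE_NETSTAT):
        print(finding)
```

On a real host, replace the constructed samples with the output of `reg export "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" run.reg` and `netstat -ano`; a persistence hit should be followed by quarantining the referenced file and checking the PID that owns the listener.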



Detection


Detection for this trojan was published on January 15th, 2004 in the following update:

Detection Type: PC
Database: 2004-01-15_01



Technical Details: Alexey Podrezov, January 19th, 2004

