Home > Threat descriptions >

Mitglieder.CN

Classification

Category: Malware

Type: Trojan

Aliases: Mitglieder.CN, W32/Mitglieder.CN, W32/BagleDownloader.dr, W32/BagleDownloader, Email-Worm.Win32.Bagle.bq, Bagle.BQ

Summary


This Mitglieder variant appeared on June 26, 2005. The Mitglieder appears to have been seeded to many users.

Removal


Automatic action

Based on the settings of your F-Secure security product, it will either automatically delete, quarantine or rename the detected program or file, or ask you for a desired action.

Knowledge Base

Find the latest advice in our Community Knowledge Base.

About the product

See the manual for your F-Secure product on the Help Center.

Contact Support

Chat with or call an expert for help.

Submit a sample

Submit a file or URL for further analysis.

Technical Details


The main dropper is a PE executable file 36864 bytes long. The dropped file is a DLL file, 9216 bytes long. Both the dropper and the DLL file are packed. NOTE: the dropped DLL is in fact named wiwshost.exe

Installation to system

When the Mitglieder is first run, it copies itself to Windows System directory as WINSHOST.EXE and drops a DLL file named WIWSHOST.EXE there. This DLL file is then injected into Explorer.exe process.

The dropper/injector creates 2 startup keys and one status key for its file in Windows Registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"winshost.exe" = "%system%\winshost.exe"
 [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"winshost.exe" = "%system%\winshost.exe"
 

where "%system%" represents Windows System folder. Keys are created to ensure the downloader DLL is injected into Explorer next time the system restarts.

On its first run, a status key is created. If this is the very first run of the Mitglieder, it disguises by opening an empty MSPaint.

[HKCU\Software\FirstRun]
"FirstRunRR" = SZ_DWORD 00000001
 
The downloader and its payload

WIWSHOST.EXE file has downloading functionality. It also has functionality that affects various Anti-Virus and Security software. When loaded, it may modify the HOSTS file. Then another piece of code responsible for disabling/altering services with the following names gets control:

wuauserv
PAVSRV
PAVFNSVR
PSIMSVC
Pavkre
PavProt
PREVSRV
PavPrSrv
SharedAccess
navapsvc
NPFMntor
Outpost Firewall
SAVScan
SBService
Symantec Core LC
ccEvtMgr
SNDSrvc
ccPwdSvc
ccSetMgr.exe
SPBBCSvc
KLBLMain
avg7alrt
avg7updsvc
vsmon
CAISafe
avpcc
fsbwsys
backweb client - 4476822
backweb client-4476822
fsdfwd
F-Secure Gatekeeper Handler Starter
FSMA
KAVMonitorService
navapsvc
NProtectService
Norton Antivirus Server
VexiraAntivirus
dvpinit
dvpapi
schscnt
BackWeb Client - 7681197
F-Secure Gatekeeper Handler Starter
FSMA
AVPCC
KAVMonitorService
Norman NJeeves
NVCScheduler
nvcoas
Norman ZANDA
PASSRV
SweepNet
SWEEPSRV.SYS
NOD32ControlCenter
NOD32Service
PCCPFW
Tmntsrv
AvxIni
XCOMM
ravmon8
SmcService
BlackICE
PersFW
McAfee Firewall
OutpostFirewall
NWService
alerter
sharedaccess
NISUM
NISSERV
vsmon
nwclnth
nwclntg
nwclnte
nwclntf
nwclntd
nwclntc
wuauserv
navapsvc
Symantec Core LC
SAVScan
kavsvc
DefWatch
Symantec AntiVirus Client
NSCTOP
Symantec Core LC
SAVScan
SAVFMSE
ccEvtMgr
navapsvc
ccSetMgr
VisNetic AntiVirus Plug-in
McShield
AlertManger
McAfeeFramework
AVExch32Service
AVUPDService
McTaskManager
Network Associates Log Service
Outbreak Manager
MCVSRte
mcupdmgr.exe
AvgServ
AvgCore
AvgFsh
awhost32
Ahnlab task Scheduler
MonSvcNT
V3MonNT
V3MonSvc
FSDFWD
 

The trojan starts a thread that deletes the values contained in the following registry keys:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,Symantec NetDriver Monitor
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,ccApp
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,NAV CfgWiz
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,SSC_UserPrompt
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,McAfee Guardian
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,McAfee.InstantUpdate.Monitor
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,APVXDWIN
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,KAV50
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,avg7_cc
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,avg7_emc
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,Zone Labs Client
HKLM\SOFTWARE\Symantec
HKLM\SOFTWARE\McAfee
HKLM\SOFTWARE\KasperskyLab
HKLM\SOFTWARE\Agnitum
HKLM\SOFTWARE\Panda Software
HKLM\SOFTWARE\Zone Labs
 

The trojan also starts a thread that scans all hard drives and deletes file with the following name:

mysuperprog.exe 			

The trojan stops services with the following names:

SharedAccess
wscsvc
 

The trojan creates a thread that kills processes with the following names:

NUPGRADE.EXE
MCUPDATE.EXE
ATUPDATER.EXE
AUPDATE.EXE
AUTOTRACE.EXE
AUTOUPDATE.EXE
FIREWALL.EXE
ATUPDATER.EXE
LUALL.EXE
DRWEBUPW.EXE
AUTODOWN.EXE
NUPGRADE.EXE
OUTPOST.EXE
ICSSUPPNT.EXE
ICSUPP95.EXE
ESCANH95.EXE
AVXQUAR.EXE
ESCANHNT.EXE
UPGRADER.EXE
AVXQUAR.EXE
AVWUPD32.EXE
AVPUPD.EXE
CFIAUDIT.EXE
UPDATE.EXE
 

Finally the trojan tries to download a file from several webservers. The file is placed to Window directory as 'ile.exe' and is run. The trojan tries to download from the following hardcoded locations:

https://www.ya[BLOCKED]nnick-spruyt.be/osa3.gif
http://www.ya[BLOCKED]yadownload.com/osa3.gif
http://www.ye[BLOCKED]sterdays.co.za/osa3.gif
http://www.ye[BLOCKED]sterdays.co.za/osa3.gif
http://www.ys[BLOCKED]hkj.com/osa3.gif
http://www.ys[BLOCKED]hkj.com/osa3.gif
http://www.za[BLOCKED]kazcd.dp.ua/osa3.gif
http://www.st[BLOCKED]udents.stir.ac.uk/osa3.gif
http://www.ze[BLOCKED]nesoftware.com/osa3.gif
http://www.ze[BLOCKED]ntek.co.za/osa3.gif
http://www.cz[BLOCKED]zm.com/osa3.gif
http://www.iz[BLOCKED]oli.sk/osa3.gif
http://www.zo[BLOCKED]rbas.az/osa3.gif
http://www.zs[BLOCKED]bersala.edu.sk/osa3.gif
http://www.tr[BLOCKED]iptonic.ch/osa3.gif
http://www.tv[BLOCKED]-marina.com/osa3.gif
http://www.tr[BLOCKED]avelourway.com/osa3.gif
http://www.me[BLOCKED]gaserve.net/osa3.gif
http://www.tr[BLOCKED]gd.dobrcz.pl/osa3.gif
http://www.mi[BLOCKED]ld.at/osa3.gif
http://www.mi[BLOCKED]ld.at/osa3.gif
http://www.ki[BLOCKED]ngsley.ch/osa3.gif
http://www.mi[BLOCKED]ld.at/osa3.gif
http://www.el[BLOCKED]vis-presley.ch/osa3.gif
http://www.go[BLOCKED]myhome.com.tw/osa3.gif
http://www.id[BLOCKED]er.cl/osa3.gif
http://www.as[BLOCKED]colfibras.com/osa3.gif
http://www.on[BLOCKED]24.ee/osa3.gif
http://www.xo[BLOCKED]jc.com/osa3.gif
http://www.x-[BLOCKED]treme.cz/osa3.gif
http://www.gy[BLOCKED]mzn.cz/osa3.gif
http://www.gy[BLOCKED]mzn.cz/osa3.gif
http://www.gy[BLOCKED]mzn.cz/osa3.gif
http://www.xi[BLOCKED]antong.net/osa3.gif
http://www.xm[BLOCKED]pie.com/osa3.gif
http://www.xm[BLOCKED]pie.com/osa3.gif
http://www.xm[BLOCKED]td.com/osa3.gif
http://www.on[BLOCKED]link.net/osa3.gif
http://www.di[BLOCKED]scoteka-funfactory.com/osa3.gif
http://www.to[BLOCKED]ussain.be/osa3.gif
http://www.id[BLOCKED]cs.be/osa3.gif
http://www.ge[BLOCKED]peters.org/osa3.gif
http://www.an[BLOCKED]gham.de/osa3.gif
http://www.id[BLOCKED]af.de/osa3.gif
http://www.bo[BLOCKED]lz.at/osa3.gif
http://www.so[BLOCKED]cietaet.de/osa3.gif
http://www.pp[BLOCKED]m-alliance.de/osa3.gif
http://www.ud[BLOCKED]c-cassinadepecchi.it/osa3.gif
http://www.un[BLOCKED]iverse.sk/osa3.gif
http://www.ji[BLOCKED]ngjuok.com/osa3.gif
http://www.ge[BLOCKED]mtrox.com.tw/osa3.gif
http://www.us[BLOCKED]powerchair.com/osa3.gif
http://www.st[BLOCKED]eripharm.com/osa3.gif
http://www.be[BLOCKED]all-cpa.com/osa3.gif
http://www.jc[BLOCKED]m-american.com/osa3.gif
http://www.ve[BLOCKED]rcruyssenelektro.be/osa3.gif
http://www.ce[BLOCKED]ntrovestecasa.it/osa3.gif
http://www.ve[BLOCKED]t24h.com/osa3.gif
http://www.vi[BLOCKED]nimeloni.com/osa3.gif
http://www.vn[BLOCKED]rvjiet.ac.in/osa3.gif
http://www.vo[BLOCKED]te2fateh.com/osa3.gif
http://www.ma[BLOCKED]rketvw.com/osa3.gif
http://www.fo[BLOCKED]rmholz.at/osa3.gif
http://www.ch[BLOCKED]eckonemedia.nl/osa3.gif
http://www.fo[BLOCKED]tomax.fi/osa3.gif
http://www.vw[BLOCKED].press-bank.pl/osa3.gif
http://www.wa[BLOCKED]mba.asn.au/osa3.gif
http://www.cz[BLOCKED]-wanjia.com/osa3.gif
http://www.cz[BLOCKED]wanqing.com/osa3.gif
http://www.wd[BLOCKED]lp.co.za/osa3.gif
http://www.au[BLOCKED]tomobilonline.de/osa3.gif
http://www.ba[BLOCKED]ngyan.cn/osa3.gif
http://www.21[BLOCKED]ebuild.com/osa3.gif
http://www.ea[BLOCKED]gle.com.cn/osa3.gif
http://www.ea[BLOCKED]gleclub.com.cn/osa3.gif
http://www.ea[BLOCKED]gleclub.com.cn/osa3.gif
http://www.sa[BLOCKED]njinyuan.com/osa3.gif
http://www.de[BLOCKED]signgong.org/osa3.gif
http://www.fe[BLOCKED]rmegaroy.com/osa3.gif
http://www.we[BLOCKED]lchcorp.com/osa3.gif
http://www.sn[BLOCKED]sphoto.com/osa3.gif
http://www.so[BLOCKED]eco.org/osa3.gif
http://www.so[BLOCKED]ftmajor.ru/osa3.gif
http://www.so[BLOCKED]lt3.org/osa3.gif
http://www.sq[BLOCKED]nsolutions.com/osa3.gif
http://www.sp[BLOCKED]acium.biz/osa3.gif
http://www.sp[BLOCKED]eedcom.home.pl/osa3.gif
http://www.tr[BLOCKED]ago.com.pt/osa3.gif
http://www.sp[BLOCKED]irit-in-steel.at/osa3.gif
http://www.sp[BLOCKED]y.az/osa3.gif
http://www.st[BLOCKED]-paulus-bonn.dehtdocs/osa3.gif
http://www.st[BLOCKED]bs.com.hk/osa3.gif
http://www.ac[BLOCKED]sohio.com/osa3.gif
http://www.ol[BLOCKED]va.com.pe/osa3.gif
http://www.su[BLOCKED]bsplanet.com/osa3.gif
http://www.su[BLOCKED]ngodbio.com/osa3.gif
http://www.su[BLOCKED]perbetcs.com/osa3.gif
http://www.vn[BLOCKED]n.vn/osa3.gif
http://www.sy[BLOCKED]dolo.com/osa3.gif
http://www.sz[BLOCKED]diheng.com/osa3.gif
http://www.ag[BLOCKED]ria.hu/osa3.gif
http://www.ex[BLOCKED]ternet.hu/osa3.gif
http://www.ho[BLOCKED]ndenservice.be/osa3.gif
http://www.eh[BLOCKED]c.hu/osa3.gif
http://www.tc[BLOCKED]icampus.net/osa3.gif
http://www.co[BLOCKED]ntentproject.com/osa3.gif
http://www.fe[BLOCKED]stivalteatrooccidente.com/osa3.gif
http://www.te[BLOCKED]chni.com.cn/osa3.gif
http://www.fe[BLOCKED]stivalteatrooccidente.com/osa3.gif
http://www.th[BLOCKED]aifast.com/osa3.gif
http://www.th[BLOCKED]aiventure.com/osa3.gif
http://www.an[BLOCKED]di.com.vn/osa3.gif
http://www.re[BLOCKED]playu.com/osa3.gif
http://www.th[BLOCKED]-mutan.com/osa3.gif
http://www.th[BLOCKED]etexasoutfitter.com/osa3.gif
http://www.tm[BLOCKED]hcsd1987.friko.pl/osa3.gif
http://www.th[BLOCKED]enextstep.tv/osa3.gif
http://www.th[BLOCKED]enextstep.tv/osa3.gif
http://www.we[BLOCKED]sartproductions.com/osa3.gif
http://www.wi[BLOCKED]lsonscountry.com/osa3.gif
http://www.wi[BLOCKED]ndstar.pl/osa3.gif
http://www.wi[BLOCKED]se-industries.com/osa3.gif
http://www.wi[BLOCKED]told.pl/osa3.gif
http://www.wi[BLOCKED]told.pl/osa3.gif
http://www.51[BLOCKED].net/osa3.gif
http://www.sl[BLOCKED]ovanet.sk/osa3.gif
http://www.wo[BLOCKED]mbband.com/osa3.gif
http://www.da[BLOCKED]tanet.huwww.datanet.hu/osa3.gif
http://www.uw[BLOCKED].hu/osa3.gif
http://www.dg[BLOCKED]y.com.cn/osa3.gif
http://www.bs[BLOCKED]-security.de/osa3.gif
http://www.di[BLOCKED]e-fliesen.de/osa3.gif
http://www.do[BLOCKED]m-invest.com.pl/osa3.gif
http://www.en[BLOCKED]gelhardtgmbh.de/osa3.gif
http://www.tr[BLOCKED]iapex.cz/osa3.gif
http://www.fa[BLOCKED]hrschule-herb.de/osa3.gif
http://www.fa[BLOCKED]hrschule-lesser.de/osa3.gif
http://www.gi[BLOCKED]mex-messzeuge.de/osa3.gif
http://www.in[BLOCKED]side-tgweb.de/osa3.gif
http://www.ju[BLOCKED]e-bo.com/osa3.gif
http://www.ni[BLOCKED]ko.de/osa3.gif
http://www.ni[BLOCKED]kogmbh.com/osa3.gif
http://www.re[BLOCKED]negaderc.com/osa3.gif
http://www.sa[BLOCKED]chsenbuecher.de/osa3.gif
http://www.sc[BLOCKED]vanravenswaaij.nl/osa3.gif
http://www.sp[BLOCKED]oden.de/osa3.gif
http://www.sp[BLOCKED]ortnf.com/osa3.gif
http://www.sw[BLOCKED]eb.cz/osa3.gif
http://www.tg[BLOCKED]-sandhausen-basketball.de/osa3.gif
http://www.th[BLOCKED]efunkiest.com/osa3.gif
http://www.th[BLOCKED]efunkiest.com/osa3.gif
http://www.je[BLOCKED]oushinn.com/osa3.gif
http://www.pr[BLOCKED]esley.ch/osa3.gif
 

NOTE: The list of URLs is intentinally modified. Please contact F-Secure with inquiries for the complete list.