Threat description


Category: Malware
Type: Trojan
Platform: W32


This Mitglieder variant appeared on June 26, 2005. It appears to have been seeded to many users.


Automatic action

Depending on the settings of your F-Secure security product, it will either automatically delete, quarantine or rename the suspect file, or ask you for a desired action.

More scanning & removal options

More information on the scanning and removal options available in your F-Secure product can be found in the Help Center.

You may also refer to the Knowledge Base on the F-Secure Community site for more information.

Contact Support

F-Secure customers can request support online via the Request support or the Chat forms on our Home - Global site.

Technical Details

The main dropper is a PE executable file 36864 bytes long. The dropped file is a DLL file, 9216 bytes long. Both the dropper and the DLL file are packed. NOTE: the dropped DLL is in fact named wiwshost.exe

Installation to system

When the Mitglieder is first run, it copies itself to the Windows System directory as WINSHOST.EXE and drops a DLL file named WIWSHOST.EXE there. This DLL file is then injected into the Explorer.exe process.

The dropper/injector creates two startup keys and one status key for its file in the Windows Registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"winshost.exe" = "%system%\winshost.exe"

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"winshost.exe" = "%system%\winshost.exe"

where "%system%" represents the Windows System folder. These keys ensure that the downloader DLL is injected into Explorer again the next time the system restarts.

On its first run, a status key is created. If this is the very first run of the Mitglieder, it disguises itself by opening an empty MSPaint window.

[HKCU\Software\FirstRun]
"FirstRunRR" = SZ_DWORD 00000001

The downloader and its payload

The WIWSHOST.EXE file has downloading functionality. It also has functionality that affects various anti-virus and security software. When loaded, it may modify the HOSTS file. Then another piece of code, responsible for disabling or altering services with the following names, gets control:

wuauserv
PAVSRV
PAVFNSVR
PSIMSVC
Pavkre
PavProt
PREVSRV
PavPrSrv
SharedAccess
navapsvc
NPFMntor
Outpost Firewall
SAVScan
SBService
Symantec Core LC
ccEvtMgr
SNDSrvc
ccPwdSvc
ccSetMgr.exe
SPBBCSvc
KLBLMain
avg7alrt
avg7updsvc
vsmon
CAISafe
avpcc
fsbwsys
backweb client - 4476822
backweb client-4476822
fsdfwd
F-Secure Gatekeeper Handler Starter
FSMA
KAVMonitorService
navapsvc
NProtectService
Norton Antivirus Server
VexiraAntivirus
dvpinit
dvpapi
schscnt
BackWeb Client - 7681197
F-Secure Gatekeeper Handler Starter
FSMA
AVPCC
KAVMonitorService
Norman NJeeves
NVCScheduler
nvcoas
Norman ZANDA
PASSRV
SweepNet
SWEEPSRV.SYS
NOD32ControlCenter
NOD32Service
PCCPFW
Tmntsrv
AvxIni
XCOMM
ravmon8
SmcService
BlackICE
PersFW
McAfee Firewall
OutpostFirewall
NWService
alerter
sharedaccess
NISUM
NISSERV
vsmon
nwclnth
nwclntg
nwclnte
nwclntf
nwclntd
nwclntc
wuauserv
navapsvc
Symantec Core LC
SAVScan
kavsvc
DefWatch
Symantec AntiVirus Client
NSCTOP
Symantec Core LC
SAVScan
SAVFMSE
ccEvtMgr
navapsvc
ccSetMgr
VisNetic AntiVirus Plug-in
McShield
AlertManger
McAfeeFramework
AVExch32Service
AVUPDService
McTaskManager
Network Associates Log Service
Outbreak Manager
MCVSRte
mcupdmgr.exe
AvgServ
AvgCore
AvgFsh
awhost32
Ahnlab task Scheduler
MonSvcNT
V3MonNT
V3MonSvc
FSDFWD

The trojan starts a thread that deletes the values contained in the following registry keys:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,Symantec NetDriver Monitor
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,ccApp
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,NAV CfgWiz
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,SSC_UserPrompt
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,McAfee Guardian
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,McAfee.InstantUpdate.Monitor
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,APVXDWIN
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,KAV50
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,avg7_cc
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,avg7_emc
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,Zone Labs Client
HKLM\SOFTWARE\Symantec
HKLM\SOFTWARE\McAfee
HKLM\SOFTWARE\KasperskyLab
HKLM\SOFTWARE\Agnitum
HKLM\SOFTWARE\Panda Software
HKLM\SOFTWARE\Zone Labs

The trojan also starts a thread that scans all hard drives and deletes a file with the following name:


The trojan stops services with the following names:

SharedAccess
wscsvc
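As an added example (not part of the F-Secure write-up), the following PowerShell script triages a host for the artifacts described in the installation section above (the WINSHOST.EXE/WIWSHOST.EXE files, the two Run values and the FirstRunRR status key) and in the service section (SharedAccess and wscsvc stopped). It also checks for the 'ile.exe' payload named in the download section. The HOSTS-file heuristic is an assumption, since the write-up only says the file "may" be modified, and the script is meant to be run from an elevated prompt on the host being examined.

```powershell
# Added example, not F-Secure's code: check a host for the Mitglieder
# indicators given in this description. Run elevated so HKLM and the
# System directory are readable.

$findings = @()
$system = [Environment]::GetFolderPath('System')   # resolves %system%

# 1. Dropped files in the Windows System directory
foreach ($name in 'winshost.exe', 'wiwshost.exe') {
    $path = Join-Path $system $name
    if (Test-Path -LiteralPath $path) {
        $findings += "File present: $path"
    }
}

# 2. Startup values named "winshost.exe" under the HKCU and HKLM Run keys
foreach ($hive in 'HKCU:', 'HKLM:') {
    $key = "$hive\Software\Microsoft\Windows\CurrentVersion\Run"
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($props -and $props.PSObject.Properties['winshost.exe']) {
        $findings += "Run value: $key\winshost.exe = $($props.'winshost.exe')"
    }
}

# 3. Status key written on the very first run
$fr = Get-ItemProperty -Path 'HKCU:\Software\FirstRun' -Name FirstRunRR -ErrorAction SilentlyContinue
if ($fr) {
    $findings += "Status key: HKCU\Software\FirstRun\FirstRunRR = $($fr.FirstRunRR)"
}

# 4. Services the trojan stops (Windows Firewall/ICS and Security Center)
foreach ($svc in 'SharedAccess', 'wscsvc') {
    $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
    if ($s -and $s.Status -ne 'Running') {
        $findings += "Service $svc is $($s.Status)"
    }
}

# 5. Downloaded payload dropped into the Windows directory
$payload = Join-Path $env:windir 'ile.exe'
if (Test-Path -LiteralPath $payload) {
    $findings += "Payload present: $payload"
}

# 6. HOSTS file (assumed heuristic): report any address entry that is not
#    a plain loopback mapping, since the write-up says HOSTS may be altered.
$hostsFile = Join-Path $system 'drivers\etc\hosts'
if (Test-Path -LiteralPath $hostsFile) {
    foreach ($line in Get-Content -LiteralPath $hostsFile) {
        if ($line -match '^\s*\d' -and $line -notmatch '^\s*127\.0\.0\.1\s') {
            $findings += "HOSTS entry: $line"
        }
    }
}

if ($findings) {
    foreach ($f in $findings) { Write-Output "[!] $f" }
} else {
    Write-Output 'No Mitglieder indicators found.'
}
```

Every finding here is an indicator, not proof on its own: a stopped SharedAccess service or a non-loopback HOSTS line can be legitimate, but the combination of the Run value, the file in the System directory and the FirstRunRR key matches this write-up closely.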

The trojan creates a thread that kills processes with the following names:


Finally, the trojan tries to download a file from several web servers. The file is saved in the Windows directory as 'ile.exe' and run. The trojan tries to download from the following hardcoded locations:

https://www.ya[BLOCKED]
http://www.ya[BLOCKED][BLOCKED][BLOCKED]
http://www.ys[BLOCKED]
http://www.ys[BLOCKED][BLOCKED][BLOCKED]
http://www.ze[BLOCKED]
http://www.ze[BLOCKED][BLOCKED]
http://www.iz[BLOCKED]
http://www.zo[BLOCKED]
http://www.zs[BLOCKED][BLOCKED][BLOCKED][BLOCKED][BLOCKED][BLOCKED]
http://www.mi[BLOCKED]
http://www.mi[BLOCKED][BLOCKED]
http://www.mi[BLOCKED]
http://www.el[BLOCKED]
http://www.go[BLOCKED][BLOCKED][BLOCKED]
http://www.on[BLOCKED]
http://www.xo[BLOCKED]
http://www.x-[BLOCKED][BLOCKED][BLOCKED][BLOCKED]
http://www.xi[BLOCKED]
http://www.xm[BLOCKED]
http://www.xm[BLOCKED]
http://www.xm[BLOCKED]
http://www.on[BLOCKED]
http://www.di[BLOCKED][BLOCKED][BLOCKED][BLOCKED][BLOCKED][BLOCKED][BLOCKED][BLOCKED]
http://www.pp[BLOCKED]
http://www.ud[BLOCKED]
http://www.un[BLOCKED]
http://www.ji[BLOCKED][BLOCKED][BLOCKED][BLOCKED][BLOCKED]
http://www.jc[BLOCKED][BLOCKED]
http://www.ce[BLOCKED][BLOCKED][BLOCKED][BLOCKED]
http://www.vo[BLOCKED][BLOCKED][BLOCKED][BLOCKED][BLOCKED]
http://www.vw[BLOCKED]
http://www.wa[BLOCKED][BLOCKED][BLOCKED]
http://www.wd[BLOCKED][BLOCKED][BLOCKED]
http://www.21[BLOCKED]
http://www.ea[BLOCKED]
http://www.ea[BLOCKED]
http://www.ea[BLOCKED][BLOCKED][BLOCKED]
http://www.fe[BLOCKED]
http://www.we[BLOCKED][BLOCKED][BLOCKED][BLOCKED][BLOCKED]
http://www.sq[BLOCKED]
http://www.sp[BLOCKED]
http://www.sp[BLOCKED][BLOCKED]
http://www.sp[BLOCKED]
http://www.sp[BLOCKED][BLOCKED]-paulus-bonn.dehtdocs/osa3.gif[BLOCKED][BLOCKED]
http://www.ol[BLOCKED][BLOCKED][BLOCKED][BLOCKED][BLOCKED][BLOCKED][BLOCKED][BLOCKED]
http://www.ex[BLOCKED]
http://www.ho[BLOCKED][BLOCKED][BLOCKED][BLOCKED]
http://www.fe[BLOCKED]
http://www.te[BLOCKED]
http://www.fe[BLOCKED][BLOCKED][BLOCKED][BLOCKED][BLOCKED][BLOCKED][BLOCKED][BLOCKED][BLOCKED][BLOCKED]
http://www.we[BLOCKED]
http://www.wi[BLOCKED]
http://www.wi[BLOCKED]
http://www.wi[BLOCKED]
http://www.wi[BLOCKED]
http://www.wi[BLOCKED]
http://www.51[BLOCKED].net/osa3.gif[BLOCKED]
http://www.wo[BLOCKED]
http://www.da[BLOCKED]
http://www.uw[BLOCKED].hu/osa3.gif
http://www.dg[BLOCKED][BLOCKED]
http://www.di[BLOCKED][BLOCKED]
http://www.en[BLOCKED][BLOCKED]
http://www.fa[BLOCKED]
http://www.fa[BLOCKED][BLOCKED][BLOCKED]
http://www.ju[BLOCKED][BLOCKED][BLOCKED][BLOCKED][BLOCKED][BLOCKED]
http://www.sp[BLOCKED]
http://www.sp[BLOCKED]
http://www.sw[BLOCKED][BLOCKED][BLOCKED][BLOCKED][BLOCKED][BLOCKED]

NOTE: The list of URLs is intentionally modified. Please contact F-Secure with inquiries for the complete list.
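The download behaviour above has a network-side signature that a defender can look for without the full URL list: the downloader walks a long list of unrelated hosts asking each for the same path (several of the partially redacted URLs end in /osa3.gif), so a single client fetching one path from many distinct hosts within a few seconds stands out in a proxy log. The following PowerShell function is an added example, not code from F-Secure; the log format, client addresses and host names are constructed for the demonstration, and the five-minute window and three-host threshold are assumptions to tune against real traffic.

```powershell
# Added example, not F-Secure's code: flag one client requesting the same
# URL path from many distinct hosts within a short window, the retry
# pattern of a downloader with a hard-coded URL list.

# Constructed sample records: timestamp, client, method, URL, HTTP status
$sampleLog = @'
2005-06-26T10:00:01 10.0.0.5 GET http://www.example-a.test/osa3.gif 404
2005-06-26T10:00:02 10.0.0.5 GET http://www.example-b.test/osa3.gif 404
2005-06-26T10:00:02 10.0.0.5 GET http://www.example-c.test/osa3.gif 200
2005-06-26T10:00:03 10.0.0.5 GET http://www.example-d.test/osa3.gif 404
2005-06-26T10:00:10 10.0.0.9 GET http://www.example-a.test/index.html 200
2005-06-26T10:30:00 10.0.0.9 GET http://www.example-b.test/osa3.gif 200
'@

function Find-MultiHostFetch {
    param(
        [string[]]$Lines,
        [timespan]$Window = [timespan]::FromMinutes(5),   # assumed window
        [int]$MinHosts = 3                                # assumed threshold
    )
    # Parse each record into client, host and path
    $events = $Lines | Where-Object { $_.Trim() } | ForEach-Object {
        $ts, $client, $method, $url, $status = $_ -split '\s+'
        $u = [uri]$url
        [pscustomobject]@{
            Time   = [datetime]::Parse($ts)
            Client = $client
            Host   = $u.Host
            Path   = $u.AbsolutePath
        }
    }
    # Examine each client/path pair in time order with a sliding window
    $events | Group-Object Client, Path | ForEach-Object {
        $seq = @($_.Group | Sort-Object Time)
        $hosts = @{}
        $start = 0
        for ($end = 0; $end -lt $seq.Count; $end++) {
            while (($seq[$end].Time - $seq[$start].Time) -gt $Window) { $start++ }
            $inWindow = $seq[$start..$end] | Select-Object -ExpandProperty Host -Unique
            if (@($inWindow).Count -ge $MinHosts) {
                foreach ($h in $inWindow) { $hosts[$h] = $true }
            }
        }
        if ($hosts.Count) {
            [pscustomobject]@{
                Client = $seq[0].Client
                Path   = $seq[0].Path
                Hosts  = @($hosts.Keys | Sort-Object)
            }
        }
    }
}

# On the sample this reports 10.0.0.5 fetching /osa3.gif from four hosts;
# the lone request from 10.0.0.9 half an hour later is not flagged.
Find-MultiHostFetch -Lines ($sampleLog -split '\r?\n') | ForEach-Object {
    "[!] $($_.Client) fetched $($_.Path) from $($_.Hosts.Count) hosts: $($_.Hosts -join ', ')"
}
```

Keying on client and path rather than on a specific file name keeps the rule useful when the operators rename the payload; what does not change easily is the list-walking behaviour itself.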


F-Secure Anti-Virus detects both the dropper and the downloader with the following update: Detection Type:PC

The other dropper variant is detected by the following update: Detection Type:PC

Technical Details: Tzvetan Chaliavski, June 26, 2005

