Mitglieder.CN

Threat description

Details

CATEGORYMalware
TYPETrojan

Summary

This Mitglieder variant appeared on June 26, 2005. The Mitglieder appears to have been seeded to many users.

Removal

Automatic action

Depending on the settings of your F-Secure security product, it will either automatically delete, quarantine or rename the suspect file, or ask you for a desired action.

More scanning & removal options

More information on the scanning and removal options available in your F-Secure product can be found in the Help Center.

You may also refer to the Knowledge Base on the F-Secure Community site for more information.

Contact Support

F-Secure customers can request support online via the Request support or the Chat forms on our Home - Global site.

Technical Details

The main dropper is a PE executable file 36864 bytes long. The dropped file is a DLL file, 9216 bytes long. Both the dropper and the DLL file are packed. NOTE: the dropped DLL is in fact named wiwshost.exe

Installation to system

When the Mitglieder is first run, it copies itself to Windows System directory as WINSHOST.EXE and drops a DLL file named WIWSHOST.EXE there. This DLL file is then injected into Explorer.exe process.

The dropper/injector creates 2 startup keys and one status key for its file in Windows Registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"winshost.exe" = "%system%\winshost.exe"
 [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"winshost.exe" = "%system%\winshost.exe"
 

where "%system%" represents Windows System folder. Keys are created to ensure the downloader DLL is injected into Explorer next time the system restarts.

On its first run, a status key is created. If this is the very first run of the Mitglieder, it disguises by opening an empty MSPaint.

[HKCU\Software\FirstRun]
"FirstRunRR" = SZ_DWORD 00000001
 
The downloader and its payload

WIWSHOST.EXE file has downloading functionality. It also has functionality that affects various Anti-Virus and Security software. When loaded, it may modify the HOSTS file. Then another piece of code responsible for disabling/altering services with the following names gets control:

wuauserv
PAVSRV
PAVFNSVR
PSIMSVC
Pavkre
PavProt
PREVSRV
PavPrSrv
SharedAccess
navapsvc
NPFMntor
Outpost Firewall
SAVScan
SBService
Symantec Core LC
ccEvtMgr
SNDSrvc
ccPwdSvc
ccSetMgr.exe
SPBBCSvc
KLBLMain
avg7alrt
avg7updsvc
vsmon
CAISafe
avpcc
fsbwsys
backweb client - 4476822
backweb client-4476822
fsdfwd
F-Secure Gatekeeper Handler Starter
FSMA
KAVMonitorService
navapsvc
NProtectService
Norton Antivirus Server
VexiraAntivirus
dvpinit
dvpapi
schscnt
BackWeb Client - 7681197
F-Secure Gatekeeper Handler Starter
FSMA
AVPCC
KAVMonitorService
Norman NJeeves
NVCScheduler
nvcoas
Norman ZANDA
PASSRV
SweepNet
SWEEPSRV.SYS
NOD32ControlCenter
NOD32Service
PCCPFW
Tmntsrv
AvxIni
XCOMM
ravmon8
SmcService
BlackICE
PersFW
McAfee Firewall
OutpostFirewall
NWService
alerter
sharedaccess
NISUM
NISSERV
vsmon
nwclnth
nwclntg
nwclnte
nwclntf
nwclntd
nwclntc
wuauserv
navapsvc
Symantec Core LC
SAVScan
kavsvc
DefWatch
Symantec AntiVirus Client
NSCTOP
Symantec Core LC
SAVScan
SAVFMSE
ccEvtMgr
navapsvc
ccSetMgr
VisNetic AntiVirus Plug-in
McShield
AlertManger
McAfeeFramework
AVExch32Service
AVUPDService
McTaskManager
Network Associates Log Service
Outbreak Manager
MCVSRte
mcupdmgr.exe
AvgServ
AvgCore
AvgFsh
awhost32
Ahnlab task Scheduler
MonSvcNT
V3MonNT
V3MonSvc
FSDFWD
 

The trojan starts a thread that deletes the values contained in the following registry keys:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,Symantec NetDriver Monitor
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,ccApp
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,NAV CfgWiz
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,SSC_UserPrompt
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,McAfee Guardian
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,McAfee.InstantUpdate.Monitor
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,APVXDWIN
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,KAV50
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,avg7_cc
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,avg7_emc
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,Zone Labs Client
HKLM\SOFTWARE\Symantec
HKLM\SOFTWARE\McAfee
HKLM\SOFTWARE\KasperskyLab
HKLM\SOFTWARE\Agnitum
HKLM\SOFTWARE\Panda Software
HKLM\SOFTWARE\Zone Labs
 

The trojan also starts a thread that scans all hard drives and deletes file with the following name:

mysuperprog.exe 			

The trojan stops services with the following names:

SharedAccess
wscsvc
 

The trojan creates a thread that kills processes with the following names:

NUPGRADE.EXE
MCUPDATE.EXE
ATUPDATER.EXE
AUPDATE.EXE
AUTOTRACE.EXE
AUTOUPDATE.EXE
FIREWALL.EXE
ATUPDATER.EXE
LUALL.EXE
DRWEBUPW.EXE
AUTODOWN.EXE
NUPGRADE.EXE
OUTPOST.EXE
ICSSUPPNT.EXE
ICSUPP95.EXE
ESCANH95.EXE
AVXQUAR.EXE
ESCANHNT.EXE
UPGRADER.EXE
AVXQUAR.EXE
AVWUPD32.EXE
AVPUPD.EXE
CFIAUDIT.EXE
UPDATE.EXE
 

Finally the trojan tries to download a file from several webservers. The file is placed to Window directory as 'ile.exe' and is run. The trojan tries to download from the following hardcoded locations:

https://www.ya[BLOCKED]nnick-spruyt.be/osa3.gif
http://www.ya[BLOCKED]yadownload.com/osa3.gif
http://www.ye[BLOCKED]sterdays.co.za/osa3.gif
http://www.ye[BLOCKED]sterdays.co.za/osa3.gif
http://www.ys[BLOCKED]hkj.com/osa3.gif
http://www.ys[BLOCKED]hkj.com/osa3.gif
http://www.za[BLOCKED]kazcd.dp.ua/osa3.gif
http://www.st[BLOCKED]udents.stir.ac.uk/osa3.gif
http://www.ze[BLOCKED]nesoftware.com/osa3.gif
http://www.ze[BLOCKED]ntek.co.za/osa3.gif
http://www.cz[BLOCKED]zm.com/osa3.gif
http://www.iz[BLOCKED]oli.sk/osa3.gif
http://www.zo[BLOCKED]rbas.az/osa3.gif
http://www.zs[BLOCKED]bersala.edu.sk/osa3.gif
http://www.tr[BLOCKED]iptonic.ch/osa3.gif
http://www.tv[BLOCKED]-marina.com/osa3.gif
http://www.tr[BLOCKED]avelourway.com/osa3.gif
http://www.me[BLOCKED]gaserve.net/osa3.gif
http://www.tr[BLOCKED]gd.dobrcz.pl/osa3.gif
http://www.mi[BLOCKED]ld.at/osa3.gif
http://www.mi[BLOCKED]ld.at/osa3.gif
http://www.ki[BLOCKED]ngsley.ch/osa3.gif
http://www.mi[BLOCKED]ld.at/osa3.gif
http://www.el[BLOCKED]vis-presley.ch/osa3.gif
http://www.go[BLOCKED]myhome.com.tw/osa3.gif
http://www.id[BLOCKED]er.cl/osa3.gif
http://www.as[BLOCKED]colfibras.com/osa3.gif
http://www.on[BLOCKED]24.ee/osa3.gif
http://www.xo[BLOCKED]jc.com/osa3.gif
http://www.x-[BLOCKED]treme.cz/osa3.gif
http://www.gy[BLOCKED]mzn.cz/osa3.gif
http://www.gy[BLOCKED]mzn.cz/osa3.gif
http://www.gy[BLOCKED]mzn.cz/osa3.gif
http://www.xi[BLOCKED]antong.net/osa3.gif
http://www.xm[BLOCKED]pie.com/osa3.gif
http://www.xm[BLOCKED]pie.com/osa3.gif
http://www.xm[BLOCKED]td.com/osa3.gif
http://www.on[BLOCKED]link.net/osa3.gif
http://www.di[BLOCKED]scoteka-funfactory.com/osa3.gif
http://www.to[BLOCKED]ussain.be/osa3.gif
http://www.id[BLOCKED]cs.be/osa3.gif
http://www.ge[BLOCKED]peters.org/osa3.gif
http://www.an[BLOCKED]gham.de/osa3.gif
http://www.id[BLOCKED]af.de/osa3.gif
http://www.bo[BLOCKED]lz.at/osa3.gif
http://www.so[BLOCKED]cietaet.de/osa3.gif
http://www.pp[BLOCKED]m-alliance.de/osa3.gif
http://www.ud[BLOCKED]c-cassinadepecchi.it/osa3.gif
http://www.un[BLOCKED]iverse.sk/osa3.gif
http://www.ji[BLOCKED]ngjuok.com/osa3.gif
http://www.ge[BLOCKED]mtrox.com.tw/osa3.gif
http://www.us[BLOCKED]powerchair.com/osa3.gif
http://www.st[BLOCKED]eripharm.com/osa3.gif
http://www.be[BLOCKED]all-cpa.com/osa3.gif
http://www.jc[BLOCKED]m-american.com/osa3.gif
http://www.ve[BLOCKED]rcruyssenelektro.be/osa3.gif
http://www.ce[BLOCKED]ntrovestecasa.it/osa3.gif
http://www.ve[BLOCKED]t24h.com/osa3.gif
http://www.vi[BLOCKED]nimeloni.com/osa3.gif
http://www.vn[BLOCKED]rvjiet.ac.in/osa3.gif
http://www.vo[BLOCKED]te2fateh.com/osa3.gif
http://www.ma[BLOCKED]rketvw.com/osa3.gif
http://www.fo[BLOCKED]rmholz.at/osa3.gif
http://www.ch[BLOCKED]eckonemedia.nl/osa3.gif
http://www.fo[BLOCKED]tomax.fi/osa3.gif
http://www.vw[BLOCKED].press-bank.pl/osa3.gif
http://www.wa[BLOCKED]mba.asn.au/osa3.gif
http://www.cz[BLOCKED]-wanjia.com/osa3.gif
http://www.cz[BLOCKED]wanqing.com/osa3.gif
http://www.wd[BLOCKED]lp.co.za/osa3.gif
http://www.au[BLOCKED]tomobilonline.de/osa3.gif
http://www.ba[BLOCKED]ngyan.cn/osa3.gif
http://www.21[BLOCKED]ebuild.com/osa3.gif
http://www.ea[BLOCKED]gle.com.cn/osa3.gif
http://www.ea[BLOCKED]gleclub.com.cn/osa3.gif
http://www.ea[BLOCKED]gleclub.com.cn/osa3.gif
http://www.sa[BLOCKED]njinyuan.com/osa3.gif
http://www.de[BLOCKED]signgong.org/osa3.gif
http://www.fe[BLOCKED]rmegaroy.com/osa3.gif
http://www.we[BLOCKED]lchcorp.com/osa3.gif
http://www.sn[BLOCKED]sphoto.com/osa3.gif
http://www.so[BLOCKED]eco.org/osa3.gif
http://www.so[BLOCKED]ftmajor.ru/osa3.gif
http://www.so[BLOCKED]lt3.org/osa3.gif
http://www.sq[BLOCKED]nsolutions.com/osa3.gif
http://www.sp[BLOCKED]acium.biz/osa3.gif
http://www.sp[BLOCKED]eedcom.home.pl/osa3.gif
http://www.tr[BLOCKED]ago.com.pt/osa3.gif
http://www.sp[BLOCKED]irit-in-steel.at/osa3.gif
http://www.sp[BLOCKED]y.az/osa3.gif
http://www.st[BLOCKED]-paulus-bonn.dehtdocs/osa3.gif
http://www.st[BLOCKED]bs.com.hk/osa3.gif
http://www.ac[BLOCKED]sohio.com/osa3.gif
http://www.ol[BLOCKED]va.com.pe/osa3.gif
http://www.su[BLOCKED]bsplanet.com/osa3.gif
http://www.su[BLOCKED]ngodbio.com/osa3.gif
http://www.su[BLOCKED]perbetcs.com/osa3.gif
http://www.vn[BLOCKED]n.vn/osa3.gif
http://www.sy[BLOCKED]dolo.com/osa3.gif
http://www.sz[BLOCKED]diheng.com/osa3.gif
http://www.ag[BLOCKED]ria.hu/osa3.gif
http://www.ex[BLOCKED]ternet.hu/osa3.gif
http://www.ho[BLOCKED]ndenservice.be/osa3.gif
http://www.eh[BLOCKED]c.hu/osa3.gif
http://www.tc[BLOCKED]icampus.net/osa3.gif
http://www.co[BLOCKED]ntentproject.com/osa3.gif
http://www.fe[BLOCKED]stivalteatrooccidente.com/osa3.gif
http://www.te[BLOCKED]chni.com.cn/osa3.gif
http://www.fe[BLOCKED]stivalteatrooccidente.com/osa3.gif
http://www.th[BLOCKED]aifast.com/osa3.gif
http://www.th[BLOCKED]aiventure.com/osa3.gif
http://www.an[BLOCKED]di.com.vn/osa3.gif
http://www.re[BLOCKED]playu.com/osa3.gif
http://www.th[BLOCKED]-mutan.com/osa3.gif
http://www.th[BLOCKED]etexasoutfitter.com/osa3.gif
http://www.tm[BLOCKED]hcsd1987.friko.pl/osa3.gif
http://www.th[BLOCKED]enextstep.tv/osa3.gif
http://www.th[BLOCKED]enextstep.tv/osa3.gif
http://www.we[BLOCKED]sartproductions.com/osa3.gif
http://www.wi[BLOCKED]lsonscountry.com/osa3.gif
http://www.wi[BLOCKED]ndstar.pl/osa3.gif
http://www.wi[BLOCKED]se-industries.com/osa3.gif
http://www.wi[BLOCKED]told.pl/osa3.gif
http://www.wi[BLOCKED]told.pl/osa3.gif
http://www.51[BLOCKED].net/osa3.gif
http://www.sl[BLOCKED]ovanet.sk/osa3.gif
http://www.wo[BLOCKED]mbband.com/osa3.gif
http://www.da[BLOCKED]tanet.huwww.datanet.hu/osa3.gif
http://www.uw[BLOCKED].hu/osa3.gif
http://www.dg[BLOCKED]y.com.cn/osa3.gif
http://www.bs[BLOCKED]-security.de/osa3.gif
http://www.di[BLOCKED]e-fliesen.de/osa3.gif
http://www.do[BLOCKED]m-invest.com.pl/osa3.gif
http://www.en[BLOCKED]gelhardtgmbh.de/osa3.gif
http://www.tr[BLOCKED]iapex.cz/osa3.gif
http://www.fa[BLOCKED]hrschule-herb.de/osa3.gif
http://www.fa[BLOCKED]hrschule-lesser.de/osa3.gif
http://www.gi[BLOCKED]mex-messzeuge.de/osa3.gif
http://www.in[BLOCKED]side-tgweb.de/osa3.gif
http://www.ju[BLOCKED]e-bo.com/osa3.gif
http://www.ni[BLOCKED]ko.de/osa3.gif
http://www.ni[BLOCKED]kogmbh.com/osa3.gif
http://www.re[BLOCKED]negaderc.com/osa3.gif
http://www.sa[BLOCKED]chsenbuecher.de/osa3.gif
http://www.sc[BLOCKED]vanravenswaaij.nl/osa3.gif
http://www.sp[BLOCKED]oden.de/osa3.gif
http://www.sp[BLOCKED]ortnf.com/osa3.gif
http://www.sw[BLOCKED]eb.cz/osa3.gif
http://www.tg[BLOCKED]-sandhausen-basketball.de/osa3.gif
http://www.th[BLOCKED]efunkiest.com/osa3.gif
http://www.th[BLOCKED]efunkiest.com/osa3.gif
http://www.je[BLOCKED]oushinn.com/osa3.gif
http://www.pr[BLOCKED]esley.ch/osa3.gif
 

NOTE: The list of URLs is intentinally modified. Please contact F-Secure with inquiries for the complete list.

Detection

F-Secure Anti-Virus detects both dropper and downloader with the following update:

Detection Type: PC

Database: 2005-06-26_02

The other dropper variant is detected by the following update:

Detection Type: PC

Database: 2005-06-26_02

Submit a Sample

Suspect a file or URL was wrongly detected? Send it to our Labs for further analysis

Submit a Sample

Give And Get Advice

Give advice. Get advice. Share the knowledge on our free discussion forum.

More Info