Threat Description

Mitglieder.CN

Details

Aliases: Mitglieder.CN, W32/Mitglieder.CN, W32/BagleDownloader.dr, W32/BagleDownloader, Email-Worm.Win32.Bagle.bq, Bagle.BQ
Category: Malware
Type: Trojan
Platform: W32

Summary


This Mitglieder variant appeared on June 26, 2005. It appears to have been seeded to many users.



Removal


Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.

More scanning & removal options

More information on scanning or removal options is available in the documentation for your F-Secure security product on the Downloads section of our Home - Global site.

You may also refer to the Knowledge Base on the F-Secure Community site for more information.

Contact Support

For further assistance, F-Secure customers can request support online via the Request support or the Chat forms on our Home - Global site.



Technical Details


The main dropper is a PE executable file 36864 bytes long. The dropped file is a DLL, 9216 bytes long. Both the dropper and the DLL are packed. NOTE: despite being a DLL, the dropped file is in fact named wiwshost.exe.

Installation to system

When the Mitglieder is first run, it copies itself to the Windows System directory as WINSHOST.EXE and drops a DLL file named WIWSHOST.EXE there. This DLL file is then injected into the Explorer.exe process.

The dropper/injector creates two startup values and one status key for its file in the Windows Registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"winshost.exe" = "%system%\winshost.exe"

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"winshost.exe" = "%system%\winshost.exe"

where "%system%" represents the Windows System folder. These values are created to ensure the downloader DLL is injected into Explorer again the next time the system restarts.

On its first run, the trojan creates a status key. If this is the very first run of the Mitglieder, it disguises itself by opening an empty MSPaint window.

[HKCU\Software\FirstRun]
"FirstRunRR" = SZ_DWORD 00000001

The downloader and its payload

The WIWSHOST.EXE file has downloading functionality. It also has functionality that affects various Anti-Virus and security software. When loaded, it may modify the HOSTS file. Control then passes to another piece of code responsible for disabling or altering services with the following names:

wuauserv, PAVSRV, PAVFNSVR, PSIMSVC, Pavkre, PavProt, PREVSRV, PavPrSrv, SharedAccess, navapsvc, NPFMntor, Outpost Firewall, SAVScan, SBService, Symantec Core LC, ccEvtMgr, SNDSrvc, ccPwdSvc, ccSetMgr.exe, SPBBCSvc, KLBLMain, avg7alrt, avg7updsvc, vsmon, CAISafe, avpcc, fsbwsys, backweb client - 4476822, backweb client-4476822, fsdfwd, F-Secure Gatekeeper Handler Starter, FSMA, KAVMonitorService, navapsvc, NProtectService, Norton Antivirus Server, VexiraAntivirus, dvpinit, dvpapi, schscnt, BackWeb Client - 7681197, F-Secure Gatekeeper Handler Starter, FSMA, AVPCC, KAVMonitorService, Norman NJeeves, NVCScheduler, nvcoas, Norman ZANDA, PASSRV, SweepNet, SWEEPSRV.SYS, NOD32ControlCenter, NOD32Service, PCCPFW, Tmntsrv, AvxIni, XCOMM, ravmon8, SmcService, BlackICE, PersFW, McAfee Firewall, OutpostFirewall, NWService, alerter, sharedaccess, NISUM, NISSERV, vsmon, nwclnth, nwclntg, nwclnte, nwclntf, nwclntd, nwclntc, wuauserv, navapsvc, Symantec Core LC, SAVScan, kavsvc, DefWatch, Symantec AntiVirus Client, NSCTOP, Symantec Core LC, SAVScan, SAVFMSE, ccEvtMgr, navapsvc, ccSetMgr, VisNetic AntiVirus Plug-in, McShield, AlertManger, McAfeeFramework, AVExch32Service, AVUPDService, McTaskManager, Network Associates Log Service, Outbreak Manager, MCVSRte, mcupdmgr.exe, AvgServ, AvgCore, AvgFsh, awhost32, Ahnlab task Scheduler, MonSvcNT, V3MonNT, V3MonSvc, FSDFWD

The trojan starts a thread that deletes the values contained in the following registry keys:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, Symantec NetDriver Monitor
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, ccApp
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, NAV CfgWiz
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, SSC_UserPrompt
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, McAfee Guardian
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, McAfee.InstantUpdate.Monitor
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, APVXDWIN
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, KAV50
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, avg7_cc
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, avg7_emc
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, Zone Labs Client
HKLM\SOFTWARE\Symantec
HKLM\SOFTWARE\McAfee
HKLM\SOFTWARE\KasperskyLab
HKLM\SOFTWARE\Agnitum
HKLM\SOFTWARE\Panda Software
HKLM\SOFTWARE\Zone Labs

The trojan also starts a thread that scans all hard drives and deletes files with the following name:

mysuperprog.exe

The trojan stops services with the following names:

SharedAccess
wscsvc

The trojan creates a thread that kills processes with the following names:

NUPGRADE.EXE, MCUPDATE.EXE, ATUPDATER.EXE, AUPDATE.EXE, AUTOTRACE.EXE, AUTOUPDATE.EXE, FIREWALL.EXE, ATUPDATER.EXE, LUALL.EXE, DRWEBUPW.EXE, AUTODOWN.EXE, NUPGRADE.EXE, OUTPOST.EXE, ICSSUPPNT.EXE, ICSUPP95.EXE, ESCANH95.EXE, AVXQUAR.EXE, ESCANHNT.EXE, UPGRADER.EXE, AVXQUAR.EXE, AVWUPD32.EXE, AVPUPD.EXE, CFIAUDIT.EXE, UPDATE.EXE

Finally, the trojan tries to download a file from several web servers. The file is placed in the Windows directory as 'ile.exe' and is run. The trojan tries to download from the following hardcoded locations:


NOTE: The list of download URLs is intentionally modified. Please contact F-Secure with inquiries for the complete list.
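The installation artifacts and the downloaded payload described above can be checked for on a suspect host. The following Python is an added example, not F-Secure's own tooling: it parses a constructed .reg-style export and constructed directory listings (both assumed sample data) and reports the startup values, status key, dropped files and 'ile.exe' that this description names.

```python
import re

# Constructed .reg-style export covering the locations named in the description
# (sample data, not a real capture).
SAMPLE_REG_EXPORT = r"""
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"winshost.exe"="C:\\WINDOWS\\system32\\winshost.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"winshost.exe"="C:\\WINDOWS\\system32\\winshost.exe"

[HKEY_CURRENT_USER\Software\FirstRun]
"FirstRunRR"=dword:00000001
"""

# Constructed directory listings of the Windows System and Windows directories.
SAMPLE_SYSTEM_DIR = ["kernel32.dll", "WINSHOST.EXE", "wiwshost.exe"]
SAMPLE_WINDOWS_DIR = ["explorer.exe", "ile.exe"]

RUN_KEYS = (
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
)
STATUS_KEY = r"HKEY_CURRENT_USER\Software\FirstRun"
DROPPED_FILES = {"winshost.exe", "wiwshost.exe"}  # dropper copy and injected DLL
DOWNLOADED_FILE = "ile.exe"                        # payload fetched by the DLL


def parse_reg_export(text):
    """Return {key_path(lower-cased): {value_name: data}} from a .reg-style export."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()        # registry key paths are case-insensitive
            keys[current] = {}
        elif current and line.startswith('"'):
            m = re.match(r'"([^"]+)"=(.*)', line)
            if m:   # .reg exports escape backslashes as "\\"; unescape them
                keys[current][m.group(1)] = m.group(2).strip('"').replace("\\\\", "\\")
    return keys


def find_indicators(reg_text, system_dir, windows_dir):
    """List the Mitglieder.CN artifacts from the description present in the inputs."""
    findings, keys = [], parse_reg_export(reg_text)
    for key in RUN_KEYS:
        for name, data in keys.get(key.lower(), {}).items():
            if name.lower() == "winshost.exe" or data.lower().endswith("\\winshost.exe"):
                findings.append(f"startup value: {key}\\{name} = {data}")
    if "FirstRunRR" in keys.get(STATUS_KEY.lower(), {}):
        findings.append(f"status value: {STATUS_KEY}\\FirstRunRR")
    findings += [f"dropped file in System directory: {f}"
                 for f in system_dir if f.lower() in DROPPED_FILES]
    if any(f.lower() == DOWNLOADED_FILE for f in windows_dir):
        findings.append(f"downloaded payload in Windows directory: {DOWNLOADED_FILE}")
    return findings
```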



Detection


F-Secure Anti-Virus detects both the dropper and the downloader with the following update:

Detection Type: PC
Database: 2005-06-26_02

The other dropper variant is detected by the following update:

Detection Type: PC
Database: 2005-06-26_02



Technical Details: Tzvetan Chaliavski, June 26, 2005

