Visible Symptoms
- Possible firewall alert that the infected system is attempting to access the Internet using TCP port 11117
- Creation of these files in the System32 folder -
  system.exe - 19,968 bytes
  irun4.exe - 14,848 bytes
  iinj4.exe - 1,536 bytes
  ban_list.txt - 4,100+ bytes
- Web traffic logs contain references to the web files "ngr2.php" and "banlist.php"
Detailed Analysis
Specifics
This Trojan is a 32-bit executable and a variant of W32/Mitglieder.C-tr.
The Mitglieder Trojan and the Bagle virus families share some code and structure.
This Trojan functions as an SMTP mail relay on a compromised system.
Loading At Windows Startup
If the Trojan is run, it extracts other files and stores them in the System32 folder -
C:\WINNT\System32\system.exe - dropper for Mitglieder.D
C:\WINNT\System32\irun4.exe - Mitglieder.D
C:\WINNT\System32\iinj4.exe - loader for Mitglieder.D
The Trojan adjusts the registry so that it is run again at the next Windows startup, as in this example -
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
"ssgrate.exe" = C:\WINNT\System32\irun4.exe
Application Termination Payload
This Trojan may attempt to close processes or applications
matching the following names -
ATUPDATER.EXE
AUPDATE.EXE
AUTODOWN.EXE
AUTOTRACE.EXE
AUTOUPDATE.EXE
AVLTMAIN.EXE
AVPUPD.EXE
AVWUPD32.EXE
AVXQUAR.EXE
CFIAUDIT.EXE
DRWEBUPW.EXE
ICSSUPPNT.EXE
ICSUPP95.EXE
LUALL.EXE
MCUPDATE.EXE
NUPGRADE.EXE
OUTPOST.EXE
UPDATE.EXE
SMTP Proxy/Remote Access Capability
This Trojan binds to TCP port 11117 and awaits instructions from a malicious user; one such instruction is to deliver mail through the Trojan's SMTP proxy code.
The Trojan attempts to notify its author by connecting to compromised web servers and requesting a server-side script named "ngr2.php", to which it submits the TCP port in use and the IP address of the compromised system. The Trojan author compromised several German and Russian websites and probably has at least read access to these sites in order to retrieve the logged IP addresses of compromised systems.
The compromised web servers and directory paths storing the server-side script "ngr2.php" are -
http://alfinternational.ru/old/oli-lack_katalog/
http://artesproduction.com/
http://comdat.de/kreta/
http://gaz-service.ru/img/pict/
http://mir-auto.ru/
http://rdwufa.ru/img/pict/
http://www.bbszene.de/store/images/video_amazon/
http://www.ctn.ru/marketing/images/
http://www.deadlygames.de/DG/BF/BF-Links/clans/
http://www.eurostretch.ru/
http://www.gasterixx.de/gfx/
http://www.gebr-wachs.de/mod/san_beratung/thumb/
http://www.hhc-online.de/home/links/pics/
http://www.joerrens.de/system/include/crc.php
http://www.komandor.ru/sessions/
http://www.lords-of-havoc.de/Avatare/
http://www.lowenbrau.ru/manager_old/images/
http://www.mirage.ru/sport/omega/pic/omega/
http://www.o-problemo.de/gaestebuch/
http://www.psnr.ru/rus/images/banners/
http://www.ranknet.de/LVS/pics/_notes/
http://www.tv87.de/subdomain_la/Fachwart/
The Trojan also retrieves a text file named "banlist.php" containing IP addresses. This PHP file is stored on these compromised web servers -
http://alfinternational.ru/old/oli-lack_katalog/
http://gaz-service.ru/img/pict/
http://rdwufa.ru/img/pict/
http://www.ctn.ru/marketing/images/
http://www.komandor.ru/sessions/
http://www.lowenbrau.ru/manager_old/images/
http://www.mirage.ru/sport/omega/pic/omega/
http://www.psnr.ru/rus/images/banners/
The content of "banlist.php" is saved into the System32 folder, alongside the proxy Trojan, under the file name "ban_list.txt".
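The two network-visible symptoms above (requests for "ngr2.php"/"banlist.php" in web traffic logs, and connections involving TCP port 11117 at the firewall) can be swept for across existing logs. The following script is an added example written for this page, not part of the original advisory or any vendor tool. It assumes a Squid-format proxy log and an iptables-style firewall log; both sample logs are constructed, and the host list is the one given in the advisory.

```python
from typing import Dict, List, Set
from urllib.parse import urlparse
import re

# Indicators taken from the advisory text: the listening port, the two
# server-side scripts the Trojan requests, and the hosts listed as carrying them.
MITGLIEDER_PORT = 11117
CALLBACK_SCRIPTS = ("ngr2.php", "banlist.php")
KNOWN_CALLBACK_HOSTS = {
    "alfinternational.ru", "artesproduction.com", "comdat.de", "gaz-service.ru",
    "mir-auto.ru", "rdwufa.ru", "www.bbszene.de", "www.ctn.ru",
    "www.deadlygames.de", "www.eurostretch.ru", "www.gasterixx.de",
    "www.gebr-wachs.de", "www.hhc-online.de", "www.joerrens.de",
    "www.komandor.ru", "www.lords-of-havoc.de", "www.lowenbrau.ru",
    "www.mirage.ru", "www.o-problemo.de", "www.psnr.ru", "www.ranknet.de",
    "www.tv87.de",
}

# Constructed sample logs (not captured from a real incident). The proxy log
# follows the Squid native format; the firewall log is a generic iptables-style line.
SAMPLE_PROXY_LOG = """\
1083974400.123    120 10.0.0.15 TCP_MISS/200 512 GET http://www.ctn.ru/marketing/images/ngr2.php - DIRECT/203.0.113.9 text/html
1083974401.456     95 10.0.0.15 TCP_MISS/200 4100 GET http://gaz-service.ru/img/pict/banlist.php - DIRECT/203.0.113.10 text/plain
1083974402.789     80 10.0.0.22 TCP_HIT/200 2048 GET http://example.com/index.html - NONE/- text/html
"""

SAMPLE_FIREWALL_LOG = """\
May 08 00:00:05 fw1 kernel: INBOUND src=198.51.100.7 dst=10.0.0.15 proto=TCP spt=4412 dpt=11117
May 08 00:00:06 fw1 kernel: OUTBOUND src=10.0.0.15 dst=198.51.100.20 proto=TCP spt=1043 dpt=25
May 08 00:00:07 fw1 kernel: OUTBOUND src=10.0.0.22 dst=198.51.100.8 proto=TCP spt=51000 dpt=443
"""

FLOW_RE = re.compile(
    r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+proto=TCP\s+spt=(?P<spt>\d+)\s+dpt=(?P<dpt>\d+)"
)


def find_callback_requests(proxy_log: str) -> List[Dict[str, object]]:
    """Return proxy-log requests for ngr2.php or banlist.php.

    Squid native format: field 2 is the client IP and field 6 the URL. The
    script name is compared case-insensitively after stripping any query string.
    """
    hits: List[Dict[str, object]] = []
    for line in proxy_log.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue
        client_ip, url = fields[2], fields[6]
        parsed = urlparse(url)
        script = parsed.path.rsplit("/", 1)[-1].lower()
        if script in CALLBACK_SCRIPTS:
            hits.append({
                "src": client_ip,
                "url": url,
                "script": script,
                # True when the host is one the advisory lists as compromised
                "known_host": (parsed.hostname or "") in KNOWN_CALLBACK_HOSTS,
            })
    return hits


def find_port_11117_flows(firewall_log: str) -> List[Dict[str, object]]:
    """Return TCP flows touching port 11117; 'host' is the side holding that port."""
    flows: List[Dict[str, object]] = []
    for line in firewall_log.splitlines():
        m = FLOW_RE.search(line)
        if not m:
            continue
        spt, dpt = int(m["spt"]), int(m["dpt"])
        if MITGLIEDER_PORT not in (spt, dpt):
            continue
        # The Trojan listens on 11117, so the side holding that port is the suspect host.
        local = m["src"] if spt == MITGLIEDER_PORT else m["dst"]
        flows.append({"host": local, "src": m["src"], "dst": m["dst"], "spt": spt, "dpt": dpt})
    return flows


def suspect_hosts(proxy_log: str, firewall_log: str) -> Set[str]:
    """Internal addresses that show either indicator; candidates for triage."""
    hosts = {str(h["src"]) for h in find_callback_requests(proxy_log)}
    hosts |= {str(f["host"]) for f in find_port_11117_flows(firewall_log)}
    return hosts


if __name__ == "__main__":
    for hit in find_callback_requests(SAMPLE_PROXY_LOG):
        print("callback:", hit)
    for flow in find_port_11117_flows(SAMPLE_FIREWALL_LOG):
        print("port 11117 flow:", flow)
    print("suspect hosts:", sorted(suspect_hosts(SAMPLE_PROXY_LOG, SAMPLE_FIREWALL_LOG)))
```

A request for either script name is treated as an indicator regardless of host, with the host list only raising confidence, because the advisory says the author used multiple compromised sites and the list cannot be assumed complete.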
The Trojan makes additional registry entries which it uses -
HKEY_CURRENT_USER\Software\DateTime
"port" = 6D, 2B, 00, 00 <= hex (little-endian DWORD) for TCP port '11117'
"r4dr" = 01, 00, 00, 00 <= binary for 'yes'
"uid" = [time of infection, in seconds since Jan 1 1970 00:00]
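The registry values above, together with the Run-key entry described under "Loading At Windows Startup", are what an incident responder would decode and check on a suspect host. The following is an added example for this page, not part of the original advisory: it decodes the raw "port", "r4dr" and "uid" values (the "uid" bytes are constructed; the advisory does not state that value's storage type, and a little-endian DWORD is an assumption) and tests whether a Run-key entry matches the persistence described. The live registry read only runs on Windows and is skipped elsewhere.

```python
import struct
import sys
from datetime import datetime, timezone
from typing import Dict, Optional

# Names from the advisory: the executables dropped into System32 and the
# Run-key value name the Trojan uses for persistence.
DROPPED_FILES = {"system.exe", "irun4.exe", "iinj4.exe"}
RUN_VALUE_NAME = "ssgrate.exe"
DATETIME_KEY = r"Software\DateTime"

# Constructed sample of the HKCU\Software\DateTime values as raw REG_BINARY
# bytes. "port" and "r4dr" are the byte sequences given in the advisory; the
# "uid" bytes are a constructed little-endian DWORD for 2004-05-08 00:00:00 UTC
# (the advisory does not state the value's storage type; DWORD is an assumption).
SAMPLE_DATETIME_VALUES: Dict[str, object] = {
    "port": b"\x6d\x2b\x00\x00",
    "r4dr": b"\x01\x00\x00\x00",
    "uid": b"\x00\x23\x9c\x40",
}


def _as_dword(raw) -> int:
    """Accept either REG_BINARY bytes (little-endian) or an int from REG_DWORD."""
    if isinstance(raw, int):
        return raw
    if len(raw) < 4:
        raise ValueError("expected at least 4 bytes")
    return struct.unpack("<I", bytes(raw[:4]))[0]


def decode_datetime_values(values: Dict[str, object]) -> Dict[str, object]:
    """Turn the raw 'port', 'r4dr' and 'uid' values into readable fields."""
    out: Dict[str, object] = {}
    if "port" in values:
        out["port"] = _as_dword(values["port"])        # 6D 2B 00 00 -> 11117
    if "r4dr" in values:
        out["r4dr"] = _as_dword(values["r4dr"]) != 0   # 01 00 00 00 -> True
    if "uid" in values:
        out["infected_at"] = datetime.fromtimestamp(_as_dword(values["uid"]), tz=timezone.utc)
    return out


def is_mitglieder_run_entry(value_name: str, command: str) -> bool:
    """True if a Run-key entry matches the persistence the advisory describes."""
    exe = command.strip().strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return value_name.lower() == RUN_VALUE_NAME or exe in DROPPED_FILES


def read_live_datetime_values() -> Optional[Dict[str, object]]:
    """Read HKCU\\Software\\DateTime on a Windows host; None elsewhere or if absent."""
    if sys.platform != "win32":
        return None
    import winreg  # only importable on Windows
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, DATETIME_KEY) as key:
            raw: Dict[str, object] = {}
            for name in ("port", "r4dr", "uid"):
                try:
                    raw[name] = winreg.QueryValueEx(key, name)[0]
                except FileNotFoundError:
                    pass
            return raw
    except FileNotFoundError:
        return None


if __name__ == "__main__":
    live = read_live_datetime_values()
    print(decode_datetime_values(live if live else SAMPLE_DATETIME_VALUES))
    print(is_mitglieder_run_entry("ssgrate.exe", r"C:\WINNT\System32\irun4.exe"))
```

The decoded "port" value is what to compare against firewall records, and "infected_at" gives the earliest point to start log review from; a Run-key entry is flagged on either the value name or the executable name, since either alone is unusual.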