W32/Mitglieder.fam!tr

Aliases: Email-Worm.Win32.Bagle.dk [KAV], Email-Worm.Win32.Bagle.dp [KAV], Troj/BagDl-Gen [Sophos], TROJ_BAGLE.DA [Trend], Trojan.Tooso.Q [NAV], W32/Bagle.gen [McAfee], W32/Mitglieder.fam, W32/Mitglieder.fam-tr, W32/Mitglieder.FK [F-Prot], W32/Mitglieder.FK-tr, W32
Release Date: May 07, 2006
Detection Availability
                 Active Database    Extended Database
FortiGate        low                high
FortiClient
FortiMail        N/A
Current Antivirus Definition Database Version: 11.587
Description

Visible Symptoms

  • Firewall, antivirus or other security-related applications terminate unexpectedly after an email attachment is opened

Detailed Analysis

Several Mitglieder threats were spammed to numerous email recipients on September 20, 2005. The threat may have arrived as an attachment to an email message, either as an .EXE file or a .ZIP file.

MD5 Checksum                       Actual variant ID       Relative file name
a68f520aa14b6c3b92db4f0934120996   W32/Mitglieder.FK!tr    09_price.exe
0b3674f22bc7149c737b1b1133beb726   W32/Mitglieder.FL!tr    20_price.exe
aad4a3c6e090e2687320f19e4f3f8034   W32/Mitglieder.FM!tr    19_09.exe
3713c5a204da99721fb5fe4ea7021ced   W32/Mitglieder.FN!tr    20_price.exe
1071e87bc961615a2e169a2340bc5c80   W32/Mitglieder.FO!tr    20_price.exe
33e8e59aa5773978e4e9aa1b0db28a4e   W32/Mitglieder.FP!tr    20_09.exe
9a224276a9eede6b85b2b3770e016f11   W32/Mitglieder.FQ!tr    03.exe
555573598640743dde5c2df992e5cbe3   W32/Mitglieder.FR!tr    02.exe
2e5e131e4d5a6500b94f68d1c11ffcc5   W32/Mitglieder.FS!tr    09.exe

If run, the Trojan writes a copy of itself to the system and also extracts a .DLL component. The .DLL component's code is injected into the Windows shell (EXPLORER.EXE) to hide its presence.

This threat attempts to retrieve a binary file from one of a number of hard-coded web sites. At the time of this writing, the download failed because the file was not present on the servers or the servers were unreachable.

Load at Windows Startup
If this Trojan is run, it copies itself to the System32 folder, along with a .DLL component. It modifies the registry so that the Trojan is loaded automatically at each Windows logon or startup.

Security application termination
In addition to terminating antivirus, firewall and debugging applications, the Trojan may delete the registry entries responsible for loading those same programs. For example, the entry listed below belongs to ZoneAlarm (a firewall application) and was deleted by the Trojan in testing:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"Zone Labs Client" = C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

File modifications
This Trojan modifies the "hosts" name-resolution configuration file, reducing its content to the single line:

127.0.0.1 localhost

File download routine
This Trojan attempts to retrieve a file named OSA6.GIF from hard-coded web sites stored in the Trojan body. At the time of this writing, the download failed because the file was not present on the servers or the servers were unreachable.

Process injection
When this Trojan is executed, it injects its code into the Windows shell EXPLORER.EXE to hide its presence. Because it runs in the same process space as Explorer, it is also much more difficult to isolate and terminate using conventional process utilities.
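As an added triage example (not Fortinet's code): a Python helper that maps a suspect attachment's MD5 to the variant IDs in the table above and flags a hosts file that has been reduced to the single line described under File modifications. The hash table is copied from this page; the sample inputs are constructed, and the function names are the example's own.

```python
import hashlib
import re

# Variant table copied from this description page (MD5 -> Fortinet variant ID).
KNOWN_MD5 = {
    "a68f520aa14b6c3b92db4f0934120996": "W32/Mitglieder.FK!tr",
    "0b3674f22bc7149c737b1b1133beb726": "W32/Mitglieder.FL!tr",
    "aad4a3c6e090e2687320f19e4f3f8034": "W32/Mitglieder.FM!tr",
    "3713c5a204da99721fb5fe4ea7021ced": "W32/Mitglieder.FN!tr",
    "1071e87bc961615a2e169a2340bc5c80": "W32/Mitglieder.FO!tr",
    "33e8e59aa5773978e4e9aa1b0db28a4e": "W32/Mitglieder.FP!tr",
    "9a224276a9eede6b85b2b3770e016f11": "W32/Mitglieder.FQ!tr",
    "555573598640743dde5c2df992e5cbe3": "W32/Mitglieder.FR!tr",
    "2e5e131e4d5a6500b94f68d1c11ffcc5": "W32/Mitglieder.FS!tr",
}

def variant_for_md5(hexdigest: str):
    """Map an MD5 hex string (any case) to the variant ID, or None if unknown."""
    return KNOWN_MD5.get(hexdigest.lower())

def identify_sample(data: bytes):
    """Hash an attachment's bytes and look the digest up in the table."""
    return variant_for_md5(hashlib.md5(data).hexdigest())

def hosts_looks_truncated(hosts_text: str) -> bool:
    """True when the hosts file has exactly one non-blank line and that line is
    '127.0.0.1 localhost'. A stock Windows hosts file carries many comment
    lines, so their absence plus the lone loopback entry matches the
    modification described above. An administrator who hand-trimmed the file
    would match as well, so treat this as one indicator, not proof."""
    lines = [ln for ln in hosts_text.splitlines() if ln.strip()]
    if len(lines) != 1:
        return False
    return re.fullmatch(r"\s*127\.0\.0\.1\s+localhost\s*", lines[0]) is not None

if __name__ == "__main__":
    # Constructed sample inputs, not real captures.
    sample = b"MZ this is not the Trojan"
    print("variant:", identify_sample(sample))  # None: hash not in the table
    print("truncated:", hosts_looks_truncated("127.0.0.1 localhost\r\n"))  # True
    stock = "# Copyright (c) 1993-1999 Microsoft Corp.\r\n127.0.0.1 localhost\r\n"
    print("truncated:", hosts_looks_truncated(stock))  # False: comments intact
```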

Description Last Updated Date: Mar 13, 2007
Reference: ID - 5434