W32/Mitglieder.FE - Released Sep 19, 2005

Alias/es

Email-Worm.Win32.Bagle.cy [KAV], Troj/Bagle.CU [Antivir], Troj/BagleDL-U [Sophos], TROJ_BAGLE.DA [Trend], Trojan.Tooso.O [NAV], W32/Bagle.CJ-mm, W32/Bagle.CJ@mm [BitDefender], W32/Mitglieder.FE [F-Prot], Worm.Bagle.BS [ClamAV]

Visible Symptoms

  • Unexpected termination of firewall, antivirus or other security-related applications after opening an email attachment

Detailed Analysis

This variant of Bagle was spammed to numerous email recipients on September 19, 2005. It may have arrived as an attachment to an email message, either as an .EXE file or a .ZIP file. If run, the Trojan writes a copy of itself to the system and also extracts a .DLL component. The .DLL component's code is injected into the Windows shell (EXPLORER.EXE) in order to conceal its presence.

This threat is coded to attempt to retrieve a binary file from one of a number of hard-coded web sites. At the time of this writing, the download failed because the file was not present on the servers or the servers were unreachable.

Load at Windows Startup
If this Trojan is run, it will copy itself to the System32 folder, along with a .DLL component (wiwshost.exe) -

c:\WINNT\system32\winshost.exe [35,841 bytes]
c:\WINNT\system32\wiwshost.exe [7,794 bytes]

This Trojan modifies the registry to auto load the Trojan at each Windows logon or startup -

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
"winshost.exe" = C:\WINNT\System32\winshost.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"winshost.exe" = C:\WINNT\System32\winshost.exe

This Trojan creates an additional registry key data entry -

HKEY_CURRENT_USER\Software\FirstRun
"FirstRunRR" = 01

This is likely an internal marker used by the Trojan to determine whether it is running for the first time or has already executed on the system.

Security application termination
In addition to terminating Antivirus, firewall and debugging applications, the Trojan may delete registry keys responsible for loading the same programs. For example, the key listed below is related to Zone Alarm [a firewall application] and was deleted by the Trojan in testing -

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"Zone Labs Client" = C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

File modifications
This Trojan modifies the "hosts" DNS name resolution config file, simply reducing its content to a single line -

127.0.0.1 localhost

File download routine
This Trojan attempts to retrieve a file named OSA6.GIF from hard-coded web sites stored in the Trojan body. At the time of this writing, the download failed because the file was not present on the servers or the servers were unreachable.

Process injection
When this Trojan is executed, it injects its code into the Windows shell EXPLORER.EXE in order to conceal its presence. Because it then runs in the same process space as Explorer, it is much more difficult to isolate and terminate using conventional process utilities.
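The host artifacts listed above (the two files dropped into System32, the two Run values, the FirstRun marker, the deleted Zone Labs Client autorun value and the collapsed hosts file) can be checked offline from a registry export, a directory listing and the hosts file content. The following triage helper is an added example and is not Fortinet's code; it assumes the registry has been exported to standard `.reg` text and that the caller supplies the security-product autorun values known to be installed on the machine (so a missing Zone Labs Client value is only reported where ZoneAlarm is expected). The sample inputs at the bottom are constructed to mirror the artifacts on this page, not captured from a real infection.

```python
"""Offline triage of the W32/Mitglieder.FE host artifacts described above.

Added example, not Fortinet's code. Parses a Windows .reg export and checks
it, a System32 listing and the hosts file against the indicators on the page.
"""
import re

# Indicators taken from the analysis above.
DROPPED_FILES = {"winshost.exe", "wiwshost.exe"}   # copies written to System32
AUTORUN_VALUE = "winshost.exe"                      # Run value name and data
RUN_KEYS = [
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
]
FIRSTRUN_KEY = r"HKEY_CURRENT_USER\Software\FirstRun"
FIRSTRUN_VALUE = "FirstRunRR"


def parse_reg_export(text):
    """Parse .reg export text into {key_lowercase: {value_name: data}}.

    Handles "name"="string" (backslashes are doubled in .reg files) and
    leaves hex:/dword: data as the raw string.
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()          # registry keys are case-insensitive
            keys.setdefault(current, {})
            continue
        m = re.match(r'^"([^"]+)"=(.*)$', line)
        if m and current is not None:
            name, data = m.group(1), m.group(2).strip()
            if data.startswith('"') and data.endswith('"'):
                data = data[1:-1].replace("\\\\", "\\")
            keys[current][name] = data
    return keys


def find_indicators(reg, system32_files, hosts_text, expected_security_values=()):
    """Return a list of human-readable findings; an empty list means no match."""
    findings = []
    # 1. Dropped executables present in System32 (case-insensitive match).
    present = DROPPED_FILES & {f.lower() for f in system32_files}
    for name in sorted(present):
        findings.append(f"dropped file present in System32: {name}")
    # 2. Autorun persistence under the HKCU and HKLM Run keys.
    for key in RUN_KEYS:
        for name, data in reg.get(key.lower(), {}).items():
            if name.lower() == AUTORUN_VALUE or AUTORUN_VALUE in data.lower():
                findings.append(f"autorun entry: {key}\\{name} = {data}")
    # 3. The FirstRun marker value the Trojan writes.
    if FIRSTRUN_VALUE in reg.get(FIRSTRUN_KEY.lower(), {}):
        findings.append(f"marker value present: {FIRSTRUN_KEY}\\{FIRSTRUN_VALUE}")
    # 4. Security-product autorun values that should exist but were removed
    #    (the page reports "Zone Labs Client" being deleted from HKLM Run).
    hklm_run = reg.get(RUN_KEYS[1].lower(), {})
    for name in sorted(set(expected_security_values) - set(hklm_run)):
        findings.append(f"expected security autorun value missing: {name}")
    # 5. hosts file collapsed to the single line described on the page.
    #    Weak on its own (a default hosts file also maps localhost, but it
    #    carries a comment header), so treat it as corroborating evidence.
    if hosts_text.strip() == "127.0.0.1 localhost":
        findings.append("hosts file reduced to single '127.0.0.1 localhost' line")
    return findings


# Constructed sample inputs mirroring the artifacts on this page (not real captures).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"winshost.exe"="C:\\WINNT\\System32\\winshost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"winshost.exe"="C:\\WINNT\\System32\\winshost.exe"

[HKEY_CURRENT_USER\Software\FirstRun]
"FirstRunRR"=hex:01
'''
SAMPLE_SYSTEM32 = ["kernel32.dll", "winshost.exe", "WIWSHOST.EXE"]
SAMPLE_HOSTS = "127.0.0.1 localhost\n"


def triage_sample():
    """Run the checks over the constructed sample; ZoneAlarm assumed installed."""
    reg = parse_reg_export(SAMPLE_REG)
    return find_indicators(reg, SAMPLE_SYSTEM32, SAMPLE_HOSTS,
                           expected_security_values={"Zone Labs Client"})


if __name__ == "__main__":
    for finding in triage_sample():
        print(finding)
```

On a suspect machine the `.reg` text would come from `reg export` of the two Run keys and the FirstRun key, the listing from the System32 directory, and the hosts text from `%SystemRoot%\System32\drivers\etc\hosts`; the file names and registry paths are matched case-insensitively because Windows treats them that way.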

Recommended Action

    FortiGate systems:

  • check the main screen using the web interface to ensure the latest AV/NIDS database has been downloaded and installed -- if required, enable the "Allow Push Update" option

  • enable pattern file blocking on "osa6.gif" to prevent W32/Mitglieder from downloading further components


Reference: ID - 323285