W32/Mitglieder.GX!tr

Alias/esEmail-Worm.Win32.Bagle.fb [KAV], Troj/BagleDl-AP [Sophos], Trojan.Bagle.BN [ClamAV], Trojan.Lodear.G [NAV], W32/Mitglieder.GW [F-Prot]
Release DateDec 20, 2005
Detection Availability
Active DatabaseExtended Database
FortiGatelowhigh
FortiClient
FortiMailN/A
Current Antivirus Definition Database Version: 12.202
Description

Visible Symptoms

  • creation of "anti_troj.exe" into the System32 folder

  • the malicious file has an icon that resembles a picture file type

Detailed Analysis

This Trojan may be received in an email message as an attachment, and possibly within a .ZIP file.

c:\WINNT\system32\anti_troj.exe

If the Trojan is run, it may display a graphic image file that is stored in the System32 folder named "ntimage.gif" - displaying this image is a distraction. The Trojan then registers itself to run at Windows startup via a registry key modification -

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
"anti_troj" = C:\WINNT\System32\anti_troj.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"anti_troj" = C:\WINNT\System32\anti_troj.exe

After the Trojan loads on restart of Windows, it attempts to connect to hard-coded web sites and retrieve a file named "a.php". Below is a list of sites the Trojan will try to contact (these sites were very likely compromised by the malware author) -

150m.com
202.44.52.38
209.126.128.203
65.108.195.73
80.146.233.41
abtechsafety.com
abtechsafety.com
acentrum.pl
adamant-np.ru
adavenue.net
adoptionscanada.ca
adventecgroup.com
agenciaspublicidadinternet.com
agroturystyka.artneo.pl
ahava.cafe24.com
aibsnlea.org
aikidan.com
ala-bg.net
alevibirligi.ch
alfaclassic.sk
allanconi.it
allinfo.com.au
americarising.com
americasenergyco.com
amerykaameryka.com
amistra.com
analisisyconsultoria.com
bakelit.hu
barth.serwery.pl
batlground.com
bbrealservis.sk
befag.ru
benininfo.com
bennylife.com
bestcheapdomainregistration.info
bidsforbaby.com
binhaigolf.com
biotenk.com
bitsolution.ro
bmswijndepot.com
boldrussell.com
bronko-m.ru
bulkemaildirectmarketing.com
bulkemailservicenow.com
calamarco.com
calidad.biz
cansew.ca
cansultdubai.ae
casaquecanta.com
casino-malibu.ru
ccooaytomadrid.org
chilotitomarino.cl
chinaculturedpearl.com
colin18.com
connectesl.com
drinkwater.ru
eleceltek.com
encansbelec.com
furdoszoba.info
kepter.kz
khonkaenpoc.com
leap.co.il
mijusungdo.net
nmtltd.com
nuclear.com.pl
sacafterdark.net
timecontrol.com.pl
tkdami.net
ubu.pl
virt33.kei.pl
vnettools.com

Description Last Updated Date: Dec 21, 2005
Reference: ID - 138961