W32/Mitglieder.TD!tr.dldr

Alias/es: Email-Worm.Win32.Bagle.gh [KAV], PE_FINALDO.B [Trend], Troj/BagleDl-BR [Sophos], W32/Bagle.JG.worm [Panda], W32/Finaldo.B
Release Date: May 28, 2006

Detection Availability    Active Database    Extended Database
FortiGate                 low                high
FortiClient
FortiMail                 N/A

Current Antivirus Definition Database Version: 12.339
Description

Visible Symptoms

  • Possible firewall alert that a file "hldrrr.exe" is trying to connect to external web sites using TCP port 80

  • Creation of the file "hldrrr.exe" in the %System% folder on compromised systems

Detailed Analysis

This Trojan is yet another in a long line of downloader Trojans belonging to the Mitglieder family. It attempts to contact numerous compromised web sites and download a binary file named "mul.php" or "nul.php". At the time of analysis, that file was not available for download from any of the contacted sites.

The Trojan tries to contact a long list of hard-coded web sites.

The Trojan installs itself into the %System% folder and creates auto-load entries in the registry so that it runs at logon -

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
hldrrr = C:\WINNT\System32\hldrrr.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
hldrrr = C:\WINNT\System32\hldrrr.exe
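The following PowerShell check is an added example, not part of the Fortinet entry. It looks for the two persistence artifacts described above: the "hldrrr" value under both Run keys and the "hldrrr.exe" file in %System% (resolved here as $env:SystemRoot\System32, an assumption matching the C:\WINNT\System32 path shown). It also flags any other Run value whose command line names the file, and reports findings without changing anything.

```powershell
# Added detection check for the artifacts described in this entry (not Fortinet's code).
# Read-only: it reports matches and removes nothing.
$valueName = 'hldrrr'       # Run value name given in the description
$fileName  = 'hldrrr.exe'   # dropped file name given in the description
$runKeys   = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)

$findings = @()

foreach ($key in $runKeys) {
    # -ErrorAction SilentlyContinue: an absent value simply yields $null (clean).
    $prop = Get-ItemProperty -Path $key -Name $valueName -ErrorAction SilentlyContinue
    if ($null -ne $prop) {
        $findings += [pscustomobject]@{
            Artifact = "$key\$valueName"
            Value    = $prop.$valueName
        }
    }
}

# %System% is <SystemRoot>\System32 on the systems described (assumption).
$filePath = Join-Path (Join-Path $env:SystemRoot 'System32') $fileName
if (Test-Path -LiteralPath $filePath) {
    $file = Get-Item -LiteralPath $filePath
    $findings += [pscustomobject]@{
        Artifact = $filePath
        Value    = "size=$($file.Length) bytes, written=$($file.LastWriteTime)"
    }
}

# Generalisation: any Run value pointing at the file, even under another name.
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($null -eq $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -ne $valueName -and "$($p.Value)" -match [regex]::Escape($fileName)) {
            $findings += [pscustomobject]@{ Artifact = "$key\$($p.Name)"; Value = $p.Value }
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output "No $valueName / $fileName artifacts found."
} else {
    $findings | Format-Table -AutoSize
}
```

Run it in an elevated session so the HKLM key and System32 are readable; a hit on either artifact warrants a full scan with current definitions rather than manual deletion alone.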

Description Last Updated Date: May 29, 2006
Reference: ID - 254603