Threat Encyclopedia

W32/Mitglieder.VJ!tr

description-logoAnalysis

  • This trojan pretends to be a key generator. On its first execution, it shows an Open File  dialog box. After the user selects a file, it shows the following error message box:
    Incorrect file version
  • It drops the following files:
    • undefinedSYSTEMundefined\hldrrr.exe
  • It tries to access the following URL(s):
    • http://www.chapister{REMOVED}.com/mul5.php
    • http://charles{REMOVED}.com/mul5.php
    • http://cha{REMOVED}.cz/mul5.php
    • http://www.chit{REMOVED}.com/mul5.php
    • http://chec{REMOVED}.com/mul5.php
    • http://cibe{REMOVED}.com.ar/mul5.php
    • http://505{REMOVED}.com/mul5.php
    • http://cof66{REMOVED}.net/mul5.php
    • http://coma{REMOVED}.net/mul5.php
    • http://conc{REMOVED}.com/mul5.php
    • http://www.co{REMOVED}.ru/mul5.php
    • http://do{REMOVED}.com/mul5.php
    • http://www.cr{REMOVED}.com/mul5.php
    • http://kre{REMOVED}.ru/mul5.php
    • http://dev.jin{REMOVED}.com/mul5.php
    • http://fox{REMOVED}.com/mul5.php
    • http://uwu{REMOVED}.org/mul5.php
    • http://v-v-ko{REMOVED}.ic.cz/mul5.php
    • http://erich-kaes{REMOVED}.de/mul5.php
    • http://van{REMOVED}.com/mul5.php
    • http://axe{REMOVED}.hu/mul5.php
    • http://kisa{REMOVED}.com/mul5.php
    • http://veg{REMOVED}com/mul5.php
    • http://vi{REMOVED}.ru/mul5.php
    • http://vira{REMOVED}.com/mul5.php
    • http://svat{REMOVED}.cz/mul5.php
    • http://Vivamo{REMOVED}.com/mul5.php
    • http://vkinf{REMOVED}.com/mul5.php
    • http://vytu{REMOVED}com/mul5.php
    • http://waise{REMOVED}.ch/mul5.php
    • http://watsr{REMOVED}.org/mul5.php
    • http://www.ag.oh{REMOVED}.edu/mul5.php
    • http://wbec{REMOVED}.com/mul5.php
    • http://cala{REMOVED}.com/mul5.php
    • http://vpr{REMOVED}com/mul5.php
    • http://grup{REMOVED}.de/mul5.php
    • http://kn{REMOVED}de/mul5.php
    • http://dog{REMOVED}.ch/mul5.php
    • http://system{REMOVED}.de/mul5.php
    • http://zeb{REMOVED}.net/mul5.php
    • http://www.wal{REMOVED}.de/mul5.php
    • http://hotc{REMOVED}.de/mul5.php
    • http://innova{REMOVED}.net/mul5.php
    • http://mas{REMOVED}.de/mul5.php
    • http://we{REMOVED}hu/mul5.php
    • http://web{REMOVED}.com/mul5.php
    • http://we{REMOVED}.com/mul5.php
    • http://www.ag{REMOVED}.edu/mul5.php
    • http://poliklin{REMOVED}.sk/mul5.php
    • http://wvp{REMOVED}.org/mul5.php
    • http://www.ker{REMOVED}.de/mul5.php
    • http://www.kljbw{REMOVED}.de/mul5.php
    • http://www.vo{REMOVED}.de/mul5.php
    • http://www.wch{REMOVED}.cz/mul5.php
    • http://www.wg-auf{REMOVED}.de/mul5.php
    • http://www.wzh{REMOVED}.com/mul5.php
    • http://zsn{REMOVED}.sk/mul5.php
    • http://xotr{REMOVED}.ru/mul5.php
    • http://ilik{REMOVED}.com/mul5.php
    • http://yeni{REMOVED}.com/mul5.php
  • Saves the downloaded programs to undefinedWINDOWSundefined\exefld  and runs each program.

  • Creates the following registry:
    • key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    • value: hldrrr
    • data: undefinedSYSTEMundefined\hldrrr.exe
    • key: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    • value: hldrrr
    • data: undefinedSYSTEMundefined\hldrrr.exe
    • key: HKCU\Software\\FirstRRRun
    • value: FirstRR1232Run
    • data: 1

    recommended-action-logoRecommended Action

      FortiGate Systems
    • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.