W32/Mitglieder.VJ!tr

Analysis

  • This trojan pretends to be a key generator. On its first execution, it shows an Open File dialog box. After the user selects a file, it shows the following error message box:
    Incorrect file version
  • It drops the following files:
    • %SYSTEM%\hldrrr.exe
  • It tries to access the following URL(s):
  • It saves the downloaded programs to %WINDOWS%\exefld and runs each of them.

  • It creates the following registry entries:
    • key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    • value: hldrrr
    • data: %SYSTEM%\hldrrr.exe
    • key: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    • value: hldrrr
    • data: %SYSTEM%\hldrrr.exe
    • key: HKCU\Software\\FirstRRRun
    • value: FirstRR1232Run
    • data: 1

Recommended Action

  FortiGate Systems
  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system. If required, enable the "Allow Push Update" option.

Telemetry

  Detection Availability
  • FortiGate: Extreme
  • FortiClient: Extended
  • FortiMail: Extended
  • FortiSandbox: Extended
  • FortiWeb: Extended
  • Web Application Firewall: Extended
  • FortiIsolator: Extended
  • FortiDeceptor: Extended
  • FortiEDR