FRISK Software International


Summary of W32/Mitglieder.FE
Discovered: 19 Sep 2005
Definition files: 19 Sep 2005
Risk Level: Medium
Distribution:Low
 
Jump to:
Brief description
Technical description
Removal Instructions

Brief Description
When this malware first executes, the computer's CPU goes to full usage for about a minute and then notepad is started up with a blank document. The malware then adds registry entries to make sure it is run at startup and tries to download and execute a file from a list of domain names. It also has a list of antivirus and firewall processes that it terminates if found and file names that are deleted.


Technical Description
Uses unknown anti-emulation and -debugging packer which is CPU intense.

Copies itself as winshost.exe to %WINDIR%\system32 and drops file wiwshost.exe (also detected as W32/Mitglieder.FE) in the same directory.

Terminates processes:

ATUPDATER.EXE
AUPDATE.EXE
AUTODOWN.EXE
AUTOTRACE.EXE
AUTOUPDATE.EXE
AVPUPD.EXE
AVWUPD32.EXE
AVXQUAR.EXE
CFIAUDIT.EXE
DRWEBUPW.EXE
ESCANH95.EXE
ESCANHNT.EXE
FIREWALL.EXE
ICSSUPPNT.EXE
ICSUPP95.EXE
LUALL.EXE
MCUPDATE.EXE
NUPGRADE.EXE
OUTPOST.EXE
UPDATE.EXE
UPGRADER.EXE

Modifies the registry in the following way:

adds value:

"winshost.exe"="%WINDIR%\system32\winshost.exe"

to the keys:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

to make sure it's run at startup.

and value:

"FirstRunRR"=1

to the key:

[HKEY_CURRENT_USER\Software\FirstRun]

as an infection marker.

Tries to delete the values:

APVXDWIN
avg7_cc
avg7_emc
ccApp
KAV50
McAfee Guardian
McAfee.InstantUpdate.Monitor
NAV CfgWiz
SSC_UserPrompt
Symantec NetDriver Monitor
Zone Labs Client

from the key:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

and tries to delete the keys:

[HKEY_LOCAL_MACHINE\SOFTWARE\Symantec]
[HKEY_LOCAL_MACHINE\SOFTWARE\McAfee]
[HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab]
[HKEY_LOCAL_MACHINE\SOFTWARE\Agnitum]
[HKEY_LOCAL_MACHINE\SOFTWARE\Panda Software]
[HKEY_LOCAL_MACHINE\SOFTWARE\Zone Labs]

disables services by changing values to:

"Start"=4

in the keys:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\%service_name%]

for following %service_name%:

Ahnlab task Scheduler
alerter
AlertManger
AVExch32Service
avg7alrt
avg7updsvc
AvgCore
AvgFsh
AvgServ
avpcc
AVPCC
AVUPDService
AvxIni
awhost32
backweb client - 4476822
BackWeb Client - 7681197
backweb client-4476822
BlackICE
CAISafe
ccEvtMgr
ccPwdSvc
ccSetMgr
ccSetMgr.exe
DefWatch
dvpapi
dvpinit
fsbwsys
FSDFWD
fsdfwd
F-Secure Gatekeeper Handler Starter
KAVMonitorService
kavsvc
KLBLMain
McAfee Firewall
McAfeeFramework
McShield
McTaskManager
mcupdmgr.exe
MCVSRte
MonSvcNT
navapsvc
Network Associates Log Service
NISSERV
NISUM
NOD32ControlCenter
NOD32Service
Norman NJeeves
Norman ZANDA
Norton Antivirus Server
NPFMntor
NProtectService
NSCTOP
nvcoas
NVCScheduler
nwclntc
nwclntd
nwclnte
nwclntf
nwclntg
nwclnth
NWService
Outbreak Manager
Outpost Firewall
OutpostFirewall
PASSRV
PAVFNSVR
Pavkre
PavProt
PavPrSrv
PAVSRV
PCCPFW
PersFW
PREVSRV
PSIMSVC
ravmon8
SAVFMSE
SAVScan
SBService
schscnt
sharedaccess
SharedAccess
SmcService
SNDSrvc
SPBBCSvc
SweepNet
SWEEPSRV.SYS
Symantec AntiVirus Client
Symantec Core LC
Tmntsrv
V3MonNT
V3MonSvc
VexiraAntivirus
VisNetic AntiVirus Plug-in
vsmon
wuauserv
XCOMM


Tries to find file named osa6.gif on various sites and if found downloads it to %WINDIR%\_re_file.exe and executes it.

On all accessible hard drives it tries to delete files named:

a5v.dll
AUPD1ATE.EXE
AUPDATE.EXE
av.dll
Av1synmgr.exe
Avc1onsol.exe
Avconsol.exe
avg23emc.exe
avgc3c.exe
avgcc.exe
avgemc.exe
Avsynmgr.exe
C1CSETMGR.EXE
c6a5fix.exe
cafix.exe
CC1EVTMGR.EXE
cc1l30.dll
ccA1pp.exe
ccApp.exe
CCEVTMGR.EXE
ccl30.dll
CCSETMGR.EXE
ccv1rtrst.dll
ccvrtrst.dll
CM1Grdian.exe
CMGrdian.exe
is5a6fe.exe
isafe.exe
K2A2V.exe
KAV.exe
kav12mm.exe
kavmm.exe
LUAL1L.EXE
LUALL.EXE
LUI1NSDLL.DLL
LUINSDLL.DLL
Luup1date.exe
Luupdate.exe
Mcsh1ield.exe
Mcshield.exe
mysuperprog.exe
NAV1APSVC.EXE
NAVAPSVC.EXE
NPFM1NTOR.EXE
NPFMNTOR.EXE
outp1ost.exe
outpost.exe
RuLa1unch.exe
RuLaunch.exe
s1ymlcsvc.exe
SND1Srvc.exe
SNDSrvc.exe
SP1BBCSvc.exe
SPBBCSvc.exe
symlcsvc.exe
Up222Date.exe
Up2Date.exe
ve6tre5dir.dll
vetredir.dll
Vs1Stat.exe
vs6va5ult.dll
Vshw1in32.exe
Vshwin32.exe
VsStat.exe
vsvault.dll
zatu6tor.exe
zatutor.exe
zl5avscan.dll
zlavscan.dll
zlcli6ent.exe
zlclient.exe
zo3nealarm.exe
zonealarm.exe

Overwrites the file %WINDIR%\system32\drivers\etc\hosts with this single line:

127.0.0.1 localhost



Removal Instructions
For general removal instructions please click here.

Marteinn Žór Haršarson
 


Stay up to date with important developments via e-mail.
Stay up to date with life cycle policies for F-PROT Antivirus for Windows.
Virus news and information directly to your desktop.
Definitions of common antivirus terminology.
For further virus information, please try our partners' websites:

Authentium

perComp Verlag
(in German)
 

agoat@klaki.net argentina@f-prot.com argentina@frisk.is argentina@complex.is argentina@f-prot.is argentina@frisk-software.com argentina@f-prot.net argentina@f-prot.co.uk brazil@f-prot.com brazil@frisk.is brazil@complex.is brazil@f-prot.is brazil@frisk-software.com brazil@f-prot.net brazil@f-prot.co.uk malta@f-prot.com malta@frisk.is malta@complex.is malta@f-prot.is malta@frisk-software.com malta@f-prot.net malta@f-prot.co.uk a.bjani@f-prot.com a.bjani@frisk.is a.bjani@complex.is a.bjani@f-prot.is a.bjani@f-prot.co.uk a.bjani@frisk-software.com a.bjani@f-prot.net z.fifl@f-prot.com z.fifl@frisk.is z.fifl@complex.is z.fifl@f-prot.is z.fifl@f-prot.co.uk z.fifl@frisk-software.com z.fifl@f-prot.net strumpuri@complex.is strumpure@complex.is strumpuru@complex.is