FRISK Software International

Summary of W32/Mitglieder.GB
Discovered: 2 Nov 2005
Definition files: 2 Nov 2005
Risk Level: Medium
Jump to:
Brief description
Technical description
Removal Instructions

Brief Description
Mitglieder.GB is a downloader trojan. It's incapable of spreading itself. It modifies registry to make sure it's run at startup and injects its dll component into explorer.exe. The dll component runs in an endless loop trying to download files from multiple locations on the internet. If it manages to download any, they are executed.

Technical Description
When first run Mitglieder.GB copies itself to %WINDIR%\system32\hloader_exe.exe and drops the file hleader_dll.dll to the same directory (also detected as Mitglieder.GB). Then it injects the file hleader_dll.dll into explorer.exe. It adds the value:


to the keys:


When all this is done the process terminates and only the dll component continues running in explorer's namespace.

The dll component runs in an endless loop checking if the infected computer is connected to the internet and if so, tries to download a file named w.php from multiple URLs. It creates directory %WINDIR%\exefld and downloads the file there under a random name. If it manages to download then it's executed.

Removal Instructions
For general removal instructions please click here.

Marteinn Žór Haršarson

Stay up to date with important developments via e-mail.
Stay up to date with life cycle policies for F-PROT Antivirus for Windows.
Virus news and information directly to your desktop.
Definitions of common antivirus terminology.
For further virus information, please try our partners' websites:


perComp Verlag
(in German)