Mitglieder.HH - F-Prot Antivirus Virus Information

Virus Info > Virus Threats > Mitglieder.HH

W32/Mitglieder.HH

Summary of W32/Mitglieder.HH
Discovered:	26 Dec 2005
Definition files:	26 Dec 2005
Risk Level:	Medium
Distribution:	Medium

Jump to:

Brief description
Technical description
Removal Instructions

Brief Description

W32/Mitglieder.HH is a downloader trojan. It's incapable of spreading itself. It modifies registry to make sure it's run at startup. It runs in an endless loop trying to download files from multiple locations on the internet. If it manages to download any, they are executed.

Technical Description

When first run W32/Mitglieder.HH copies itself to %WINDIR%\system32\anti_troj.exe and drops the file ntimage.gif to the same directory. It opens Internet Explorer to view the gif picture. The picture looks like this:

It adds the value:

"anti_troj"="%WINDIR%\system32\anti_troj.exe"

to the keys:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

and the as value:

"FirstRRRun"=1

to the key:

[HKEY_CURRENT_USER\Software\FirstRRRun]

as an infection marker.

The trojan runs in an endless loop checking if the infected computer is connected to the internet and if so, tries to download a file named b..php from multiple URLs. It creates directory %WINDIR%\exefld and downloads the file there under a random name. If a file is downloaded then it's executed.

Removal Instructions

For general removal instructions please click here.

Marteinn Þór Harðarson

Virus Info by Platform

W32	Script	Macro
DOS	UNIX	All

Virus Info by Letter:

A	B	C	D	E	F
G	H	I	J	K	L
M	N	O	P	Q	R
S	T	U	V	W	X
Y	Z	All

F-PROT Antivirus Alerts

Stay up to date with important developments via e-mail.

Life cycle policy

Stay up to date with life cycle policies for F-PROT Antivirus for Windows.

Virus news and information directly to your desktop.

Glossary of Terms

Definitions of common antivirus terminology.

More Virus Info

For further virus information, please try our partners' websites:

Authentium

perComp Verlag
(in German)

Legal notices | Privacy policy | FRISK Software International © 1993-2010. All rights reserved.

agoat@klaki.net argentina@f-prot.com argentina@frisk.is argentina@complex.is argentina@f-prot.is argentina@frisk-software.com argentina@f-prot.net argentina@f-prot.co.uk brazil@f-prot.com brazil@frisk.is brazil@complex.is brazil@f-prot.is brazil@frisk-software.com brazil@f-prot.net brazil@f-prot.co.uk malta@f-prot.com malta@frisk.is malta@complex.is malta@f-prot.is malta@frisk-software.com malta@f-prot.net malta@f-prot.co.uk a.bjani@f-prot.com a.bjani@frisk.is a.bjani@complex.is a.bjani@f-prot.is a.bjani@f-prot.co.uk a.bjani@frisk-software.com a.bjani@f-prot.net z.fifl@f-prot.com z.fifl@frisk.is z.fifl@complex.is z.fifl@f-prot.is z.fifl@f-prot.co.uk z.fifl@frisk-software.com z.fifl@f-prot.net strumpuri@complex.is strumpure@complex.is strumpuru@complex.is 00a@eircom.net 0maaahonyy@eircom.net 950@eircom.net af@eircom.net am@eircom.net ar@eircom.net as@eircom.net b1@eircom.net boss3@eircom.net ceih@eircom.net cera@eircom.net chxe@eircom.net cs@eircom.net cydw@eircom.net d71@eircom.net dpfy@eircom.net dzuv@eircom.net ehpa@eircom.net epin@eircom.net f1@eircom.net fa@eircom.net fdld@eircom.net fdnv@eircom.net gacg@eircom.net gafj@eircom.net gc@eircom.net gz@eircom.net ha@eircom.net he@eircom.net ia@eircom.net ja@eircom.net k2@eircom.net lleahy6@eircom.net m1@eircom.net no@eircom.net pb@eircom.net qq@eircom.net r6oo@eircom.net ra@eircom.net s2@eircom.net t2@eircom.net ua@eircom.net va@eircom.net vb@eircom.net w2@eircom.net ww2@eircom.net xxxkiss@eircom.net y1@eircom.net ya@eircom.net zz@eircom.net