FRISK Software International


Summary of W32/Mitglieder.HT
Discovered: 3 Mar 2006
Definition files: 3 Mar 2006
Risk Level: Medium
Distribution: Low
 

Brief Description
W32/Mitglieder.HT is a downloader Trojan and is therefore incapable of spreading on its own. It modifies the registry to make sure it's run at startup and then runs in an endless loop, trying to download files from multiple Internet addresses. If it manages to download any of these files, they are executed. It tries to make its removal more difficult by attempting to kill any antivirus-related processes, disable their services, delete their files and make their websites inaccessible.


Technical Description
When first run W32/Mitglieder.HT opens a file-choosing dialog and asks the user:

"Select file to crack"

If a file is selected, the following error message is displayed:

"Incorrect file version"

In any case, it drops the files ldr64.dll and mloader32.dll into the system folder %WINDIR%\system32 and a randomly named file into the %TEMP% folder (all also detected as W32/Mitglieder.HT). It creates the registry keys:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ldr64]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\mloader32]

and adds some values to them in order for the files ldr64.dll and mloader32.dll to be executed at startup.

At the next startup the files ldr64.dll and mloader32.dll are loaded as Winlogon notification packages and therefore run inside the winlogon.exe process.
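The Winlogon\Notify persistence described above can be audited from an elevated PowerShell prompt. The script below is an added example, not code from FRISK or the advisory: it lists every Notify package, flags the ldr64 and mloader32 subkey names from this description, and also reports any notification DLL that is missing or lives outside %WINDIR%\system32. The function name and the signature column are my own additions.

```powershell
# Added example: audit Winlogon notification packages for the
# W32/Mitglieder.HT persistence keys (ldr64, mloader32) and for
# DLLs that do not belong in Winlogon\Notify. Run elevated.
$notifyKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
$knownBad  = @('ldr64', 'mloader32')   # subkey names from the advisory

function Get-WinlogonNotifyFindings {
    if (-not (Test-Path $notifyKey)) {
        # Notify packages were removed in Windows Vista; no key is normal there.
        Write-Verbose 'No Winlogon\Notify key present.'
        return @()
    }
    foreach ($sub in Get-ChildItem -Path $notifyKey) {
        $name = $sub.PSChildName
        $dll  = (Get-ItemProperty -Path $sub.PSPath -ErrorAction SilentlyContinue).DLLName
        if (-not $dll) { continue }
        # DLLName is usually a bare file name that winlogon resolves from system32.
        $path = if ([System.IO.Path]::IsPathRooted($dll)) { $dll }
                else { Join-Path $env:WINDIR "system32\$dll" }
        $reasons = @()
        if ($knownBad -contains $name.ToLower()) {
            $reasons += 'subkey name matches W32/Mitglieder.HT'
        }
        if (-not (Test-Path $path)) {
            $reasons += 'DLL missing on disk'
        } elseif ($path -notlike (Join-Path $env:WINDIR 'system32\*')) {
            $reasons += 'DLL outside %WINDIR%\system32'
        }
        # Signature status is informational only: catalog-signed system DLLs
        # can report NotSigned, so it is not used as a reason by itself.
        $sigStatus = if (Test-Path $path) {
            (Get-AuthenticodeSignature -FilePath $path).Status
        } else { 'n/a' }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Subkey    = $name
                DLLName   = $dll
                Path      = $path
                Signature = $sigStatus
                Reasons   = ($reasons -join '; ')
            }
        }
    }
}

Get-WinlogonNotifyFindings | Format-Table -AutoSize
```

Any finding whose Subkey is ldr64 or mloader32 matches this advisory; other entries outside system32 deserve a closer look but are not necessarily this Trojan.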

ldr64.dll tries to download the file 444.jpg from several Internet addresses and if successful the downloaded file is executed.

mloader32.dll tries to kill antivirus-related processes, disable their services, delete their files and make their websites inaccessible. However, this file has been reported to cause an error in winlogon.exe; if this happens, the computer reboots.


Removal Instructions
General removal instructions are available on the FRISK Software website.

Marteinn Þór Harðarson