Summary of W32/Mitglieder.HT
||3 Mar 2006
||3 Mar 2006
|W32/Mitglieder.HT is a downloader Trojan and is therefore incapable of spreading on its own. It modifies the registry to make sure it's run at startup and then runs in an endless loop, trying to download files from multiple Internet addresses. If it manages to download any of these files, they are executed. It tries to make its removal more difficult by attempting to kill any antivirus-related processes, disable their services, delete their files and make their websites inaccessible.|
|When first run W32/Mitglieder.HT opens a file-choosing dialog and asks the user:|
"Select file to crack"
If a file is selected, the following error message is displayed:
"Incorrect file version"
In any case, it drops the files ldr64.dll and mloader32.dll into the system folder %WINDIR%\system32 and a random named file into the %TEMP% folder (all also detected as W32/Mitglieder.HT). It creates the registry keys:
and adds some values to them in order for the files ldr64.dll and mloader32.dll to be executed at startup.
At next startup the files ldr64.dll and mloader32.dll are executed in the namespace of winlogon.exe.
ldr64.dll tries to download the file 444.jpg from several Internet addresses and if successful the downloaded file is executed.
mloader32.dll tries to kill antivirus-related processes, disable their services, delete their files and make their websites inaccessible. However, this file has been reported to cause error in winlogon. If this happens the computer reboots.
|Removal Instructions||For general removal instructions please click here.|