FRISK Software International


Summary of W32/Mitglieder.TI
Discovered: 16 Jun 2006
Definition files: 16 Jun 2006
Risk Level: Medium
Distribution: Medium
 

Brief Description
W32/Mitglieder.TI is a downloader Trojan. It modifies the registry to make sure it's run at startup and runs in an endless loop, trying to download files from multiple Internet addresses. If it manages to download any of these files, they are executed.


Technical Description
When first run, W32/Mitglieder.TI opens Notepad with a blank document.

It copies itself to %SYSDIR%\hldrrr.exe.

Note: %SYSDIR% refers to the System directory. The default path for the respective operating systems is as follows:
  • Windows 95/98/Me - C:\Windows\System
  • Windows NT/2000 - C:\Winnt\System32
  • Windows XP - C:\Windows\System32

It adds the value:

"hldrrr" = "C:\\WINNT\\system32\\hldrrr.exe"

to the keys:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]

to make sure it's executed at startup.

It creates the key:

[HKEY_CURRENT_USER\Software\FirstRRRun]

and adds the value:

"FirstRRRun" = 1

to it as an infection marker.

It then runs in an endless loop, checking whether the infected computer is connected to the Internet and, if so, trying to download files named nul.php from multiple URLs. It creates the directory %WINDIR%\exefld if it doesn't exist and saves the downloaded files there under random names. Any file it manages to download is executed.
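The persistence entry and the infection marker described above can be checked for offline in an exported registry hive. The following is an added example, not part of the original description: it parses a small .reg export (constructed here, not a real capture) and reports the Run value pointing at hldrrr.exe and the FirstRRRun marker; the parser only handles string and DWORD values.

```python
# Indicators taken from the W32/Mitglieder.TI description above.
RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
)
MARKER_KEY = r"HKEY_CURRENT_USER\Software\FirstRRRun"
DROPPED_EXE = "hldrrr.exe"

def parse_reg_export(text):
    """Parse a Windows .reg export into {key_lowercased: {name: value}}.

    Handles quoted string values ("name"="value", with \\ unescaped to \)
    and DWORD values ("name"=dword:xxxxxxxx); other types are skipped.
    """
    tree, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            tree.setdefault(current, {})
        elif current and line.startswith('"') and "=" in line:
            name, _, raw = line.partition("=")
            name = name.strip('"')
            if raw.startswith("dword:"):
                tree[current][name] = int(raw[len("dword:"):], 16)
            elif raw.startswith('"') and raw.endswith('"'):
                tree[current][name] = raw[1:-1].replace("\\\\", "\\")
    return tree

def find_mitglieder_indicators(tree):
    """Return human-readable findings for the persistence value and marker."""
    findings = []
    for key in RUN_KEYS:
        for name, value in tree.get(key.lower(), {}).items():
            if isinstance(value, str) and value.lower().endswith("\\" + DROPPED_EXE):
                findings.append(f"Run value {name!r} -> {value} under {key}")
    if tree.get(MARKER_KEY.lower(), {}).get("FirstRRRun") == 1:
        findings.append(f"Infection marker {MARKER_KEY}\\FirstRRRun = 1")
    return findings

# Constructed sample export: one benign Run value plus the two described entries.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleUpdater"="C:\\Program Files\\Example\\updater.exe"
"hldrrr"="C:\\WINNT\\system32\\hldrrr.exe"

[HKEY_CURRENT_USER\Software\FirstRRRun]
"FirstRRRun"=dword:00000001
'''
```

Running `find_mitglieder_indicators(parse_reg_export(SAMPLE_REG))` on the sample yields the two findings; a clean export yields an empty list.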


Removal Instructions
For general removal instructions, please see the general removal instructions page.

Marteinn Þór Harðarson