When first run, W32/Mitglieder.TI opens Notepad with a blank document.
It copies itself to %SYSDIR%\hldrrr.exe.
Note: %SYSDIR% refers to the System directory. The default path for the respective operating systems is as follows:
- Windows 95/98/Me - C:\Windows\System
- Windows NT/2000 - C:\Winnt\System32
- Windows XP - C:\Windows\System32
It adds the value:
"hldrrr" = "C:\\WINNT\\system32\\hldrrr.exe"
to the keys:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
so that it is executed at every startup.
It creates the key:
[HKEY_CURRENT_USER\Software\FirstRRRun]
and adds the value:
"FirstRRRun" = 1
to it as an infection marker.
It runs in an endless loop, checking whether the infected computer is connected to the Internet; if so, it tries to download files named nul.php from multiple URLs. It creates the directory %WINDIR%\exefld if it does not exist and saves the downloaded files there under random names. Any file it manages to download is executed.
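As an added, illustrative example (not part of the vendor description above), the following Python script checks a host for the indicators listed on this page: the "hldrrr" autorun value under the Run keys, the FirstRRRun infection marker, the dropped hldrrr.exe in the System directory, files staged in %WINDIR%\exefld, and proxy-log entries fetching nul.php. It works from a .reg export, a file listing and proxy log lines instead of touching a live registry, so it runs offline on any platform. The sample registry export, file list and log lines are constructed, the host example.invalid is a placeholder, and the proxy log format (timestamp, client, method, URL, status) is an assumption.

```python
import re
from typing import Dict, Iterable, List

# Indicators quoted from the description above; everything else is illustrative.
RUN_VALUE_NAME = "hldrrr"
DROPPED_FILE = "hldrrr.exe"
MARKER_KEY = r"HKEY_CURRENT_USER\Software\FirstRRRun"
MARKER_VALUE = "FirstRRRun"
DOWNLOAD_DIR = "exefld"
DOWNLOAD_FILE = "nul.php"
RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
)

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')
_URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)


def parse_reg_export(text: str) -> Dict[str, Dict[str, object]]:
    """Parse the subset of .reg syntax needed here: [key] headers,
    "name"="string" and "name"=dword:hex lines. Registry key and value
    names are case-insensitive, so keys are stored upper-cased and value
    names lower-cased."""
    tree: Dict[str, Dict[str, object]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1).upper()
            tree.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name, data = m.group(1), m.group(2)
            if data.startswith('"') and data.endswith('"'):
                # .reg files escape backslashes and quotes with a backslash
                value: object = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
            elif data.lower().startswith("dword:"):
                value = int(data[6:], 16)
            else:
                value = data
            tree[current][name.lower()] = value
    return tree


def check_registry(tree: Dict[str, Dict[str, object]]) -> List[str]:
    """Report the autorun value and the infection marker if present."""
    findings = []
    for key in RUN_KEYS:
        value = tree.get(key.upper(), {}).get(RUN_VALUE_NAME)
        if isinstance(value, str) and value.lower().endswith("\\" + DROPPED_FILE):
            findings.append(f"autorun value {RUN_VALUE_NAME!r} -> {value} under {key}")
    if tree.get(MARKER_KEY.upper(), {}).get(MARKER_VALUE.lower()) == 1:
        findings.append(f"infection marker {MARKER_KEY}\\{MARKER_VALUE} = 1")
    return findings


def check_files(paths: Iterable[str], sysdir: str, windir: str) -> List[str]:
    """Report the dropped copy and anything staged in %WINDIR%\\exefld."""
    findings = []
    dropped = (sysdir.rstrip("\\") + "\\" + DROPPED_FILE).lower()
    stage_dir = (windir.rstrip("\\") + "\\" + DOWNLOAD_DIR + "\\").lower()
    for p in paths:
        lp = p.lower()
        if lp == dropped:
            findings.append(f"dropped copy present: {p}")
        elif lp.startswith(stage_dir):
            findings.append(f"file in download staging directory: {p}")
    return findings


def check_proxy_log(lines: Iterable[str]) -> List[str]:
    """Report requests whose URL path ends in /nul.php (assumed log format)."""
    findings = []
    for line in lines:
        for url in _URL_RE.findall(line):
            path = url.split("?", 1)[0].rstrip("/")
            if path.lower().endswith("/" + DOWNLOAD_FILE):
                findings.append(f"download attempt for {DOWNLOAD_FILE}: {line.strip()}")
    return findings


def scan(reg_text: str, paths: Iterable[str], log_lines: Iterable[str],
         sysdir: str, windir: str) -> List[str]:
    """Run all three checks and return every finding."""
    return (check_registry(parse_reg_export(reg_text))
            + check_files(paths, sysdir, windir)
            + check_proxy_log(log_lines))


# Constructed sample input: a .reg export of an infected host (the autorun
# path is the one quoted on this page, in .reg escaping), a partial file
# listing and two proxy log lines against a placeholder host.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hldrrr"="C:\\WINNT\\system32\\hldrrr.exe"

[HKEY_CURRENT_USER\Software\FirstRRRun]
"FirstRRRun"=dword:00000001
'''
SAMPLE_FILES = [r"C:\WINNT\system32\hldrrr.exe",
                r"C:\WINNT\exefld\ab12cd.exe",
                r"C:\WINNT\system32\notepad.exe"]
SAMPLE_LOG = ["2004-03-01 10:02:11 10.0.0.5 GET http://example.invalid/nul.php 200",
              "2004-03-01 10:02:12 10.0.0.5 GET http://example.invalid/index.html 200"]

if __name__ == "__main__":
    for finding in scan(SAMPLE_REG, SAMPLE_FILES, SAMPLE_LOG, r"C:\WINNT\system32", r"C:\WINNT"):
        print(finding)
```

On a real host the three inputs would come from `reg export` of the two hives, a recursive directory listing of the System and Windows directories, and the web proxy's access log; the checks themselves stay the same. Matching the autorun value by its file name rather than the full quoted path keeps the check valid on Windows XP, where the copy lives under C:\Windows\System32 instead of C:\WINNT\system32.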