Upon execution, W32/Mitglieder.UZ creates the text file C:\error.txt and opens it in Notepad. The file contains the following text:
Text decoding error.
Creates a folder named hidn in %APPDATA% and copies itself there as hldrrr.exe and hidn2.exe.
Adds the value:
"drv_st_key" = "%APPDATA%\hidn\hidn2.exe"
to the registry key:
[CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
Harvests e-mail addresses from all files on the infected computer that have one of the following extensions:
wab, txt, msg, htm, shtm, stm, xml, dbx, mbx, mdx, eml, nch, mmf, ods, cfg, asp, php, pl, wsh, adb, tbb, sht, xls, oft, uin, cgi, mht, dhtm, jsp
Attaches a zipped copy of itself to the e-mails it sends to the harvested addresses. The zip archive is named one of the following:
price_<Date>.zip
price-<Date>.zip
price<Date>.zip
new_price<Date>.zip
latest_price<Date>.zip
where <Date> is the date the e-mail was sent.
It also attempts to download and execute additional code from the Internet and to update itself.
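As an added detection example that is not part of the original description, the following Python checks two of the indicators listed above against constructed sample data: it scans a .reg export of the Run key for the drv_st_key value (or any value whose data points at ...\hidn\hidn2.exe), and it matches attachment file names against the price*<Date>.zip naming patterns. The digits-only <Date> format, the sample paths and the sample value names are assumptions.

```python
import re

# Indicators from the description above. The hive is written out as
# HKEY_CURRENT_USER here, which the text abbreviates to CURRENT_USER.
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "drv_st_key"
DROP_PATH_FRAGMENT = r"\hidn\hidn2.exe"

# price_<Date>.zip, price-<Date>.zip, price<Date>.zip, new_price<Date>.zip,
# latest_price<Date>.zip. Assumption: <Date> is rendered as digits only.
ATTACHMENT_RE = re.compile(r"^(?:new_|latest_)?price[_-]?\d+\.zip$", re.IGNORECASE)

# Constructed sample .reg export (not a real capture); .reg files double backslashes.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Updater"="C:\\Program Files\\Example\\updater.exe"
"drv_st_key"="C:\\Users\\bob\\AppData\\Roaming\\hidn\\hidn2.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Cleanup"="C:\\Windows\\notepad.exe"
"""


def is_suspicious_attachment(name):
    """True if an attachment name fits the worm's zip naming patterns."""
    return bool(ATTACHMENT_RE.match(name.strip()))


def find_run_key_persistence(reg_export):
    """Return 'name -> data' for Run-key values matching the worm's persistence."""
    hits = []
    current_key = None
    for raw in reg_export.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]          # start of a new key section
            continue
        m = re.match(r'^"([^"]+)"="(.*)"$', line)
        if not m or current_key is None:
            continue
        name, data = m.group(1), m.group(2).replace("\\\\", "\\")  # undo .reg escaping
        if current_key.lower() != RUN_KEY.lower():
            continue
        if name.lower() == RUN_VALUE or DROP_PATH_FRAGMENT.lower() in data.lower():
            hits.append(f"{name} -> {data}")
    return hits
```

Values found by find_run_key_persistence should be verified on the host before removal, since the path data, not just the value name, is what ties the entry to the dropped copy.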