Lumension® Endpoint Intelligence Center

Overview

Threat Risk LOW
Destructivity LOW
Payload Disables security software, includes backdoor and downloader capability
Detection files published
Description created 13 Dec 2005 12:24:00
Description updated 13 Dec 2005 12:24:00
Malware type WORM
Alias Mitglied.gen
Spreading mechanism EMAIL
NETWORK
Summary None

W32/Mitglied.gen

Spreading

The Mitglieds are often spammed out as email attachments and are a common component of the Bagle email worms. The email relay backdoor opened by a Mitglied might be used both for commercial spam and to distribute new variants of Mitglied and Bagle.
When a Mitglied is executed it copies itself to the %SYSTEM% folder and registers itself in the run key "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" so that it is executed on Windows startup. It might also modify or create the key "HKCR\exefile\shell\open\command" and set its default value to "%SYSTEM%\ -run "%1" %*", so that the worm is launched every time any .exe file is opened.
Some Mitglieds also have the functionality to search for computers which have been infected with the "W32\MyDoom" worm; if such a computer is found, the Mitglied copies itself over. These variants will also try to delete registry keys created by the MyDoom worm.
A selection of filenames used by Mitglied:
irun4.exe
window.exe
winhost.exe
winshost.exe
syswrun4x.exe
realupd.exe
wind.exe
windll32.exe
scvhost.exe
sysdoor.exe
windllsys32.exe
winudll.exe
winsystems.exe
runner.exe
system.exe
drwatson32.exe
antiav_exe.exe
anti_troj.exe
or a random value
A selection of run key value names it might use:
"sgrate.exe"
"ssgrate.exe"
"RealUpdater"
"windows.exe"
"dm_service"
"usrgtway.exe"
"Symantec NetDriver Monitor"
"auto__hloader__key"
"auto__antiav__key"
"WindowsDebug"
or the filename it copied itself to.
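The persistence artifacts described above (the HKCU Run value, the exefile shell\open\command hijack, and the dropped filename in %SYSTEM%) can be checked on a suspect host from an elevated PowerShell prompt. The following read-only triage script is an added example and not Lumension's detection logic or removal tool; the indicator lists are copied from this description, and everything else (the variable names, the choice of SHA256 for the file hash, and the assumption that a clean exefile command is exactly "%1" %*) is the example's own.

```powershell
# Added example (not Lumension's code): report Mitglied persistence artifacts
# listed in this description. Read-only: it flags findings and removes nothing.

# Indicators taken from the description above.
$FileNames = @(
    'irun4.exe','window.exe','winhost.exe','winshost.exe','syswrun4x.exe',
    'realupd.exe','wind.exe','windll32.exe','scvhost.exe','sysdoor.exe',
    'windllsys32.exe','winudll.exe','winsystems.exe','runner.exe','system.exe',
    'drwatson32.exe','antiav_exe.exe','anti_troj.exe'
)
$RunValueNames = @(
    'sgrate.exe','ssgrate.exe','RealUpdater','windows.exe','dm_service',
    'usrgtway.exe','Symantec NetDriver Monitor','auto__hloader__key',
    'auto__antiav__key','WindowsDebug'
)

$findings  = @()
$systemDir = [Environment]::SystemDirectory   # %SYSTEM%, e.g. C:\Windows\System32

# 1. HKCU Run key: flag a known value name, or any value whose command line
#    points at one of the listed filenames inside %SYSTEM%.
$runKey = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
if (Test-Path $runKey) {
    $props = Get-ItemProperty -Path $runKey
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip the provider's own PSPath/PSDrive members
        $cmd    = [string]$p.Value
        $byName = $RunValueNames -contains $p.Name          # case-insensitive
        $byFile = $FileNames | Where-Object { $cmd -like "*$systemDir\$_*" }
        if ($byName -or $byFile) {
            $findings += [pscustomobject]@{ Check = 'HKCU Run value'; Item = $p.Name; Detail = $cmd }
        }
    }
}

# 2. exefile open-command hijack. A clean default value is exactly "%1" %*
#    (assumption of this example); anything prefixed, such as
#    %SYSTEM%\<name> -run "%1" %*, means every .exe launch is proxied.
$exeKey  = 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command'
$default = (Get-ItemProperty -Path $exeKey -ErrorAction SilentlyContinue).'(default)'
if ($default -and $default.Trim() -ne '"%1" %*') {
    $findings += [pscustomobject]@{ Check = 'exefile open command'; Item = '(default)'; Detail = $default }
}

# 3. Listed filenames present in %SYSTEM%. The hash is recorded so the file
#    can be submitted or matched against vendor detection data.
foreach ($f in $FileNames) {
    $path = Join-Path $systemDir $f
    if (Test-Path -LiteralPath $path) {
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        $findings += [pscustomobject]@{ Check = 'file in %SYSTEM%'; Item = $f; Detail = "SHA256 $hash" }
    }
}

if ($findings.Count -eq 0) { 'No Mitglied indicators found.' }
else { $findings | Format-Table -AutoSize }
```

Two caveats follow directly from the description: the worm may use a random filename and may register the Run value under whatever name it copied itself to, so check 1 also matches on the command line rather than the value name alone, and an empty result from checks 1 and 3 is not proof of a clean host. Check 2 does not depend on the filename at all, which makes the exefile command the most reliable of the three artifacts to inspect.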

Payload Details


Analysis

n/a

Removal

Lumension currently detects several Mitglied variants.


Last Updated: 12 Nov 2015 11:06:11