Virus

W32/Mitglieder.FY!tr

Analysis

This Trojan may be received in an email message as an attachment. If it is run, it will install itself locally to the System32 folder as two files -

c:\WINNT\system32\hleader_dll.dll
c:\WINNT\system32\hloader_exe.exe

The Trojan then registers itself to run at Windows startup via a registry key modification -

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
"auto__hloader__key" = C:\WINNT\System32\hloader_exe.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"auto__hloader__key" = C:\WINNT\System32\hloader_exe.exe

The Trojan waits for the system to restart or for another user to log off and back on before attempting to perform any actions. After the Trojan loads on restart of Windows, it loads the .DLL component into the Web browser Internet Explorer (iexplore.exe) memory space to help avoid detection by process monitors and other debugging tools.

The .DLL component (hleader_dll.dll) serves as a database of web links the Trojan will use to retrieve binary files. At the time of this writing, no web-hosted files were available for download. This could change at any future time.
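The following PowerShell script is an added host check, not part of this advisory or any Fortinet tool. It looks for the three persistence and execution indicators described above: the "auto__hloader__key" value under either Run key, the two dropped files in the system folder, and hleader_dll.dll loaded inside an iexplore.exe process. It assumes a current Windows where the system folder is $env:SystemRoot\System32 (the advisory shows the older C:\WINNT\System32 path) and PowerShell 4 or later for Get-FileHash; the function and variable names are this example's own.

```powershell
# Added example: check a Windows host for the W32/Mitglieder.FY!tr indicators
# listed in the advisory. Names below are this example's own, not Fortinet's.

$Indicators = @{
    # registry value name the Trojan writes under both Run keys
    ValueName = 'auto__hloader__key'
    # files dropped into the system folder
    Files     = @('hleader_dll.dll', 'hloader_exe.exe')
    # HKCU and HKLM autostart keys named in the advisory
    RunKeys   = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    )
    # process the DLL component is injected into
    HostProcess = 'iexplore'
}

function Find-MitgliederFYIndicators {
    $findings = @()
    $valueName = $Indicators.ValueName

    # 1. Run-key persistence: report the value and the command it points at.
    foreach ($key in $Indicators.RunKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if ($props -and ($props.PSObject.Properties.Name -contains $valueName)) {
            $findings += [pscustomobject]@{
                Type     = 'RegistryRunValue'
                Location = $key
                Detail   = "$valueName = $($props.$valueName)"
            }
        }
    }

    # 2. Dropped files: assumption is the modern system folder, not C:\WINNT.
    $system32 = Join-Path -Path $env:SystemRoot -ChildPath 'System32'
    foreach ($name in $Indicators.Files) {
        $path = Join-Path -Path $system32 -ChildPath $name
        if (Test-Path -LiteralPath $path) {
            $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            $findings += [pscustomobject]@{
                Type     = 'DroppedFile'
                Location = $path
                Detail   = "SHA256 $hash"
            }
        }
    }

    # 3. DLL loaded into Internet Explorer: enumerate modules of each iexplore.exe.
    #    Module enumeration can fail for processes of another user; that is skipped.
    Get-Process -Name $Indicators.HostProcess -ErrorAction SilentlyContinue | ForEach-Object {
        $proc = $_
        try {
            $proc.Modules |
                Where-Object { $_.ModuleName -ieq 'hleader_dll.dll' } |
                ForEach-Object {
                    $findings += [pscustomobject]@{
                        Type     = 'InjectedModule'
                        Location = "$($proc.ProcessName) (PID $($proc.Id))"
                        Detail   = $_.FileName
                    }
                }
        } catch {
            Write-Verbose "Could not enumerate modules of PID $($proc.Id): $_"
        }
    }

    return $findings
}

# Usage: run elevated so HKLM and other users' processes are readable.
$results = Find-MitgliederFYIndicators
if ($results.Count -eq 0) {
    Write-Output 'No W32/Mitglieder.FY!tr indicators found.'
} else {
    $results | Format-Table -AutoSize
    # non-zero exit lets an RMM or scheduled task flag the host
    exit 1
}
```

Finding any one of the three indicators is enough to treat the host as compromised and pull it for a full scan with an up-to-date engine; the registry value alone can also be caught earlier by auditing Run-key writes, since the Trojan does nothing until the next logon.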

Recommended Action

FortiGate systems:
  • check the main screen using the web interface to ensure the latest AV/NIDS database has been downloaded and installed -- if required, enable the "Allow Push Update" option