W32/Mitglieder.GI!tr

Analysis

This Trojan is only a minor variant of its previous version. It may arrive in an email message as an attachment, possibly inside a .ZIP file. The installed copy lives in the System32 folder under the following name (the registry entries below point to this file) -

c:\WINNT\system32\anti_troj.exe

If the Trojan is run, it may display a graphic image file stored in the System32 folder named "ntimage.gif"; the image is a decoy shown to distract the user while the installation proceeds. The Trojan then registers itself to run at Windows startup by adding the following registry values -

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
"anti_troj" = C:\WINNT\System32\anti_troj.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"anti_troj" = C:\WINNT\System32\anti_troj.exe

After Windows restarts and the Trojan loads, it attempts to connect to a set of hard-coded web sites and retrieve a file named "z.php" from each. Below is the list of sites the Trojan will try to contact (these sites were very likely compromised by the malware author rather than registered for this purpose) -

202.44.52.38
209.126.128.203
25kadr.org
65.108.195.73
757555.ru
80.146.233.41
abtechsafety.com
acentrum.pl
adavenue.net
adoptionscanada.ca
adventecgroup.com
agenciaspublicidadinternet.com
ahava.cafe24.com
aibsnlea.org
aikidan.com
ala-bg.net
alevibirligi.ch
alfaclassic.sk
allanconi.it
allinfo.com.au
americasenergyco.com
amerykaameryka.com
amistra.com
analisisyconsultoria.com
calamarco.com
ccooaytomadrid.org
charlies-truckerpage.de
drinkwater.ru
eleceltek.com
furdoszoba.info
kepter.kz
mijusungdo.net
oklens.co.jp
phrmg.org
s89.tku.edu.tw
sacafterdark.net
template.nease.net
tkdami.net
virt33.kei.pl
www.8ingatlan.hu
www.a2zhostings.com
www.abavitis.hu
www.adamant-np.ru
www.agroturystyka.artneo.pl
www.americarising.com
www.barth.serwery.pl
www.bmswijndepot.com
www.etwas-mode.de
www.leap.co.il
www.timecontrol.com.pl
www.ubu.pl
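The indicators above (the two Run-key values, the anti_troj.exe file name, the z.php fetch and the host list) can be hunted for directly. The Python below is an added example, not code from the Fortinet write-up: it matches the indicators against constructed Squid-style proxy log lines and against constructed `reg query` output for the two Run keys, both embedded inline so it runs offline. The host set is a subset of the list above for brevity and should be extended with the full list for real use; the value names other than anti_troj in the sample registry output are filler.

```python
import re
from urllib.parse import urlsplit

# Subset of the hard-coded hosts listed in the write-up; extend with the
# full list for real use. IP addresses and hostnames are matched the same way.
C2_HOSTS = {
    "202.44.52.38", "209.126.128.203", "25kadr.org", "65.108.195.73",
    "757555.ru", "80.146.233.41", "abtechsafety.com", "acentrum.pl",
    "www.timecontrol.com.pl", "www.ubu.pl",
}
PAYLOAD_NAME = "z.php"         # file the Trojan retrieves from each host
PERSIST_VALUE = "anti_troj"    # Run-key value name used for persistence
PERSIST_EXE = "anti_troj.exe"  # installed copy in the System32 folder

# Constructed sample input: Squid-style proxy log lines (not real traffic).
SAMPLE_PROXY_LOG = """\
1180000001.123 100 10.0.0.5 TCP_MISS/200 512 GET http://25kadr.org/z.php - DIRECT/203.0.113.10 text/html
1180000002.456 90 10.0.0.5 TCP_MISS/404 300 GET http://www.ubu.pl/z.php - DIRECT/203.0.113.11 text/html
1180000003.789 80 10.0.0.7 TCP_MISS/200 4096 GET http://www.example.com/index.html - DIRECT/203.0.113.12 text/html
1180000004.012 70 10.0.0.9 TCP_MISS/200 256 GET http://intranet.example.com/z.php - DIRECT/10.1.1.1 text/html
"""

# Constructed sample input: what `reg query <key>` prints for the two Run
# keys on an infected host (value names other than anti_troj are filler).
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    ctfmon.exe    REG_SZ    C:\WINNT\System32\ctfmon.exe
    anti_troj    REG_SZ    C:\WINNT\System32\anti_troj.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SoundMan    REG_SZ    SOUNDMAN.EXE
    anti_troj    REG_SZ    C:\WINNT\System32\anti_troj.exe
"""

URL_RE = re.compile(r"https?://[^\s\"']+")
# `reg query` prints:  <4 spaces><name><4 spaces><REG_TYPE><4 spaces><data>
REG_LINE_RE = re.compile(r"^\s+(.+?)\s{2,}(REG_\w+)\s{2,}(.*)$")


def hunt_proxy_log(lines):
    """Return one hit per line whose URL points at a known host or at z.php.

    The log layout is not assumed: the first http(s) URL on the line is taken,
    so Squid native and W3C-style proxy logs both work. A z.php fetch from an
    unknown host is still reported, as a weaker indicator.
    """
    hits = []
    for line in lines:
        m = URL_RE.search(line)
        if not m:
            continue
        parts = urlsplit(m.group(0))
        host = (parts.hostname or "").lower()
        reasons = []
        if host in C2_HOSTS:
            reasons.append("known host")
        if parts.path.lower().rsplit("/", 1)[-1] == PAYLOAD_NAME:
            reasons.append("z.php fetch")
        if reasons:
            hits.append({"host": host, "path": parts.path,
                         "reasons": reasons, "line": line})
    return hits


def parse_reg_query(text):
    """Parse `reg query` output into {key: {value_name: (type, data)}}."""
    keys, current = {}, None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            current = line.strip()
            keys[current] = {}
            continue
        m = REG_LINE_RE.match(line)
        if m and current is not None:
            name, vtype, data = m.groups()
            keys[current][name] = (vtype, data.strip())
    return keys


def find_persistence(reg_text):
    """Return (key, value_name, data) for every Run entry tied to the Trojan.

    Matches on the value name or on the executable name, so a renamed value
    pointing at anti_troj.exe is still caught.
    """
    found = []
    for key, values in parse_reg_query(reg_text).items():
        for name, (_vtype, data) in values.items():
            if name.lower() == PERSIST_VALUE or data.lower().endswith(PERSIST_EXE):
                found.append((key, name, data))
    return found


if __name__ == "__main__":
    for hit in hunt_proxy_log(SAMPLE_PROXY_LOG.splitlines()):
        print(f"proxy hit: {hit['host']}{hit['path']} ({', '.join(hit['reasons'])})")
    for key, name, data in find_persistence(SAMPLE_REG_QUERY):
        print(f"persistence: {key} -> {name} = {data}")
```

On a live host the registry input would come from `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run` and the HKLM equivalent; deleting the two values and the file in System32 is the cleanup, and the proxy hits tell you which other machines fetched z.php and need the same check.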

Recommended Action

FortiGate systems:
  • check the main screen using the web interface to ensure the latest AV/NIDS database has been downloaded and installed -- if required, enable the "Allow Push Update" option

Telemetry

Detection Availability

Product                     Availability
FortiClient                 Extreme
FortiMail                   Extreme
FortiSandbox                Extreme
FortiWeb                    Extreme
Web Application Firewall    Extreme
FortiIsolator               Extreme
FortiDeceptor               Extreme
FortiEDR