Virus

W32/Mitglieder.HW!tr

Analysis

This variant is a minor variant of Bagle.EJ and is packed with a file size in excess of 139,775 bytes.

Upon running the file, a dialogue screen is displayed requesting the user to browse to a file for "cracking", as if the program was a shareware application cracker. Depending on a file chosen for the "cracker" to crack, an error dialogue is displayed like this -

Meanwhile, the virus writes a .DLL file into the System32 folder named "ldr64.dll". It is packed with a file size of 134,656 bytes. Thsi DLL is identified as "W32/Mitglieder.HW!tr" by FortiClient and current AV db.

This DLL file loads at the next Windows restart via some registry modifications -

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ldr64
"Asynchronous" = 01, 00, 00, 00
"DllName" = ldr64.dll
"Impersonate" = 00, 00, 00, 00
"LdCount" = 00, 00, 00, 00
"prevt" = 00, 00, 00, 00
"Startup" = Startup

When Windows restarts, ldr64.dll is loaded into memory as an assisting DLL with WINLOGON.EXE. The loaded DLL is coded to connect to various websites in an attempt to download binary files named either "666.jpg" or "666.php".

If the file is retrieved, it is renamed to either "edlm.exe" or "edlm2.exe" and run as an executable. As of the time of this writing, none of the servers were hosting the files requested by the virus.

Recommended Action


    FortiGate systems:
  • check the main screen using the web interface to ensure the latest AV/NIDS database has been downloaded and installed -- if required, enable the "Allow Push Update" option

  • FortiClient systems:

  • Quarantine/Delete infected files detected