Panda issued a code orange warning for this virus.
Mitglieder.GB attempts to
download a file from the following web pages every four hours, by means of a PHP
script:
http://202.4<blocked>.38
http://209.1<blocked>8.203
http://25<blocked>dr.org
http://65.1<blocked>95.73
http://75<blocked>55.ru
http://80.14<blocked>3.41
http://abte<blocked>fety.com
http://ace<blocked>rum.pl
http://ada<blocked>nue.net
http://adop<blocked>nada.ca
http://adv<blocked>cgroup.com
http://agenc
blocked>dinternet.com
http://aha<blocked>afe24.com
http://aib<blocked>ea.org
http://aik<blocked>an.com
http://al<blocked>bg.net
http://ale<blocked>rligi.ch
http://alfa<blocked>ssic.sk
http://all<blocked>oni.it
http://all
blocked>.com.au
http://amer<blocked>ergyco.com
http://ame<blocked>meryka.com
http://am<blocked>ra.com
http://anal
blocked>sultoria.com
http://av2<blocked>.comex.ru
http://cal<blocked>rco.com
http://cco <blocked>omadrid.org
http://charl <blocked>ckerpage.de
http://drin<blocked>ter.ru
http://ele<blocked>ltek.com
http://furd<blocked>oba.info
http://ke<blocked>er.kz
http://mij<blocked>gdo.net
http://ok<blocked>ns.co.jp
http://ph<blocked>g.org
http://s8<blocked>u.edu.tw
http://saca<blocked>dark.net
http://tem<blocked>e.nease.net
http://tk<blocked>mi.net
http://vir<blocked>3.kei.pl
http://www.8
blocked>tlan.hu
http://www.a2<blocked>tings.com
http://www.aba<blocked>tis.hu
http://www.ad<blocked>nt-np.ru
http://www.agro<blocked>styka.artneo.pl
http://www.ame<blocked>rising.com
http://www.bar<blocked>rwery.pl
http://www.bm<blocked>depot.com
http://www.etw<blocked>ode.de
http://www.le<blocked>.co.il
http://www.rew<blocked>st.com
http://www.tim<blocked>trol.com.pl
http://www.u<blocked>u.pl
Once downloaded,
Mitglieder.GB saves it with a name consisting in a random number, in the subfolder EXEFLD of the Windows directory, and then, runs it.
Infection strategy
Mitglieder.GB creates the file ANTI_TROJ.EXE in the Windows system directory. This file is a copy of the Trojan.
Mitglieder.GB creates the following entries in the Windows Registry:- HKEY_CURRENT_USER\ Software\ Microsoft\ Windows\ CurrentVersion\ Run
anti_troj = %sysdir%\ anti_troj.exe
- HKEY_LOCAL_MACHINE\ Software\ Microsoft\ Windows\ CurrentVersion\ Run
anti_troj = %sysdir%\ anti_troj.exe
where %sysdir% is the Windows system directory.
By creating these entries, Mitglieder.GB ensures that it is run whenever Windows is started.
- HKEY_CURRENT_USER\ Software\ FirstRRRun
It creates this entry as infection mark, in order to check if Mitglieder.GB has previously affected the computer.
Means of transmission
Mitglieder.GB has been massively sent in an email message with the following characteristics:- Subject: it can be any of the following, among others:
Roberte
Sydney
Rebecka
Daniel
- Message: it can be any of the following, among others:
FOTO-2
FOTO-4
VIP-foto
Foto land
- Attached files:
A file with a random name and a ZIP extension.
Further Details
Mitglieder.GB is written in the programming languagebytes in size, and it is compressed. Visual C++ v6. This file is between 9,275 and 9,760
To remove the virus go
here
Bram
PC Help Forum
» Security & Safety
» Security Watch
»
Mitglieder.GB is spreading fast
Mitglieder.GB is spreading fast
Linear Mode
