Trojan.Mitglieder.C


Discovered: January 18, 2004
Updated: January 20, 2004 3:55:17 PM
Systems Affected: Windows

Trojan.Mitglieder.C is a trojan program that allows a compromised system to be used as an email relay. Systems compromised in this way are often used to relay spam.

Trojan.Mitglieder.C allows a compromised system to be used as an email relay. When it is executed, it creates the following copy of itself:
%System%\System.exe

The following registry entry is created so that it executes every time Windows starts:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"ssgrate.exe" = "%System%\system.exe"

Additionally, the following values are created containing the trojan's configuration settings:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DateTime\"pid" = <Process ID>
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DateTime\"uid" = <Random value>
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DateTime\"port" = <Listening Proxy Port>

The trojan then creates a thread that contacts 15 websites and opens a PHP page on one of those sites, passing certain parameters. The parameters include the IP address of the system, the port used for proxying, and the trojan's ID. The following websites are contacted:

Next, the trojan creates a thread that terminates any of the following processes:
Atupdater.exe
Aupdate.exe
Autodown.exe
Autotrace.exe
Autoupdate.exe
Avpupd.exe
Avwupd32.exe
Avxquar.exe
Cfiaudit.exe
Drwebupw.exe
Icssuppnt.exe
Icsupp95.exe
Luall.exe
Mcupdate.exe
Nupgrade.exe
Update.exe

Finally, the trojan attempts to download a password-stealing trojan from one of 3 websites hard-coded into its body. This trojan is a minor variant of PWSteal.Ldpinch (MCID 2176). As of this writing, the trojan is no longer available for download from these websites. The websites the trojan attempts to connect to are:
www.rgs-rostock.de
www.gebr-wachs.de
www.lords-of-havoc.de

Once the trojan is running, it allows remote users to relay email through a preconfigured port. This port will be 39999 by default.
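As an added defender's check, not part of the original writeup, the following PowerShell looks for the artifacts described above: the dropped copy in the System folder, the per-user Run value, the configuration values under the DateTime key, and a listener on the relay port (the configured one, or 39999 by default). It assumes an elevated session on a Windows version that provides Get-NetTCPConnection (Windows 8 / Server 2012 or later).

```powershell
# Added example: checks a host for Trojan.Mitglieder.C artifacts. Not code from
# the writeup; run in an elevated PowerShell session.
$sys = [Environment]::GetFolderPath('System')          # expands %System%
$findings = @()

# 1. Dropped copy of the trojan in the System folder
$dropped = Join-Path $sys 'System.exe'
if (Test-Path $dropped) {
    $hash = (Get-FileHash $dropped -Algorithm SHA256).Hash
    $findings += "File present: $dropped (SHA256 $hash)"
}

# 2. Autostart value in the Run key of every currently loaded user hive
foreach ($hive in Get-ChildItem Registry::HKEY_USERS -ErrorAction SilentlyContinue) {
    $run = "Registry::$($hive.Name)\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
    $val = Get-ItemProperty -Path $run -Name 'ssgrate.exe' -ErrorAction SilentlyContinue
    if ($val) {
        $findings += "Run value ssgrate.exe in $($hive.PSChildName): $($val.'ssgrate.exe')"
    }
}

# 3. Configuration values; HKLM\SOFTWARE\Microsoft\DateTime is not a standard Windows key
$port = 39999                                            # default relay port per the writeup
$cfg = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\DateTime' -ErrorAction SilentlyContinue
if ($cfg) {
    $findings += "Config key present: pid=$($cfg.pid) uid=$($cfg.uid) port=$($cfg.port)"
    if ($cfg.port) { $port = [int]$cfg.port }
}

# 4. Any process listening on the relay port, with the owning image path
$listeners = Get-NetTCPConnection -State Listen -LocalPort $port -ErrorAction SilentlyContinue
foreach ($l in $listeners) {
    $proc = Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue
    $findings += "TCP $port listening: PID $($l.OwningProcess) ($($proc.Path))"
}

if ($findings.Count -eq 0) { 'No Trojan.Mitglieder.C artifacts found.' } else { $findings }
```

A hit on the Run value or the DateTime key is the strongest signal; a listener on 39999 alone should be confirmed against the owning process, since the port can legitimately be in use by something else.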