Weekly Report on Viruses and Intruders – Mitglieder Trojan (FK, FL, FN and FM) and Bagle.FN Worm
According to data from Panda ActiveScan, Panda Software’s online antivirus solution, the four variants of Mitglieder mentioned above have been the most frequently detected threats around the world. The first variant to appear -FK-, is spread in emails with a blank subject and with a message text including words such as “Texte” or “Info”. The emails include a .ZIP attachment with a variable name (Health_and_knowledge, Txt_sms, Max, Business, The_new_price, Info_prices or Business_dealing). This file includes an .EXE file, which installs Mitglieder.FK on the computer when it is run.
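As an added illustration (not part of Panda's report), the mailing characteristics described above can be turned into a simple gateway triage rule: blank subject, a one-word body such as "Texte" or "Info", a .ZIP attachment with one of the listed base names, and an .EXE inside that ZIP. The script below builds a constructed sample message (no real capture is used), inspects the ZIP without extracting it, and flags the message when an executable-in-ZIP coincides with any of the other traits. The helper names and the scoring logic are this example's own assumptions.

```python
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Attachment base names the report lists for Mitglieder.FK mailings (lower-cased).
KNOWN_ZIP_NAMES = {
    "health_and_knowledge", "txt_sms", "max", "business",
    "the_new_price", "info_prices", "business_dealing",
}
# Body words the report mentions.
BODY_WORDS = {"texte", "info"}


def zip_has_executable(data: bytes) -> bool:
    """Return True if the ZIP payload lists a .exe entry; it is never extracted."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(name.lower().endswith(".exe") for name in zf.namelist())
    except zipfile.BadZipFile:
        return False


def score_message(raw: bytes) -> dict:
    """Evaluate one raw RFC 5322 message against the traits from the report."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = {"known_zip_name": False, "zip_with_exe": False}

    subject = str(msg["Subject"] or "").strip()
    hits["blank_subject"] = subject == ""

    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body else ""
    hits["keyword_body"] = bool(set(re.findall(r"[a-z]+", text)) & BODY_WORDS)

    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        base, _, ext = fname.rpartition(".")
        if ext.lower() != "zip":
            continue
        if base.lower() in KNOWN_ZIP_NAMES:
            hits["known_zip_name"] = True
        if zip_has_executable(part.get_payload(decode=True) or b""):
            hits["zip_with_exe"] = True

    # Heuristic (assumption of this example): an EXE inside a ZIP plus any other trait.
    hits["suspicious"] = hits["zip_with_exe"] and (
        hits["blank_subject"] or hits["keyword_body"] or hits["known_zip_name"]
    )
    return hits


def build_sample(subject: str, body: str, zip_name: str, inner_name: str) -> bytes:
    """Construct a test message (not a real sample) carrying a ZIP with one dummy entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(inner_name, b"MZ placeholder, not a real executable")
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "victim@example.invalid"
    if subject:
        msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename=zip_name)
    return msg.as_bytes()


if __name__ == "__main__":
    print(score_message(build_sample("", "Texte", "Max.zip", "Max.exe")))
    print(score_message(build_sample("Q3 report", "Slides attached.", "slides.zip", "slides.pdf")))
```

The ZIP is read from memory with the standard library only; nothing is written to disk, so the rule can run inline in a mail filter. Matching a blank subject alone would be far too noisy, which is why the executable-in-ZIP condition is mandatory.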
The FK, FL and FN variants of Mitglieder share the following characteristics:
– Once installed on a computer, they contact a PHP script hosted on several web pages and try to download a file from it. Once downloaded, they save it -using a random number as the name- in the EXEFLD subfolder of the Windows directory, and then run it.
– They create the HLOADER_EXE.EXE file, a copy of the Trojan itself, which in turn generates the HLEADER_DLL.DLL file the next time the computer is started up. The latter is injected into the EXPLORER.EXE process and carries out the Trojan’s actions.
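The two host-side artifacts just listed (files with numeric names under the EXEFLD subfolder of the Windows directory, and the HLOADER_EXE.EXE / HLEADER_DLL.DLL loader pair) make a quick local check possible. The following script is an added example, not Panda's tooling: it walks a directory that stands in for the Windows directory and reports those artifacts. Because the report does not say where the loader files are written, the loader search covers the whole tree, which is an assumption of this example; the temporary fixture tree is constructed here purely for demonstration.

```python
import re
import tempfile
from pathlib import Path

# Artifacts the report attributes to Mitglieder.FK/FL/FN.
DROP_SUBDIR = "exefld"                      # compared case-insensitively
LOADER_NAMES = {"hloader_exe.exe", "hleader_dll.dll"}
# Downloaded payload is saved under a random number; allow an optional .exe suffix (assumption).
NUMERIC_NAME = re.compile(r"\d+(\.exe)?")


def find_mitglieder_artifacts(windir: str) -> dict:
    """Scan a Windows directory (or a stand-in) for the dropped files named in the report."""
    root = Path(windir)
    findings = {"exefld_files": [], "loader_files": []}

    drop = next((p for p in root.iterdir()
                 if p.is_dir() and p.name.lower() == DROP_SUBDIR), None)
    if drop is not None:
        for p in drop.iterdir():
            if p.is_file() and NUMERIC_NAME.fullmatch(p.name.lower()):
                findings["exefld_files"].append(str(p))

    # Location of the loader files is not given by the report: search the whole tree.
    for p in root.rglob("*"):
        if p.is_file() and p.name.lower() in LOADER_NAMES:
            findings["loader_files"].append(str(p))

    findings["infected"] = bool(findings["exefld_files"] or findings["loader_files"])
    return findings


def build_fixture(infected: bool) -> str:
    """Construct a throwaway tree imitating %WINDIR% (a test fixture, not a real system)."""
    windir = Path(tempfile.mkdtemp(prefix="fake_windir_"))
    (windir / "system32").mkdir()
    (windir / "system32" / "notepad.exe").write_bytes(b"MZ benign placeholder")
    if infected:
        (windir / "EXEFLD").mkdir()
        (windir / "EXEFLD" / "58372").write_bytes(b"MZ placeholder payload")
        (windir / "system32" / "HLOADER_EXE.EXE").write_bytes(b"MZ placeholder loader")
    return str(windir)


if __name__ == "__main__":
    # On a real Windows host you would pass os.environ["SystemRoot"] instead of a fixture.
    print(find_mitglieder_artifacts(build_fixture(True)))
    print(find_mitglieder_artifacts(build_fixture(False)))
```

File names alone are a weak indicator; on a live system the hit should be confirmed by checking whether EXPLORER.EXE has the DLL loaded and by submitting the files for analysis rather than trusting the name match.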
The actions that the FM variant of Mitglieder takes on the computers it infects include:
– Preventing access to certain web pages, in particular those belonging to antivirus companies.
– Disabling system services related to several antivirus and security products.
– Deleting Windows registry editing tools.
Finally in today’s report we will look at Bagle.FN, a worm that sends a copy of the Mitglieder.FK Trojan to all addresses it collects from the compromised computer.
Bagle.FN spreads in an email message that tries to trick users into believing that the attachment is a computer program, an image, etc. It also spreads via the Internet, attacking IP addresses -obtained at random or from the infected computer’s network- either by exploiting a vulnerability or through an open port.
Bagle.FN tries to download several files from different websites in order to run them on the computer, and deletes Windows registry entries associated with other malware specimens.