
Virus Encyclopedia

Welcome to the Virus Encyclopedia of Panda Security.


Mitglieder.FK

Threat level: Moderate threat
Damage: High
Distribution: Not widespread

Effects 

Every four hours, Mitglieder.FK attempts to download a file by requesting a PHP script on any of the following web pages:

http://1st<blocked>orleans-hotels.com
http://202<blocked>2.38
http://209<blocked>128.203
http://25k<blocked>rg
http://65.<blocked>95.73
http://757<blocked>.ru
http://80.<blocked>33.41
http://abt<blocked>fety.com
http://ace<blocked>m.pl
http://ada<blocked>.net
http://ado<blocked>scanada.ca
http://adv<blocked>group.com
http://afr<blocked>ours.de
http://age<blocked>publicidadinternet.com
http://aha<blocked>fe24.com
http://aib<blocked>.org
http://aik<blocked>com
http://ala<blocked>.net
http://ale<blocked>ligi.ch
http://alf<blocked>sic.sk
http://all<blocked>i.it
http://all<blocked>com.au
http://ame<blocked>energyco.com
http://ame<blocked>meryka.com
http://ami<blocked>com
http://ana<blocked>yconsultoria.com
http://av2<blocked>omex.ru
http://cal<blocked>o.com
http://cco<blocked>madrid.org
http://cha<blocked>-truckerpage.de
http://dri<blocked>er.ru
http://ele<blocked>k.com
http://fur<blocked>ba.info
http://hom<blocked>0km.ru
http://kep<blocked>r.kz
http://lif<blocked>ks.de
http://mij<blocked>do.net
http://okl<blocked>o.jp
http://phr<blocked>.org
http://s89<blocked>edu.tw
http://sac<blocked>dark.net
http://sar<blocked>a.ru
http://tem<blocked>.nease.net
http://tkd<blocked>.net
http://vir<blocked>.kei.pl
http://wun<blocked>lampe.com
http://www.8in<blocked>lan.hu
http://www.a2z<blocked>tings.com
http://www.aba<blocked>tis.hu
http://www.ada<blocked>t-np.ru
http://www.agro<blocked>tyka.artneo.pl
http://www.ame<blocked>ising.com
http://www.aro<blocked>.com
http://www.bar<blocked>rwery.pl
http://www.bms<blocked>epot.com
http://www.etw<blocked>de.de
http://www.lea<blocked>co.il
http://www.OTT<blocked>IDE.de
http://www.rew<blocked>st.com
http://www.sta<blocked>kowalczyk.netstrefa.com
http://www.tim<blocked>ol.com.pl
http://www.ub<blocked>pl

Once a download succeeds, Mitglieder.FK saves the file under a random numeric name in the EXEFLD subfolder of the Windows directory and then runs it.
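The four-hourly fetch of a PHP script is the observable network behaviour of this Trojan. As an added example (not Panda's code), the following Python script flags that cadence in a web-proxy log: it groups requests to `.php` paths by client and destination host and reports pairs whose consecutive requests are spaced about four hours apart. The log lines, client addresses and host names are constructed for the example, because the real download hosts are redacted in this entry; the 300-second jitter tolerance and the minimum of three requests are assumptions.

```python
# Added example (not Panda's code): detect the four-hourly download attempts
# described in this entry from web-proxy logs.
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed sample lines: "ISO-timestamp client_ip host path status".
# Hosts and paths are invented; the real ones are redacted in the entry.
SAMPLE_PROXY_LOG = """\
2006-03-01T00:03:11 10.0.0.7 dl.example-blocked-1.test /script.php 404
2006-03-01T00:15:40 10.0.0.7 www.example-news.test /index.php 200
2006-03-01T04:03:12 10.0.0.7 dl.example-blocked-1.test /script.php 404
2006-03-01T08:03:10 10.0.0.7 dl.example-blocked-1.test /script.php 200
2006-03-01T09:41:02 10.0.0.7 www.example-news.test /index.php 200
2006-03-01T12:03:13 10.0.0.7 dl.example-blocked-1.test /script.php 200
2006-03-01T12:03:14 10.0.0.9 dl.example-blocked-1.test /script.php 404
2006-03-01T16:03:11 10.0.0.7 dl.example-blocked-1.test /script.php 200
"""

PERIOD_SECONDS = 4 * 3600   # "every four hours", per the encyclopedia entry
TOLERANCE_SECONDS = 300     # accepted jitter around that period (assumption)
MIN_HITS = 3                # at least two intervals before calling it periodic


def parse_log(text: str) -> Dict[Tuple[str, str], List[datetime]]:
    """Group request timestamps by (client, host), keeping only PHP requests."""
    groups: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, host, path, _status = line.split()
        # The Trojan fetches a PHP script; other paths are ignored here.
        if path.lower().endswith(".php"):
            groups[(client, host)].append(datetime.fromisoformat(ts))
    return groups


def is_periodic(times: List[datetime]) -> bool:
    """True when every gap between consecutive requests is about PERIOD_SECONDS."""
    if len(times) < MIN_HITS:
        return False
    times = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    return all(abs(g - PERIOD_SECONDS) <= TOLERANCE_SECONDS for g in gaps)


def find_beacons(text: str) -> List[Tuple[str, str, int]]:
    """Return (client, host, request_count) for PHP fetches on a four-hour cadence."""
    return sorted(
        (client, host, len(times))
        for (client, host), times in parse_log(text).items()
        if is_periodic(times)
    )


if __name__ == "__main__":
    for client, host, count in find_beacons(SAMPLE_PROXY_LOG):
        print(f"SUSPECT: {client} -> {host} ({count} PHP requests, ~4h apart)")
```

On the sample, only the 10.0.0.7 → dl.example-blocked-1.test pair is reported; the two visits to the news site are PHP requests too, but not on a cadence, and the single request from 10.0.0.9 is too little to judge. Note that the status code is deliberately not used: a 404 is consistent with the entry's wording ("attempts to download"), since many of the listed hosts will no longer serve the file. Because the DLL only runs inside EXPLORER.EXE, a reboot or logoff breaks the strict "every gap matches" rule, so on real logs a practitioner would typically relax `is_periodic` to require most gaps, not all, to match.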

Infection strategy 

Mitglieder.FK creates the following files in the Windows system directory:

  • HLOADER_EXE.EXE, which is a copy of the Trojan. When the computer is restarted, it drops the DLL described below.
  • HLEADER_DLL.DLL, which is 5,632 bytes in size. This DLL (Dynamic Link Library) is injected into the EXPLORER.EXE process and carries out the actions attributed to Mitglieder.FK.


Mitglieder.FK creates the following entries in the Windows Registry:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    Auto__hloader__key = %sysdir%\hloader_exe.exe
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    Auto__hloader__key = %sysdir%\hloader_exe.exe

    where %sysdir% is the Windows system directory.
    By creating these entries, Mitglieder.FK ensures that it is run whenever Windows is started.
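The dropped files and the two Run values are the host artifacts a responder would check for. As an added example (not Panda's code), the following Python script triages an exported registry fragment and a file listing, offline, against the indicators from the "Infection strategy" section above: the `Auto__hloader__key` Run value, the HLOADER_EXE.EXE and HLEADER_DLL.DLL file names, and a numerically named file under the EXEFLD subfolder of the Windows directory. The `.reg` text and the file paths are constructed samples; the benign Run entries in them are invented filler, and `C:\WINDOWS\system32` is assumed as the value of `%sysdir%`.

```python
# Added example (not Panda's code): triage a registry export and a file
# listing for the persistence artifacts this encyclopedia entry describes.
import re
from typing import Dict, List

# Constructed sample: fragment of a "reg export" of the two Run keys on an
# infected host. Only the value name and the hloader_exe.exe path come from
# the entry; the other Run values are invented benign filler.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"
"Auto__hloader__key"="C:\\WINDOWS\\system32\\hloader_exe.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="%windir%\\system32\\SecurityHealthSystray.exe"
"Auto__hloader__key"="C:\\WINDOWS\\system32\\hloader_exe.exe"
"""

# Constructed sample: recursive listing of the Windows directory on that host.
SAMPLE_FILE_LISTING = [
    r"C:\WINDOWS\explorer.exe",
    r"C:\WINDOWS\system32\kernel32.dll",
    r"C:\WINDOWS\system32\hloader_exe.exe",
    r"C:\WINDOWS\system32\hleader_dll.dll",
    r"C:\WINDOWS\EXEFLD\48213.exe",
    r"C:\WINDOWS\EXEFLD\7.exe",
]

# Indicators taken from the encyclopedia entry.
RUN_VALUE_NAME = "Auto__hloader__key"
DROPPED_FILES = {"hloader_exe.exe", "hleader_dll.dll"}
# The payload is saved under <Windows dir>\EXEFLD with a random numeric name.
# The entry does not state an extension, so any extension (or none) matches.
EXEFLD_PATTERN = re.compile(r"\\EXEFLD\\\d+(\.\w+)?$", re.IGNORECASE)


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the [key] / "name"="data" layout of a .reg export (REG_SZ only)."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None:
            m = re.match(r'"([^"]+)"="(.*)"$', line)
            if m:
                # .reg exports escape backslashes in string data as "\\".
                keys[current][m.group(1)] = m.group(2).replace("\\\\", "\\")
    return keys


def find_run_key_indicators(reg_text: str) -> List[str]:
    """Return 'key -> name = data' for Run values matching the Trojan's persistence."""
    hits = []
    for key, values in parse_reg_export(reg_text).items():
        if not key.lower().endswith(r"\currentversion\run"):
            continue
        for name, data in values.items():
            # Match on the value name or on the launched executable, since a
            # variant might change one but not the other.
            if name == RUN_VALUE_NAME or data.lower().endswith("\\hloader_exe.exe"):
                hits.append(f"{key} -> {name} = {data}")
    return hits


def find_file_indicators(paths: List[str]) -> List[str]:
    """Return paths whose name matches a dropped file or the EXEFLD payload layout."""
    hits = []
    for p in paths:
        base = p.rsplit("\\", 1)[-1].lower()
        if base in DROPPED_FILES or EXEFLD_PATTERN.search(p):
            hits.append(p)
    return hits


if __name__ == "__main__":
    for hit in find_run_key_indicators(SAMPLE_REG_EXPORT):
        print("SUSPECT registry:", hit)
    for hit in find_file_indicators(SAMPLE_FILE_LISTING):
        print("SUSPECT file:    ", hit)
```

Against the samples, both Run values and all four files are reported. Checking the HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER hives separately matters here because the Trojan writes the same value under both, so a cleanup that removes only one leaves the other to relaunch it at the next logon. File names alone are a weak indicator for a 9,728-byte dropper that can be renamed; on a live host, pair this with a hash or with the 5,632-byte DLL loaded inside EXPLORER.EXE.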

Means of transmission 

Mitglieder.FK reaches the computer by email: it is sent by the worm detected as Bagle.FN, in a message carrying any of the following attached files:

  • BUSINESS.ZIP
  • BUSINESS_DEALING.ZIP
  • HEALTH_AND_KNOWLEDGE.ZIP
  • INFO_PRICES.ZIP
  • MAX.ZIP
  • TEXT_SMS.ZIP
  • THE_NEW_PRICES.ZIP

Further Details  

Mitglieder.FK is written in Visual C++ 6.0 and is 9,728 bytes in size.