Description Published: Monday, March 06, 2006
Description Modified: Wednesday, March 08, 2006
Characteristics
Type: Trojan
Category: Win32
Also known as: Win32.Glieder.DE, Win32/Glieder.DG!Trojan, W32/Mitglieder.HT (F-Secure), Trojan-Dropper.Win32.Agent.akf (Kaspersky)

Win32/Glieder.DE is a trojan that downloads and executes arbitrary files from a long, hardcoded list of URLs. It has been distributed inside ZIP files via the eMule P2P network.
When executed, Win32/Glieder.DE creates a 12,288 byte file in the %Temp% directory using a generated temporary filename, for example:
%Temp%\_ex1.tmp.exe
Win32/Glieder.DE also displays a decoy dialog box prompting the user to 'Select a file to crack', so that the trojan passes for a software-cracking tool. If the user selects an 'exe' file, a message box is displayed.
When the file dropped to the %Temp% directory is executed, it drops and loads the following file:
%System%\ldr64.dll (size: 7,680 bytes)
It makes the following modifications to the registry to install "ldr64.dll" as a Winlogon Notification Package:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ldr64\Impersonate = 0x0
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ldr64\Asynchronous = 0x1
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ldr64\DllName = "ldr64.dll"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ldr64\Startup = "Startup"
Winlogon loads notification packages into winlogon.exe, which runs as LocalSystem, so the DLL is loaded before any user logs on and has no process of its own to show up in the task list. Impersonate = 0 keeps the handler in Winlogon's SYSTEM context rather than the logged-on user's, Asynchronous = 1 runs it on its own thread so Winlogon does not wait for it, and Startup = "Startup" names the exported function Winlogon calls at system startup. Windows Vista and later no longer load Winlogon notification packages, so this persistence method only works on NT-based systems up to Windows Server 2003.
Notes: '%System%' is a variable location. The malware determines the location of the current System folder by querying the operating system. The default installation location for the System directory for Windows 2000 and NT is C:\Winnt\System32; for Windows 95, 98 and ME it is C:\Windows\System; and for XP it is C:\Windows\System32. %Temp% is a variable location and refers to the directory designated for temporary files. The malware determines the location of the current Temp folder by querying the operating system. A typical path is "C:\Documents and Settings\<username>\Local Settings\Temp" or "C:\WINDOWS\TEMP".
Downloads and Executes Arbitrary Files
Glieder.DE attempts to download a file from each URL on its hardcoded list, which spans the following domains, pausing for one hour between attempts. If a download succeeds, it attempts to save the file as either %System%\edlm.exe or %System%\edlm2.exe and execute it.
ala-bg.net
alevibirligi.ch
alfaclassic.sk
allanconi.it
allinfo.com.au
americasenergyco.com
amerykaameryka.com
amistra.com
analisisyconsultoria.com
calamarco.com
eleceltek.com
www.americarising.com
www.bbrealservis.sk
www.befag.ru
www.benininfo.com
www.bennylife.com
www.bestcheapdomainregistration.info
www.bidsforbaby.com
www.binhaigolf.com
www.biotenk.com
www.bitsolution.ro
www.boldrussell.com
www.bronko-m.ru
www.bulkemaildirectmarketing.com
www.bulkemailservicenow.com
www.calidad.biz
www.cansew.ca
www.cansultdubai.ae
www.casaquecanta.com
www.casino-malibu.ru
www.chilotitomarino.cl
www.chinaculturedpearl.com
www.colin18.com
www.connectesl.com
www.khonkaenpoc.com
www.nmtltd.com
www.vnettools.com
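The hourly retry loop above is the behaviour most visible from the network side. The following script is an added example, not part of the original description or of any vendor tool: it matches proxy-log request hosts against the domain list above (treating the bare and www. forms as the same host) and, per client, checks whether the matching requests recur at the roughly one-hour cadence the trojan uses between download attempts. The log line format, the five-minute tolerance, and the sample lines (including their URL paths) are assumptions made for the example.

```python
"""Spot Glieder.DE download attempts in web proxy logs.

Added example, not part of the original description: matches request hosts
against the published domain list and flags clients whose hits recur at the
one-hour retry cadence. Log format, tolerance and sample lines are assumed.
"""
from datetime import datetime
from urllib.parse import urlsplit

# Domains from the description, as published.
IOC_DOMAINS = set("""
ala-bg.net alevibirligi.ch alfaclassic.sk allanconi.it allinfo.com.au
americasenergyco.com amerykaameryka.com amistra.com analisisyconsultoria.com
calamarco.com eleceltek.com www.americarising.com www.bbrealservis.sk
www.befag.ru www.benininfo.com www.bennylife.com
www.bestcheapdomainregistration.info www.bidsforbaby.com www.binhaigolf.com
www.biotenk.com www.bitsolution.ro www.boldrussell.com www.bronko-m.ru
www.bulkemaildirectmarketing.com www.bulkemailservicenow.com www.calidad.biz
www.cansew.ca www.cansultdubai.ae www.casaquecanta.com www.casino-malibu.ru
www.chilotitomarino.cl www.chinaculturedpearl.com www.colin18.com
www.connectesl.com www.khonkaenpoc.com www.nmtltd.com www.vnettools.com
""".split())


def normalize_host(host):
    """Lower-case a host name and drop a leading 'www.' so both forms match."""
    host = host.lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


IOC_NORMALIZED = {normalize_host(d) for d in IOC_DOMAINS}

# Constructed sample log, assumed format:
# "<ISO timestamp> <client IP> <method> <URL> <status>".
# Paths are invented; only the hosts come from the description.
SAMPLE_LOG = """\
2006-03-07T10:02:11 10.0.0.5 GET http://www.befag.ru/dl/a.bin 200
2006-03-07T10:15:40 10.0.0.7 GET http://www.example.com/index.html 200
2006-03-07T11:02:49 10.0.0.5 GET http://calamarco.com/files/x.bin 404
2006-03-07T11:30:05 10.0.0.9 GET http://www.colin18.com/u/b.bin 200
2006-03-07T12:03:20 10.0.0.5 GET http://www.nmtltd.com/c.bin 200
"""


def parse_line(line):
    """Return (timestamp, client, normalized host) for one assumed-format line."""
    ts, client, _method, url, _status = line.split()
    host = normalize_host(urlsplit(url).hostname or "")
    return datetime.fromisoformat(ts), client, host


def find_glieder_beacons(lines, period_min=60, tolerance_min=5, min_intervals=2):
    """Per client, count IOC hits and flag an hourly download-retry pattern.

    A client is flagged when at least `min_intervals` gaps between consecutive
    IOC hits fall within `tolerance_min` minutes of `period_min` (the tolerance
    is an assumption; the description only states a one-hour pause).
    """
    hits_by_client = {}
    for line in lines:
        if not line.strip():
            continue
        ts, client, host = parse_line(line)
        if host in IOC_NORMALIZED:
            hits_by_client.setdefault(client, []).append((ts, host))

    report = {}
    for client, hits in hits_by_client.items():
        hits.sort()
        gaps = [(later - earlier).total_seconds() / 60
                for (earlier, _), (later, _) in zip(hits, hits[1:])]
        hourly = sum(abs(g - period_min) <= tolerance_min for g in gaps) >= min_intervals
        report[client] = {
            "hits": len(hits),
            "hosts": sorted({h for _, h in hits}),
            "hourly_beacon": hourly,
        }
    return report


if __name__ == "__main__":
    for client, info in find_glieder_beacons(SAMPLE_LOG.splitlines()).items():
        print(client, info)
```

On the sample, 10.0.0.5 is reported with three hits roughly sixty minutes apart and flagged as an hourly beacon; 10.0.0.9 has a single hit and is listed but not flagged; 10.0.0.7 never touches a listed domain and does not appear. Because the retry runs from a Winlogon-hosted DLL, the beaconing continues with no user logged on, so a client that keeps hitting these domains outside working hours is a stronger signal than the same hits during the day.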
Glieder.DE uses the following registry values, stored under its own Notify subkey, to record the outcome and timing of attempted downloads:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ldr64\LdCount
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ldr64\prevt
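Everything the trojan leaves in the registry, both the Winlogon Notification Package installation and the LdCount/prevt download-state values, sits under one Notify subkey, so a single pass over that key is enough to triage a machine. The script below is an added example, not part of the original description: it parses a .reg export of the Notify key (as written by regedit /e or recovered from an offline hive), lists every notification package, and flags any whose DllName is outside a baseline of DLLs present on a clean Windows XP install. The baseline, the sample export, and the data and types given for LdCount and prevt are assumptions for illustration; the description does not document their format, and the baseline should be rebuilt from a known-good image of the build you are examining.

```python
"""Triage Winlogon notification packages in a .reg export.

Added example, not part of the original description: parses the text regedit
writes for HKLM\\...\\Winlogon\\Notify, lists every package, and flags any
whose DllName is outside an assumed clean-XP baseline.
"""
import re

NOTIFY_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT"
              r"\CurrentVersion\Winlogon\Notify")

# Assumed baseline (Windows XP SP2); not from the description.
BASELINE_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll",
                 "sclgntfy.dll", "wlnotify.dll"}

# Constructed sample export. SensLogn is a stock XP package with its
# REG_EXPAND_SZ DllName written as hex(2) UTF-16LE, the way regedit exports
# it; ldr64 carries the values from the description. The LdCount/prevt data
# and types are invented, since the description does not give them.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"Asynchronous"=dword:00000001
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Lock"="SensLockEvent"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ldr64]
"Asynchronous"=dword:00000001
"DllName"="ldr64.dll"
"Impersonate"=dword:00000000
"Startup"="Startup"
"LdCount"=dword:00000002
"prevt"=dword:44097c10
"""


def _decode_value(raw):
    """Decode one .reg data literal: quoted string, dword:, or hex(2): (UTF-16LE)."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if raw.startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    if raw.startswith("hex(2):"):
        data = bytes(int(b, 16) for b in raw[len("hex(2):"):].split(",") if b)
        return data.decode("utf-16-le").rstrip("\x00")
    return raw  # other types are left as their literal text


def parse_reg(text):
    """Return {key path: {value name: data}} for a .reg export."""
    # regedit wraps long hex data with a trailing backslash; join those lines.
    text = re.sub(r",\\\r?\n\s*", ",", text)
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            name, _, raw = line.partition("=")
            keys[current][name.strip('"')] = _decode_value(raw)
    return keys


def triage_notify_packages(text, baseline=BASELINE_DLLS):
    """Describe each Notify package; 'suspicious' means DllName is off-baseline."""
    findings = []
    prefix = NOTIFY_KEY.lower() + "\\"
    for path, values in parse_reg(text).items():
        if not path.lower().startswith(prefix):
            continue
        dll = str(values.get("DllName", "")).lower()
        findings.append({
            "package": path[len(prefix):],
            "dll": dll,
            "suspicious": dll not in baseline,
            # 1 = handler runs on its own thread; 0 = Winlogon waits for it.
            "asynchronous": values.get("Asynchronous"),
            # 0 = handler runs as LocalSystem rather than the logged-on user.
            "impersonate": values.get("Impersonate"),
            # Event value names (Startup, Lock, ...) name exported handlers.
            "events": {k: v for k, v in values.items()
                       if k != "DllName" and isinstance(v, str)},
            # Any other DWORDs are state the package keeps for itself.
            "state": {k: v for k, v in values.items()
                      if k not in ("Asynchronous", "Impersonate")
                      and isinstance(v, int)},
        })
    return findings


if __name__ == "__main__":
    for pkg in triage_notify_packages(SAMPLE_REG):
        flag = "SUSPICIOUS" if pkg["suspicious"] else "baseline"
        print(f"{pkg['package']}: {pkg['dll']} [{flag}] "
              f"events={pkg['events']} state={pkg['state']}")
```

On the sample export, SensLogn resolves to wlnotify.dll and passes, while ldr64 is flagged with a Startup handler and the two extra DWORDs the trojan uses for its download bookkeeping. A DllName given as a bare file name, as here, is resolved through the normal DLL search path from winlogon.exe, which is why the file lands in %System%; when triaging a live system, also confirm that the file the entry points to actually exists and check its size against the 7,680 bytes reported above.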