Need help? Ask the community or hire an expert.
Go to Avira Answers
Date discovered:13/12/2012
In the wild:No
Reported Infections:Low
Distribution Potential:Low
Damage Potential:Medium
Static file:Yes
File size:9.056 Bytes
MD5 checksum:14c6230994fc57492f56182592cd255b
VDF version:

 General Aliases:
   •  Kaspersky: Trojan-Proxy.Win32.Mitglieder.dq
   •  VirusBuster: Trojan.DL.Agent.ST
   •  Bitdefender: Trojan.Proxy.Mitglieder.DQ

Platforms / OS:
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP

Side effects:
   • Drops a file
   • Registry modification
   • Steals information

 Files It copies itself to the following locations:
   • %SYSDIR%\msnethlp32.exe
   • %SYSDIR%\msnethlp32.dll

The following file is created:


 Backdoor The following ports are opened:

%WINDIR%\explorer.exe on a random TCP port in order to provide a proxy server.
%WINDIR%\explorer.exe on a random TCP port in order to provide a proxy server.

Contact server:
One of the following:
   • www.manwithn**********
   • www.shivaspace**********
   • www.trymyg**********.com/cgi-bin/get.cgi

As a result it may send some information. This is done via the HTTP GET request on a CGI script.

Sends information about:
    • Internet connection type
    • Current malware status
    • Information about the network
    • Opened port
    • Platform ID
    • System time
    • Information about the Windows operating system

 Injection – It injects itself as a remote thread into a process.

    Process name:
   • explorer.exe

 Miscellaneous Internet connection:
In order to check for its internet connection the following DNS servers are contacted:

 File details Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with the following runtime packer:
   • FSG 1.3

Description inserted by Victor Tone on Monday, August 15, 2005
Description updated by Victor Tone on Friday, August 26, 2005

Back . . . .