McAfee > Theat Center > Virus Detail Page

Overview

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

-- Update October 21, 2008 --

The 5410 DAT files that correct this issue have been released. 

-- Update October 20, 2008 --

The 5409 DAT files contain an incorrect identification on PWS-LegMir. McAfee Avert Labs have released DAT 5410  to correct this issue. The false detection is being seen on the following file:

• conime.exe - Windows Vista console IME (MD5: F96EBC5A624349D81DCC7600A3C5DC43)

Aliases

• PWS-LegMir.gen

• PWS-LegMir.gen.b

Characteristics

-- Update July 08, 2011 --

File Information -

• MD5 - 570B34C874D7C462DF4C9DBD01D0D3DA
• SHA - 4932C5DECD00AF3EB14979CB58D0A706FBF6B71C

Aliases -

• Kaspersky - Packed.Win32.Klone.bq
• NOD32 - a variant of Win32/AutoRun.PSW.OnlineGames.BL
• Symantec - Infostealer.Lineage
• Microsoft - PWS:Win32/Frethog.gen!H

Upon execution the Trojan injects itself with IExplore.exe and connects to the site bai[removed].com through a remote port 80.

When executed the Trojan copies itself into the following location.

• %Temp%\rbking.exe
• %SystemDrive%\eid39.exe

And drops following file.

• %Temp%\rbking0.dll

And also drops autorun.inf file into the root of all removable drivers and mapped drives in an attempt to autorun an executable when the drive is accesed.

The file "AutoRun.inf" is pointing to the malware binary executable. When the removable or networked drive is accessed from a machine supporting the Autorun feature, the malware is launched automatically.

The autorun.inf is configured to launch the trojan file via the following command syntax.

• [AutoRun]
• open=eid39.exe
• shell\open\Command=eid39.exe

The following registry key has been added to the system.

• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DownloadManager

The following registry value has been added.

• [HKEY_USERS\S-1-5-[varies]\Software\Microsoft\Windows\CurrentVersion\Run]
  king_rb = "%Temp%\rbking.exe"

The above mentioned registry ensures that, the Trojan registers run entry with the compromised system and execute itself upon every boot.

The following registry value has been modified.

• [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
  CheckedValue = 0x00000001
  CheckedValue = 0x00000000
• [HKEY_USERS\S-1-5-[varies]\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
  Hidden = 0x00000001
  Hidden = 0x00000002

The above registry entries have been added to hide the malware binary from the compromised user

[Note: %Temp% is C:\Documents and Settings\Administrator\Local Settings\Temp\ and %SystemDrive% is the drive where the Operating System is installed, in most cases it will be C:\]

---------------------------------------

-- Update January 27, 2011 --

File Information

• MD5  -  1A58D82FE73FB4E9DE10FACB0EF22881
• SHA  - 71B949ACEBB15DA95057B3F9FBC1BE4CAC461B69

Aliases

• Kaspersky - Virus.Win32.VB.bu
• NOD32     - Win32/VB.NHZ
• Symantec   - Infostealer.Lineage
• Microsoft  - Virus:Win32/Bacalid.B

Upon execution the Trojan injects itself with IExplore.exe and connects to the site www.o[Removed]ev.com through a remote port 80.

When executed the Trojan copies itself into the following location:

• %Windir%\system32\explorer.exe

And drops following file:

• %Temp%\VGod.DLL

And also drops autorun.inf file into the root of all removable drivers and mapped drives in an attempt to autorun an executable when the drive is accesed.

The file "AutoRun.inf" is pointing to the malware binary executable. When the removable or networked drive is accessed from a machine supporting the Autorun feature, the malware is launched automatically.

The autorun.inf is configured to launch the trojan file via the following command syntax.

• AutoRun.inf
• [autorun]
• OPEN=EXPLORER.EXE
• shell\open=
• shell\open\Command=EXPLORER.EXE
• shell\open\Default=1
• shell\explore=
• shell\explore\Command=EXPLORER.EXE

The following registry key has been added to the system.

• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers

The following registry value has been added.

• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers\C:\WINDOWS\explorer.exe: "EnableNXShowUI"

The below mentioned registry ensures that, the Trojan registers run entry with the compromised system and execute itself upon every boot.

• [HKEY_CURRENT_USER\S-1-(Varies)\Software\Microsoft\Windows\CurrentVersion\Run\]
  “[Random_name]” = "userinit.exe,EXPLORER.EXE"

[%UserProfile% is c:\Documents and Settings\Administrator\, %Temp% is C:\Documents and Settings\Administrator\Local Settings\Temp\ and %SystemDrive% is the drive where the Operating System is installed, in most cases it will be C:\]

-------------------------------------------------------------------------------------------

-- Update October 21, 2008 --

The 5410 DAT files that correct this issue have been released.

-- Update October 20, 2008 --

The 5409 DAT files contain an incorrect identification on PWS-LegMir. McAfee Avert Labs have released DAT 5410  to correct this issue. The false detection is being seen on the following file:

• conime.exe - Windows Vista console IME (MD5: F96EBC5A624349D81DCC7600A3C5DC43)

----

This detection is generic, and designed to cover many similar password-stealing trojans. This includes trojans written in multiple HLLs, including MSVC, MSVB and Delphi.

Users are recommended to use the latest engine/DATs combination for optimal detection, and ensure the scanning of compressed files is enabled.

These password stealing trojans are typically designed to steal passwords from various different sources, as well as information for the "Legend of Mir" game if it is has been installed on the victim machine. It mails this information to the trojan author at various email addresses.  Since there are many variants of this trojan, this description is a general guide.

When run, the trojan installs itself on the victim machine, typically in %WinDir% or %SysDir%, using varying filenames. For example:

C:\WINDOWS\SYSTEM\TASKMON.EXE

To hook system startup, a Registry key is added, pointing to the installed file(s). For example:

HKEY_CURRENT_USER\Software\Microsoft\Windows\_
CurrentVersion\Run "TaskMontor" =
C:\WINDOWS\SYSTEM\taskmon.exe

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\_
CurrentVersion\Run "TaskMontor" =
C:\WINDOWS\SYSTEM\taskmon.exe

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\_
CurrentVersion\RunServices "TaskMontor" = C:\WINDOWS\SYSTEM\taskmon.exe

Symptoms

Exact symptoms will vary between variants. However, the presence of unexpected files in %WinDir% or %SysDir%, coupled with Registry hooks pointing to them is a typical suggestion of some torjan installation (Note: some legitimate files will be started via Registry hooks).

Method of Infection

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, etc.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

But in some particular cases, the following steps need to be taken.

Please go to the Microsoft Recovery Console and restore a clean MBR.

On Windows XP:

• Insert the Windows XP CD into the CD-ROM drive and restart the computer.
• When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
• Select the Windows installation that is compromised and provide the administrator password.
• Issue 'fixmbr' command to restore the Master Boot Record
• Follow onscreen instructions.
• Reset and remove the CD from CD-ROM drive.

On Windows Vista and 7:

• Insert the Windows CD into the CD-ROM drive and restart the computer.
• Click on "Repair Your Computer".
• When the System Recovery Options dialog comes up, choose the Command Prompt.
• Issue 'bootrec /fixmbr' command to restore the Master Boot Record.
• Follow onscreen instructions.
• Reset and remove the CD from CD-ROM drive.

Variants

Variants

N/A

All Information

Overview -

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

-- Update October 21, 2008 --

The 5410 DAT files that correct this issue have been released. 

-- Update October 20, 2008 --

The 5409 DAT files contain an incorrect identification on PWS-LegMir. McAfee Avert Labs have released DAT 5410  to correct this issue. The false detection is being seen on the following file:

• conime.exe - Windows Vista console IME (MD5: F96EBC5A624349D81DCC7600A3C5DC43)

Aliases

• PWS-LegMir.gen

• PWS-LegMir.gen.b

Characteristics

Characteristics -

-- Update July 08, 2011 --

File Information -

• MD5 - 570B34C874D7C462DF4C9DBD01D0D3DA
• SHA - 4932C5DECD00AF3EB14979CB58D0A706FBF6B71C

Aliases -

• Kaspersky - Packed.Win32.Klone.bq
• NOD32 - a variant of Win32/AutoRun.PSW.OnlineGames.BL
• Symantec - Infostealer.Lineage
• Microsoft - PWS:Win32/Frethog.gen!H

Upon execution the Trojan injects itself with IExplore.exe and connects to the site bai[removed].com through a remote port 80.

When executed the Trojan copies itself into the following location.

• %Temp%\rbking.exe
• %SystemDrive%\eid39.exe

And drops following file.

• %Temp%\rbking0.dll

And also drops autorun.inf file into the root of all removable drivers and mapped drives in an attempt to autorun an executable when the drive is accesed.

The file "AutoRun.inf" is pointing to the malware binary executable. When the removable or networked drive is accessed from a machine supporting the Autorun feature, the malware is launched automatically.

The autorun.inf is configured to launch the trojan file via the following command syntax.

• [AutoRun]
• open=eid39.exe
• shell\open\Command=eid39.exe

The following registry key has been added to the system.

• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DownloadManager

The following registry value has been added.

• [HKEY_USERS\S-1-5-[varies]\Software\Microsoft\Windows\CurrentVersion\Run]
  king_rb = "%Temp%\rbking.exe"

The above mentioned registry ensures that, the Trojan registers run entry with the compromised system and execute itself upon every boot.

The following registry value has been modified.

• [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
  CheckedValue = 0x00000001
  CheckedValue = 0x00000000
• [HKEY_USERS\S-1-5-[varies]\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
  Hidden = 0x00000001
  Hidden = 0x00000002

The above registry entries have been added to hide the malware binary from the compromised user

[Note: %Temp% is C:\Documents and Settings\Administrator\Local Settings\Temp\ and %SystemDrive% is the drive where the Operating System is installed, in most cases it will be C:\]

---------------------------------------

-- Update January 27, 2011 --

File Information

• MD5  -  1A58D82FE73FB4E9DE10FACB0EF22881
• SHA  - 71B949ACEBB15DA95057B3F9FBC1BE4CAC461B69

Aliases

• Kaspersky - Virus.Win32.VB.bu
• NOD32     - Win32/VB.NHZ
• Symantec   - Infostealer.Lineage
• Microsoft  - Virus:Win32/Bacalid.B

Upon execution the Trojan injects itself with IExplore.exe and connects to the site www.o[Removed]ev.com through a remote port 80.

When executed the Trojan copies itself into the following location:

• %Windir%\system32\explorer.exe

And drops following file:

• %Temp%\VGod.DLL

And also drops autorun.inf file into the root of all removable drivers and mapped drives in an attempt to autorun an executable when the drive is accesed.

The file "AutoRun.inf" is pointing to the malware binary executable. When the removable or networked drive is accessed from a machine supporting the Autorun feature, the malware is launched automatically.

The autorun.inf is configured to launch the trojan file via the following command syntax.

• AutoRun.inf
• [autorun]
• OPEN=EXPLORER.EXE
• shell\open=
• shell\open\Command=EXPLORER.EXE
• shell\open\Default=1
• shell\explore=
• shell\explore\Command=EXPLORER.EXE

The following registry key has been added to the system.

• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers

The following registry value has been added.

• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers\C:\WINDOWS\explorer.exe: "EnableNXShowUI"

The below mentioned registry ensures that, the Trojan registers run entry with the compromised system and execute itself upon every boot.

• [HKEY_CURRENT_USER\S-1-(Varies)\Software\Microsoft\Windows\CurrentVersion\Run\]
  “[Random_name]” = "userinit.exe,EXPLORER.EXE"

[%UserProfile% is c:\Documents and Settings\Administrator\, %Temp% is C:\Documents and Settings\Administrator\Local Settings\Temp\ and %SystemDrive% is the drive where the Operating System is installed, in most cases it will be C:\]

-------------------------------------------------------------------------------------------

-- Update October 21, 2008 --

The 5410 DAT files that correct this issue have been released.

-- Update October 20, 2008 --

The 5409 DAT files contain an incorrect identification on PWS-LegMir. McAfee Avert Labs have released DAT 5410  to correct this issue. The false detection is being seen on the following file:

• conime.exe - Windows Vista console IME (MD5: F96EBC5A624349D81DCC7600A3C5DC43)

----

This detection is generic, and designed to cover many similar password-stealing trojans. This includes trojans written in multiple HLLs, including MSVC, MSVB and Delphi.

Users are recommended to use the latest engine/DATs combination for optimal detection, and ensure the scanning of compressed files is enabled.

These password stealing trojans are typically designed to steal passwords from various different sources, as well as information for the "Legend of Mir" game if it is has been installed on the victim machine. It mails this information to the trojan author at various email addresses.  Since there are many variants of this trojan, this description is a general guide.

When run, the trojan installs itself on the victim machine, typically in %WinDir% or %SysDir%, using varying filenames. For example:

C:\WINDOWS\SYSTEM\TASKMON.EXE

To hook system startup, a Registry key is added, pointing to the installed file(s). For example:

HKEY_CURRENT_USER\Software\Microsoft\Windows\_
CurrentVersion\Run "TaskMontor" =
C:\WINDOWS\SYSTEM\taskmon.exe

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\_
CurrentVersion\Run "TaskMontor" =
C:\WINDOWS\SYSTEM\taskmon.exe

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\_
CurrentVersion\RunServices "TaskMontor" = C:\WINDOWS\SYSTEM\taskmon.exe

Symptoms

Symptoms -

Exact symptoms will vary between variants. However, the presence of unexpected files in %WinDir% or %SysDir%, coupled with Registry hooks pointing to them is a typical suggestion of some torjan installation (Note: some legitimate files will be started via Registry hooks).

Method of Infection

Method of Infection -

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, etc.

Removal -

Removal -

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

But in some particular cases, the following steps need to be taken.

Please go to the Microsoft Recovery Console and restore a clean MBR.

On Windows XP:

• Insert the Windows XP CD into the CD-ROM drive and restart the computer.
• When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
• Select the Windows installation that is compromised and provide the administrator password.
• Issue 'fixmbr' command to restore the Master Boot Record
• Follow onscreen instructions.
• Reset and remove the CD from CD-ROM drive.

On Windows Vista and 7:

• Insert the Windows CD into the CD-ROM drive and restart the computer.
• Click on "Repair Your Computer".
• When the System Recovery Options dialog comes up, choose the Command Prompt.
• Issue 'bootrec /fixmbr' command to restore the Master Boot Record.
• Follow onscreen instructions.
• Reset and remove the CD from CD-ROM drive.

Variants

Variants -

N/A