McAfee > Theat Center > Virus Detail Page

Overview

This detection is generic, and is intended to cover many similar password-stealing trojans targeting the game "Legend of Mir".
It includes trojans written in multiple high level languages including Microsoft VC, Microsoft VB and Delphi.

Users are recommended to use the latest engine/DATs combination for optimal detection, and ensure the scanning of compressed files is enabled.

Aliases:

• Trojan-PSW.Win32.Lmir.azv  (Kaspersky)
• Trojan.PWS.Legmir.531  (Doctor Web)
• W32/Legmir.UK!tr  (Fortinet)
• Trj/Legmir.AAS  (Panda)
• TSPY_LEGMIR.UK  (Trend)

Characteristics

These password stealing trojans are typically designed to steal information for the "Legend of Mir" game if it is installed on the victim machine, as well as passwords from various different sources. It e-mails this information to the trojan author at various email addresses.  Since there are many variants of this trojan, this description is a general guide.

Upon execution, the trojan installs itself on the victim machine, typically in %WinDir% or %SysDir% , using varying filenames.

They may also add registry entries for running at system startup, for example:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
"AppInit_DLLs" = [path to the dll]

It injects itself into running processes and attempts to kill popular security related processes, like

• tcpview.exe
• sniffer.exe
• cports.exe
• ethereal.exe
• icesword.exe  etc.

The trojan searches the infected system for password information of game "Legend of Mir" and transmits it back to the author typically via http or email.

Symptoms

Exact symptoms will vary between variants. However, the presence of unexpected files in %WinDir% or %SysDir%, coupled with Registry hooks pointing to them is a typical suggestion of some torjan installation (Note: some legitimate files will also be started via Registry hooks).

Method of Infection

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, etc.

Removal

All Users:

Please use the following instructions for all supported versions of Windows to remove threats and other potential risks:

1.Disable System Restore (Windows ME/XP only).

2.Update to current engine and DAT files for detection and removal.

3.Run a complete system scan.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

General repair may be unsuccessful in some instances. If this occurs, please submit a sample for further evaluation.

Variants

Variants

N/A

All Information

Overview -

This detection is generic, and is intended to cover many similar password-stealing trojans targeting the game "Legend of Mir".
It includes trojans written in multiple high level languages including Microsoft VC, Microsoft VB and Delphi.

Users are recommended to use the latest engine/DATs combination for optimal detection, and ensure the scanning of compressed files is enabled.

Aliases:

• Trojan-PSW.Win32.Lmir.azv  (Kaspersky)
• Trojan.PWS.Legmir.531  (Doctor Web)
• W32/Legmir.UK!tr  (Fortinet)
• Trj/Legmir.AAS  (Panda)
• TSPY_LEGMIR.UK  (Trend)

Characteristics

Characteristics -

These password stealing trojans are typically designed to steal information for the "Legend of Mir" game if it is installed on the victim machine, as well as passwords from various different sources. It e-mails this information to the trojan author at various email addresses.  Since there are many variants of this trojan, this description is a general guide.

Upon execution, the trojan installs itself on the victim machine, typically in %WinDir% or %SysDir% , using varying filenames.

They may also add registry entries for running at system startup, for example:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
"AppInit_DLLs" = [path to the dll]

It injects itself into running processes and attempts to kill popular security related processes, like

• tcpview.exe
• sniffer.exe
• cports.exe
• ethereal.exe
• icesword.exe  etc.

The trojan searches the infected system for password information of game "Legend of Mir" and transmits it back to the author typically via http or email.

Symptoms

Symptoms -

Exact symptoms will vary between variants. However, the presence of unexpected files in %WinDir% or %SysDir%, coupled with Registry hooks pointing to them is a typical suggestion of some torjan installation (Note: some legitimate files will also be started via Registry hooks).

Method of Infection

Method of Infection -

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, etc.

Removal -

Removal -

All Users:

Please use the following instructions for all supported versions of Windows to remove threats and other potential risks:

1.Disable System Restore (Windows ME/XP only).

2.Update to current engine and DAT files for detection and removal.

3.Run a complete system scan.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

General repair may be unsuccessful in some instances. If this occurs, please submit a sample for further evaluation.

Variants

Variants -

N/A