McAfee > Theat Center > Virus Detail Page

Overview

This detection is generic, and is intended to cover many similar password-stealing trojans targeting the game "Legend of Mir".
It includes trojans written in multiple high level languages including Microsoft VC, Microsoft VB and Delphi.

Users are recommended to use the latest engine/DATs combination for optimal detection, and ensure the scanning of compressed files is enabled.

Aliases:

• Trojan-PSW.Win32.Lmir.azv  (Kaspersky)
• Trojan.PWS.Legmir.531  (Doctor Web)
• W32/Legmir.UK!tr  (Fortinet)
• Trj/Legmir.AAS  (Panda)
• TSPY_LEGMIR.UK  (Trend)

Characteristics

These password stealing trojans are typically designed to steal information for the "Legend of Mir" game if it is installed on the victim machine, as well as passwords from various different sources. It e-mails this information to the trojan author at various email addresses.  Since there are many variants of this trojan, this description is a general guide.

Upon execution, the trojan installs itself on the victim machine, typically in %WinDir% or %SysDir% , using varying filenames.

They may also add registry entries for running at system startup, for example:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
"AppInit_DLLs" = [path to the dll]

It injects itself into running processes and attempts to kill popular security related processes, like

• tcpview.exe
• sniffer.exe
• cports.exe
• ethereal.exe
• icesword.exe  etc.

The trojan searches the infected system for password information of game "Legend of Mir" and transmits it back to the author typically via http or email.

Symptoms

Exact symptoms will vary between variants. However, the presence of unexpected files in %WinDir% or %SysDir%, coupled with Registry hooks pointing to them is a typical suggestion of some torjan installation (Note: some legitimate files will also be started via Registry hooks).

Method of Infection

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, etc.

Removal

AVERT recommends to always use latest DATs and engine. This threat will be cleaned if you have this combination.

Additional Windows ME/XP removal considerations

Variants

Variants

N/A

All Information

Overview -

This detection is generic, and is intended to cover many similar password-stealing trojans targeting the game "Legend of Mir".
It includes trojans written in multiple high level languages including Microsoft VC, Microsoft VB and Delphi.

Users are recommended to use the latest engine/DATs combination for optimal detection, and ensure the scanning of compressed files is enabled.

Aliases:

• Trojan-PSW.Win32.Lmir.azv  (Kaspersky)
• Trojan.PWS.Legmir.531  (Doctor Web)
• W32/Legmir.UK!tr  (Fortinet)
• Trj/Legmir.AAS  (Panda)
• TSPY_LEGMIR.UK  (Trend)

Characteristics

Characteristics -

These password stealing trojans are typically designed to steal information for the "Legend of Mir" game if it is installed on the victim machine, as well as passwords from various different sources. It e-mails this information to the trojan author at various email addresses.  Since there are many variants of this trojan, this description is a general guide.

Upon execution, the trojan installs itself on the victim machine, typically in %WinDir% or %SysDir% , using varying filenames.

They may also add registry entries for running at system startup, for example:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
"AppInit_DLLs" = [path to the dll]

It injects itself into running processes and attempts to kill popular security related processes, like

• tcpview.exe
• sniffer.exe
• cports.exe
• ethereal.exe
• icesword.exe  etc.

The trojan searches the infected system for password information of game "Legend of Mir" and transmits it back to the author typically via http or email.

Symptoms

Symptoms -

Exact symptoms will vary between variants. However, the presence of unexpected files in %WinDir% or %SysDir%, coupled with Registry hooks pointing to them is a typical suggestion of some torjan installation (Note: some legitimate files will also be started via Registry hooks).

Method of Infection

Method of Infection -

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, etc.

Removal -

Removal -

AVERT recommends to always use latest DATs and engine. This threat will be cleaned if you have this combination.

Additional Windows ME/XP removal considerations

Variants

Variants -

N/A