PWS-Lineage

Type: Trojan
SubType: Password Stealer
Discovery Date: 02/09/2005
Length: Varies
Minimum DAT: 4416 (12/22/2004)
Updated DAT: 5297 (05/16/2008)
Minimum Engine: 5.1.00
Description Added: 12/22/2004
Description Modified: 09/05/2006 5:01 AM (PT)

Risk Assessment
Corporate User: Low
Home User: Low

Characteristics

-- Update September 5th, 2006 --

Recent variants of this threat install a kernel rootkit driver detected as NTRootKit-U and inject code into svchost.exe. They may also download further malware, detected as PWS-LegMir. One or more of the following files are installed:

  • %Windir%\System32\ravadm.exe (PWS-Lineage)
  • %Windir%\System32\wdm.exe (PWS-Lineage)
  • %Windir%\System32\ravld.sys (NTRootKit-U)
  • %Windir%\System32\ksld.sys (NTRootKit-U)

These variants may contact the following domain to download further malware:

  • 13511.com

They may also steal passwords for other games and applications, including "QQ Games" and "Legend of Mir".

-----

This trojan steals account credentials for the online game "Lineage II" from the victim's machine. Several variants exist; this description is a general guide, and newer variants require the latest DAT files for detection and cleaning.

When run, it copies itself into the Windows system directory, typically "C:\WINDOWS\System32".

It also drops a DLL into the same directory. This DLL monitors keystrokes and mouse movements and is detected as "PWS-Lineage.dll".

To run at startup, it adds a value under the following registry key (the value name varies between variants):

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

The trojan then watches for the user logging on to "Lineage II", captures the account information, and sends it to the author over HTTP or SMTP.
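As an added example (not part of the original McAfee description), the following PowerShell script sweeps a host for the indicators named on this page: the dropped executables and rootkit drivers in %Windir%\System32, a driver service backed by one of the listed .sys files, Run-key values that launch either a listed file or an unsigned binary from System32, and cached DNS entries for 13511.com. The file names, the HKLM Run key and the domain come from the page; checking the HKCU Run key, the Authenticode test on other System32 targets, and the DNS-cache check are assumed generalizations. The script cannot see code injected into svchost.exe, and a loaded kernel rootkit can hide files from it, so a clean result obtained inside the infected OS is not conclusive.

```powershell
# Added example: host sweep for the PWS-Lineage / NTRootKit-U indicators named on this page.
# Assumption: run in an elevated PowerShell session on the suspect host. Not McAfee code.

$System32 = Join-Path $env:WINDIR 'System32'

# File indicators from the description (names only; the page gives no hashes).
$DroppedFiles = @('ravadm.exe', 'wdm.exe', 'ravld.sys', 'ksld.sys')

# Persistence location from the description. HKCU is an assumed extension, since the
# same Run mechanism exists per user.
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
# Provider metadata that Get-ItemProperty adds alongside the real registry values.
$MetaProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

# Download domain from the description.
$Domain = '13511.com'

$Findings = New-Object System.Collections.Generic.List[string]

# 1. Dropped executables and drivers in the system directory.
foreach ($name in $DroppedFiles) {
    $path = Join-Path $System32 $name
    if (Test-Path -LiteralPath $path) {
        $Findings.Add("File present: $path")
    }
}

# 2. Driver services backed by the listed .sys files (NTRootKit-U loads as a kernel driver).
Get-CimInstance Win32_SystemDriver |
    Where-Object { $_.PathName -and ($_.PathName -match 'ravld\.sys|ksld\.sys') } |
    ForEach-Object { $Findings.Add("Driver service '$($_.Name)' -> $($_.PathName) (state: $($_.State))") }

# Resolve the executable path out of a Run value such as  "C:\x y\a.exe" /q  or  C:\x\a.exe /q
function Get-RunTarget([string]$command) {
    $cmd = $command.Trim()
    if ($cmd -eq '') { return '' }
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 1) { return $cmd.Substring(1, $end - 1) }
    }
    # Unquoted: grow the token prefix until it names an existing file (handles spaces in paths).
    $tokens = $cmd -split ' '
    for ($i = 1; $i -le $tokens.Count; $i++) {
        $candidate = ($tokens[0..($i - 1)] -join ' ')
        if (Test-Path -LiteralPath $candidate -PathType Leaf) { return $candidate }
    }
    return $tokens[0]
}

# 3. Run-key values that start a listed file, or any unsigned binary, from System32. The page
#    gives no value name, so every value under the key is inspected rather than one fixed name.
foreach ($key in $RunKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($MetaProps -contains $p.Name) { continue }
        $target = Get-RunTarget ([string]$p.Value)
        if (-not $target) { continue }
        if ($DroppedFiles -contains (Split-Path -Leaf $target)) {
            $Findings.Add("Run value '$($p.Name)' in $key launches listed file: $target")
        }
        elseif (($target -like "$System32\*") -and (Test-Path -LiteralPath $target)) {
            $sig = Get-AuthenticodeSignature -FilePath $target
            if ($sig.Status -ne 'Valid') {
                $Findings.Add("Run value '$($p.Name)' in $key launches unsigned System32 binary: $target ($($sig.Status))")
            }
        }
    }
}

# 4. Recent resolution of the download domain (Get-DnsClientCache needs Windows 8 / Server 2012 or later).
if (Get-Command Get-DnsClientCache -ErrorAction SilentlyContinue) {
    Get-DnsClientCache |
        Where-Object { $_.Entry -like "*$Domain" -or $_.RecordName -like "*$Domain" } |
        ForEach-Object { $Findings.Add("DNS cache entry: $($_.Entry) -> $($_.Data)") }
}

if ($Findings.Count -eq 0) {
    Write-Output 'No PWS-Lineage indicators found (a loaded rootkit can hide files from this view).'
} else {
    $Findings | ForEach-Object { Write-Output $_ }
}
```

Run it from an elevated prompt; the HKLM Run key and Win32_SystemDriver are readable without elevation, but Get-AuthenticodeSignature on some System32 binaries and the DNS cache query are more reliable as administrator. Treat any "File present" or driver hit as a reason to image the disk and rescan offline rather than to clean in place, since the page reports a kernel rootkit alongside the stealer.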

Symptoms

  • Unexpected outbound HTTP or SMTP traffic from the infected machine

Method of Infection

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, email, etc.

Removal

All Users:
Use the current engine and DAT files for detection and removal.

Modifications made to the system registry and/or INI files for the purpose of hooking system startup will be removed when cleaning with the recommended engine and DAT combination (or higher). Because recent variants also install the NTRootKit-U kernel driver, which can hide its files from the running system, verify cleaning with a scan from outside the infected operating system where possible.

Variants

    N/A

Overview

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.
