Content
PWS-LegMir.gen.k
- Type
- Trojan
- SubType
- Password Stealer
- Discovery Date
- 01/30/2008
- Length
- varies
- Minimum DAT
- 5219 (01/30/2008)
- Updated DAT
- 5285 (04/30/2008)
- Minimum Engine
- 5.1.00
- Description Added
- 01/30/2008
- Description Modified
- 02/27/2008 9:55 PM (PT)
Tab Navigation
Characteristics
PWS-LegMir.gen.k drops PWS-LegMir.gen.k.dll which steals passwords from multiple games. It will spread using autorun.inf in the root folder of available drives in the system and download updates of itself.
The following files are dropped:
- %DRIVELETTER%\h2.com
- %DRIVELETTER%\autorun.inf
- %TEMPDIR%\ee2m.dll
- %SYSTEM%\kavo.exe
- %SYSTEM%\kavo0.dll
The following files are downloaded to update itself:
- http://www.1a123.com/[removed]zz.rar
- http://www.1a123.com/[removed]zz.exe
The following registry entries are modified:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DownloadManager
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_JHYUIOPEWF\0000\Control\*NewlyCreated*: 0x00000000
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_JHYUIOPEWF\0000\Control\ActiveService: "jhyuiopewf"
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_JHYUIOPEWF\0000\Service: "jhyuiopewf"
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_JHYUIOPEWF\0000\Legacy: 0x00000001
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_JHYUIOPEWF\0000\ConfigFlags: 0x00000000
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_JHYUIOPEWF\0000\Class: "LegacyDriver"
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_JHYUIOPEWF\0000\ClassGUID: "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_JHYUIOPEWF\0000\DeviceDesc: "jhyuiopewf"
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_JHYUIOPEWF\NextInstance: 0x00000001
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden: 0x00000000
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\kava: "C:\WINDOWS\system32\kavo.exe"
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue: 0x00000000
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch\Epoch: 0x00000166
(where %DRIVELETTER% is a drive e.g. C:\,
%TEMPDIR% is the user temporary directory e.g. C:\Documents and Settings\username\Local Settings\Temp,
%SYSTEM% is the Windows system folder e.g C:\WINDOWS\system32)
Symptoms
- Presence of previously mentioned file.
- Presence of previously mentioned registry entries.
- Presence of unexpected network connection to previously mentioned URL.
Method of Infection
It spreads using autorun.inf files.
Removal
AVERT recommends to always use latest DATs and engine. This threat will be cleaned if you have this combination.
Variants
Variants
N/A
All Information
Overview -
PWS-LegMir.gen.k drops PWS-LegMir.gen.k.dll which steals passwords from multiple games. It will spread using autorun.inf in the root folder of available drives in the system and download updates of itself.
Characteristics
Characteristics -
PWS-LegMir.gen.k drops PWS-LegMir.gen.k.dll which steals passwords from multiple games. It will spread using autorun.inf in the root folder of available drives in the system and download updates of itself.
The following files are dropped:
- %DRIVELETTER%\h2.com
- %DRIVELETTER%\autorun.inf
- %TEMPDIR%\ee2m.dll
- %SYSTEM%\kavo.exe
- %SYSTEM%\kavo0.dll
The following files are downloaded to update itself:
- http://www.1a123.com/[removed]zz.rar
- http://www.1a123.com/[removed]zz.exe
The following registry entries are modified:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DownloadManager
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_JHYUIOPEWF\0000\Control\*NewlyCreated*: 0x00000000
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_JHYUIOPEWF\0000\Control\ActiveService: "jhyuiopewf"
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_JHYUIOPEWF\0000\Service: "jhyuiopewf"
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_JHYUIOPEWF\0000\Legacy: 0x00000001
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_JHYUIOPEWF\0000\ConfigFlags: 0x00000000
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_JHYUIOPEWF\0000\Class: "LegacyDriver"
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_JHYUIOPEWF\0000\ClassGUID: "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_JHYUIOPEWF\0000\DeviceDesc: "jhyuiopewf"
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_JHYUIOPEWF\NextInstance: 0x00000001
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden: 0x00000000
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\kava: "C:\WINDOWS\system32\kavo.exe"
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue: 0x00000000
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch\Epoch: 0x00000166
(where %DRIVELETTER% is a drive e.g. C:\,
%TEMPDIR% is the user temporary directory e.g. C:\Documents and Settings\username\Local Settings\Temp,
%SYSTEM% is the Windows system folder e.g C:\WINDOWS\system32)
Symptoms
Symptoms -
- Presence of previously mentioned file.
- Presence of previously mentioned registry entries.
- Presence of unexpected network connection to previously mentioned URL.
Method of Infection
Method of Infection -
It spreads using autorun.inf files.
Removal -
Removal -
AVERT recommends to always use latest DATs and engine. This threat will be cleaned if you have this combination.
Additional Windows ME/XP removal considerations
Variants
Variants -
N/A
