Virus: TR/PSW.Lmir.53381
Date discovered: 13/12/2012
Type: Trojan
In the wild: No
Reported Infections: Low
Distribution Potential: Low
Damage Potential: Medium
Static file: Yes
File size: 53.381 Bytes
MD5 checksum: 377d336c659395f6faf9100b69eaa84a
VDF version: 7.11.53.216

General
Method of propagation:
   • No own spreading routine


Aliases:
   • Sophos: Troj/LegMir-AV
   • Bitdefender: Trojan.PSW.Lmir.A


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows 2000
   • Windows XP


Side effects:
   • Lowers security settings
   • Registry modification
   • Steals information

Files
It copies itself to the following locations:
   • %SYSDIR%\logonuit.exe
   • %SYSDIR%\winl0gon.exe
   • %SYSDIR%\windows.exe

Registry
The following registry key is added in order to run the process after reboot:

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
   • "windows update"="%SYSDIR%\logonuit.exe"



The following registry keys are changed:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
   Old value:
   • "Shell"=%user defined settings%
   New value:
   • "Shell"="Explorer.exe %SYSDIR%\windows.exe"

HKCR\txtfile\shell\open\command
   Old value:
   • @=%user defined settings%
   New value:
   • @="%SYSDIR%\winl0gon.exe %1"

Process termination
List of processes that are terminated:
   • Iparmor.exe
   • MAILMON.EXE
   • KAVPFW.EXE
   • PasswordGuard.exe

Processes with the following window characteristics are terminated:
   • Title: Symantec AntiVirus; Class name: KV2004
   • Title: RavMon.exe; Class name: RavMonClass
   • Title: %random character string%; Class name: Tapplication
   • Title: %random character string%; Class name: TForm1
   • Title: %random character string%; Class name: TfLockDownMain
   • Title: %random character string%; Class name: ZAFrameWnd
   • Title: %random character string%; Class name: KvXP_ExpertFrame
   • Title: %random character string%; Class name: WHXMDI0
   • Title: RegEdit_RegEdit; Class name: TKillqqv
   • Title: %random character string%; Class name: TfrmMain

Stealing
It tries to steal the following information:

Passwords from the following programs:
   • Legend of Mir2
   • Legend of Mir3

File details
Programming language:
The malware program was written in Delphi.


Runtime packer:
In order to hinder detection and reduce the size of the file, it is packed with the following runtime packer:
   • UPX

Description inserted by Irina Boldea on Wednesday, August 31, 2005
Description updated by Irina Boldea on Thursday, September 1, 2005