Virus:TR/PSW.Lmir.aae.3
Date discovered:08/07/2005
Type:Trojan
In the wild:No
Reported Infections:Low
Distribution Potential:Low
Damage Potential:Low to medium
Static file:Yes
File size:19.929 Bytes
MD5 checksum:0247bbc64162b9981ad008a59891d3da
VDF version:6.31.0.168

 General Method of propagation:
   • No own spreading routine


Aliases:
   •  Symantec: Backdoor.Trojan
   •  Kaspersky: Trojan-PSW.Win32.Lmir.aae
   •  Bitdefender: Trojan.Pws.Lmir.AAE


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Downloads a malicious file
   • Registry modification

 Files It copies itself to the following location:
   • %SYSDIR%\yklgvh.exe



It deletes the initially executed copy of itself.



The following files are created:

%WINDIR%\SchedLgU.txt This is a non malicious text file with the following content:
   • "Task Scheduler Service"
      Started at date time
     "Task Scheduler Service"
      Exited at date time
     "Task Scheduler Service"
      Started at date time
     "Task Scheduler Service"
      Exited at date time
     
     [ ***** Most recent entry is above this line ***** ]
     
     

%SYSDIR%\Yklgvh.dll Further investigation pointed out that this file is malware, too. Detected as: TR/PSWTR.PSW.aae.2

%SYSDIR%\drivers\yklgvh.sys Further investigation pointed out that this file is malware, too. Detected as: BDS/PcClient.K.1




It tries to download some files:

– The location is the following:
   • kissyou8**********.com/pcshare.txt
It is saved on the local hard drive under: %temporary internet files%\pcshare.txt This file may contain further download locations and might serve as source for new threats.

– The location is the following:
   • pcshare.txt
It is saved on the local hard drive under: %temporary internet files%\dlfile.asp Furthermore this file gets executed after it was fully downloaded. At the time of writing this file was not online for further investigation.

 Registry The following registry keys are added in order to load the services after reboot:

– [HKLM\SYSTEM\CurrentControlSet\Services\Yklgvh]
   • "Type"=dword:00000001
   • "Start"=dword:00000003
   • "ErrorControl"=dword:00000001
   • "DisplayName"="Yklgvh"

– [HKLM\SYSTEM\CurrentControlSet\Services\Yklgvh\Enum]
   • "0"="Root\\LEGACY_YKLGVH\\0000"
   • "Count"=dword:00000001
   • "NextInstance"=dword:00000001

– [HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_YKLGVH]
   • "NextInstance"=dword:00000001

– [HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_YKLGVH\0000]
   • "Service"="Yklgvh"
   • "Legacy"=dword:00000001
   • "ConfigFlags"=dword:00000000
   • "Class"="LegacyDriver"
   • "ClassGUID"="{8ECC055D-047F-11D1-A537-0000F8753ED1}"
   • "DeviceDesc"="Yklgvh"

– [HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_YKLGVH\0000\
   Control]
   • "*NewlyCreated*"=dword:00000000
   • "ActiveService"="Yklgvh"

– [HKLM\SYSTEM\CurrentControlSet\Services\Yklgvh\Security]
   • "Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
      00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
      00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\
      05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
      20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,\
      00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,\
      00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00

– [HKLM\SYSTEM\CurrentControlSet\Services\Yklgvh]
   • "ImagePath"=\??\%SYSDIR%\drivers\Yklgvh.sys

– [HKLM\SYSTEM\CurrentControlSet\Services\Schedule]
   • "ImagePath"=%SYSDIR%\Yklgvh.exe -k netsvcs

 Injection – It injects itself into a process.

    Process name:
   • Internet Explorer


 File details Programming language:
 The malware program was written in MS Visual C++.


Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with a runtime packer.

Description inserted by Sergiu Oprea on Wednesday, August 3, 2005
Description updated by Sergiu Oprea on Friday, September 30, 2005

Back . . . .