Virus: TR/PSW.Lmir.12.A.3
Date discovered: 17/07/2006
Type: Trojan
In the wild: Yes
Reported Infections: Low
Distribution Potential: Low
Damage Potential: Low to medium
Static file: Yes
File size: 40.832 Bytes
MD5 checksum: 2d3e75fc4ed0ed18d898fd1e3b003698
VDF version: 6.34.00.147
IVDF version: 6.34.00.149 - Thursday, April 6, 2006

General

Method of propagation:
   • No own spreading routine


Alias:
   •  TrendMicro: TSPY_AGENT.CVC


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Drops a malicious file
   • Registry modification
   • Steals information

Files

It copies itself to the following location:
   • %PROGRAM FILES%\explorex.exe



The following file is created:

   • %SYSDIR%\systemlx.dll

This file is executed once it has been fully created. Further investigation showed that this file is malware, too. Detected as: TR/PSW.Delf.OA

Registry

One of the following values is added in order to run the process after reboot:

–  [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "explorex.exe"="%PROGRAM FILES%\explorex.exe"

Injection

–  It injects the following file into a process: %SYSDIR%\systemlx.dll

    All of the following processes:
   • explorer.exe
   • %processes that have visible windows%


File details

Programming language:
The malware program was written in Delphi.


Runtime packer:
To make detection more difficult and to reduce the size of the file, it is packed with the following runtime packer:
   • PE Pack

Description inserted by Monica Ghitun on Monday, July 17, 2006
Description updated by Monica Ghitun on Monday, August 7, 2006
