Virus:TR/PSW.Lmir.51944
Date discovered:11/09/2006
Type:Trojan
In the wild:No
Reported Infections:Low
Distribution Potential:Low
Damage Potential:Medium
Static file:Yes
File size:51.963 Bytes
MD5 checksum:d72a7db27962cdb93efb82737ef6cdaf
VDF version:6.35.01.208
IVDF version:6.35.01.212 - Tuesday, September 12, 2006

 General Method of propagation:
   • No own spreading routine


Aliases:
   •  Mcafee: PWS-WoW trojan
   •  Kaspersky: Trojan-PSW.Win32.WOW.ih
   •  TrendMicro: TSPY_WOW.LW
   •  F-Secure: Trojan-PSW.Win32.WOW.ih


Platforms / OS:
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Lowers security settings
   • Registry modification
   • Steals information

 Files It copies itself to the following locations:
   • %WINDIR%\LSASS.exe
   • %PROGRAM FILES%\Internet Explorer\INTEXPLORE.com
   • %PROGRAM FILES%\Common Files\INTEXPLORE.pif
   • %WINDIR%\EXERT.exe
   • %SYSDIR%\MSCONFIG.COM
   • %SYSDIR%\dxdiag.com
   • %SYSDIR%\regedit.com
   • %WINDIR%\Debug\DebugProgram.exe
   • D:\command.com



The following file is created:

– D:\autorun.inf

 Registry The following registry key is added in order to run the process after reboot:

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "ToP"="%WINDIR%\LSASS.exe"



The following registry keys are added:

– [HKCR\WindowFiles]
– [HKCR\WindowFiles\DefaultIcon]
   • @="%1"

– [HKCR\WindowFiles\Shell]
– [HKCR\WindowFiles\Shell\Open]
– [HKCR\WindowFiles\Shell\Open\Command]
   • @="%WINDIR%\EXERT.exe "%1" %*"



The following registry keys are changed:

– [HKLM\SOFTWARE\Classes\htmlfile\shell\open\command]
   Old value:
   • @=""%PROGRAM FILES%\Internet Explorer\iexplore.exe" -nohome"
   New value:
   • @=""%PROGRAM FILES%\Internet Explorer\INTEXPLORE.com" -nohome"

– [HKCU\Software\Microsoft\Internet Explorer\Main]
   Old value:
   • "Check_Associations"=%user defined settings%
   New value:
   • "Check_Associations"="No"

– [HKCR\Applications\iexplore.exe\shell\open\command]
   Old value:
   • @=""%PROGRAM FILES%\Internet Explorer\iexplore.exe" %1"
   New value:
   • @=""%PROGRAM FILES%\Internet Explorer\INTEXPLORE.com" %1"

– [HKCR\CLSID\{%CLSID%}\shell\OpenHomePage\Command]
   Old value:
   • @="%PROGRAM FILES%\Internet Explorer\iexplore.exe"
   New value:
   • @=""%PROGRAM FILES%\Internet Explorer\INTEXPLORE.com""

– [HKCR\ftp\shell\open\command]
   Old value:
   • @=""%PROGRAM FILES%\Internet Explorer\iexplore.exe" %1"
   New value:
   • @=""%PROGRAM FILES%\Internet Explorer\INTEXPLORE.com" %1"

– [HKCR\htmlfile\shell\open\command]
   Old value:
   • @=""%PROGRAM FILES%\Internet Explorer\iexplore.exe" -nohome"
   New value:
   • @=""%PROGRAM FILES%\Internet Explorer\INTEXPLORE.com" -nohome"

– [HKCR\htmlfile\shell\opennew\command]
   Old value:
   • @=""%PROGRAM FILES%\Internet Explorer\iexplore.exe" %1"
   New value:
   • @=""%PROGRAM FILES%\common~1\INTEXPLORE.pif" %1"

– [HKCR\http\shell\open\command]
   Old value:
   • @=""%PROGRAM FILES%\Internet Explorer\iexplore.exe" -nohome"
   New value:
   • @=""%PROGRAM FILES%\common~1\INTEXPLORE.pif" -nohome"

– [HKLM\SOFTWARE\Classes\http\shell\open\command]
   Old value:
   • @=""%PROGRAM FILES%\Internet Explorer\iexplore.exe" -nohome"
   New value:
   • @=""%PROGRAM FILES%\common~1\INTEXPLORE.pif" -nohome"

– [HKCR\.exe]
   Old value:
   • @="exefile"
   New value:
   • @="WindowFiles"

 Process termination Processes with one of the following strings are terminated:
   • MMSK; RAVMON; TROJDIE; KPOP; CCENTER; ASSISTSE; KPFW; AGENTSVR; KV;
      KREG; IEFIND; IPARMOR; SVI.EXE; UPHC; RULEWIZE; FYGT; RFWSRV; RFWMA


 Stealing It tries to steal the following information:

– Passwords from the following programs:
   • World of old oriental legends
   • World of Warcraft
   • Zhengtu

– A logging routine is started after one of the following websites are visited:
   • us.logon.worldofwarcraft.com
   • eu.logon.worldofwarcraft.com
   • tw.logon.worldofwarcraft.com

 File details Programming language:
 The malware program was written in Visual Basic.


Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with a runtime packer.

Description inserted by Adriana Popa on Monday, September 25, 2006
Description updated by Adriana Popa on Monday, September 25, 2006

Back . . . .