Virus Characteristics
-- Update October 21, 2008 --
The 5410 DAT files that correct this issue have been released.
-- Update October 20, 2008 --
The 5409 DAT files contain an incorrect (false-positive) identification of PWS-LegMir. McAfee Avert Labs has released DAT 5410 to correct this issue. The false detection is seen on the following file:
- conime.exe - Windows Vista console IME (MD5: F96EBC5A624349D81DCC7600A3C5DC43)
----
This detection is generic and is designed to cover many similar password-stealing trojans, including trojans written in several high-level languages (HLLs) such as Microsoft Visual C++, Visual Basic and Delphi.
Users are recommended to use the latest engine/DAT combination for optimal detection, and to ensure that scanning of compressed files is enabled.
These password-stealing trojans are typically designed to steal passwords from various sources, as well as account information for the "Legend of Mir" game if it has been installed on the victim machine. The trojan mails this information to the trojan author at various email addresses. Since there are many variants of this trojan, this description is a general guide.
When run, the trojan installs itself on the victim machine, typically in %WinDir% or %SysDir%, using varying filenames. For example:
C:\WINDOWS\SYSTEM\TASKMON.EXE
To hook system startup, Registry run-key values are added, pointing to the installed file(s). For example:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "TaskMontor" = C:\WINDOWS\SYSTEM\taskmon.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "TaskMontor" = C:\WINDOWS\SYSTEM\taskmon.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices "TaskMontor" = C:\WINDOWS\SYSTEM\taskmon.exe