Win32/PSW.Legendmir [Threat Name]

Win32/PSW.Legendmir.AU [Threat Variant Name]

Category trojan
Size 63488 B
Detection created Jan 02, 2004
Detection database version 1590
Aliases Trojan-GameThief.Win32.Lmir.gen (Kaspersky)
  Trojan.PWS.Legmir (Dr.Web)
  PWS:Win32/Lmir.AU (Microsoft)
  Trojan.Killproc!gen (Symantec)
Short description

Win32/PSW.Legendmir.AU is a trojan that steals sensitive information. The trojan attempts to send gathered information to a remote machine.

Installation

When executed, the trojan copies itself into the following location:

  • %windir%\TaskMon32.exe

The trojan modifies the following file:

  • %windir%\System.ini

The trojan writes the following entries to the file:

  • [boot]
    • Shell="Explorer.exe TaskMon32.exe"

The following Registry entries are created:

  • [HKEY_LOCAL_MACHINE\SoftWare\Microsoft\Windows\CurrentVersion\RunServices]
    • "TaskMonitor" = "%windir%\TaskMon32.exe"

This causes the trojan to be executed on every system start.
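
The following Python check is an added example, not part of the original description: it reads the text of a System.ini file collected from a host and reports any program that the [boot] Shell= line starts besides Explorer.exe, which covers the modification listed above and any similar one. The function names and the sample file contents are constructed for illustration.

```python
import ntpath

EXPECTED_SHELL = "explorer.exe"  # the only program a stock Shell= line starts

def boot_shell_values(ini_text):
    """Return every Shell= value found in the [boot] section of System.ini text."""
    section, values = None, []
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # skip blanks and comments
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()  # section names are case-insensitive
            continue
        key, sep, value = line.partition("=")
        if sep and section == "boot" and key.strip().lower() == "shell":
            values.append(value.strip().strip('"'))
    return values

def extra_shell_programs(ini_text):
    """Programs started by Shell= besides Explorer.exe (empty list means unmodified)."""
    extras = []
    for value in boot_shell_values(ini_text):
        for token in value.replace(",", " ").split():
            name = ntpath.basename(token.strip('"')).lower()
            if name != EXPECTED_SHELL:
                extras.append(name)
    return extras

# Constructed sample inputs (not captured from a real host).
CLEAN_INI = "[boot]\nshell=Explorer.exe\n[386Enh]\nwoafont=dosapp.fon\n"
MODIFIED_INI = '; for 16-bit app support\n[BOOT]\nShell="Explorer.exe TaskMon32.exe"\n'

if __name__ == "__main__":
    for label, text in (("clean", CLEAN_INI), ("modified", MODIFIED_INI)):
        print(label, extra_shell_programs(text))
```

Tokens are split on whitespace, so a Shell= value containing a path with spaces would need a stricter tokenizer.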

Information stealing

Win32/PSW.Legendmir.AU is a trojan that steals sensitive information.


The trojan collects information related to the on-line game Legend of Mir 2.


The trojan collects the following information:

  • computer name
  • user name
  • operating system version

The trojan attempts to send gathered information to a remote machine.


The trojan sends the information via e-mail.

Other information

Win32/PSW.Legendmir.AU is a trojan that terminates specific applications.


The programs affected include the following:

  • ZoneAlarm
  • Rising Anti-Virus

The following programs are terminated:

  • EGHOST.EXE
  • MAILMON.EXE
  • KAVPFW.EXE
  • KVFW.EXE

The trojan keeps various information in the following Registry keys:

  • [HKEY_CLASSES_ROOT\Legend\Enter]
  • [HKEY_CLASSES_ROOT\Legend\Change password]
  • [HKEY_CLASSES_ROOT\Legend\Registry]
