Win32/PSW.Legendmir [Threat Name]

Win32/PSW.Legendmir.NGG [Threat Variant Name]

Category: trojan
Size: 23435 B
Aliases: Trojan-GameThief.Win32.OnLineGames.vahh (Kaspersky)
         PWS-Mmorpg.gen (McAfee)
         Trojan:Win32/Lmir.D (Microsoft)
Short description

The trojan collects various information related to online computer games. The trojan can send the information to a remote machine.

Installation

When executed, the trojan copies itself into the following location:

  • %system%\cmdsame.exe

The trojan creates the following files:

  • %system%\cmdsame.dll
  • %system%\cmdsame.ini

In order to be executed on every system start, the trojan sets the following Registry entry. The Policies\Explorer\Run list is processed by Explorer at logon in the same way as the better-known CurrentVersion\Run key, but is inspected far less often; the value name "nwiz" mimics the legitimate NVIDIA nView startup entry of the same name.

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
    • "nwiz" = "cmdsame.exe"

After the installation is complete, the trojan deletes the original executable file.

Information stealing

Win32/PSW.Legendmir.NGG is a trojan that steals account names and passwords for the following online games:

  • The Legend of Mir

The trojan collects the following information:

  • operating system version
  • computer name

The trojan can send the information to a remote machine. It connects to the following addresses over HTTP:

  • www.mirsosoft.com
  • www.auq881.com

Other information

The trojan injects its own program code into the following processes and runs it there in a new thread:

  • mir.exe
  • explorer.exe
  • svchost.exe

The trojan may terminate specific running processes. The following program is terminated:

  • 360tray.exe (the real-time protection tray process of Qihoo 360 Safeguard)

The trojan may create the following files:

  • %system%\aliimz

The trojan may set the following Registry entries, which register a kernel-mode driver service (Type 1 = SERVICE_KERNEL_DRIVER, Start 3 = SERVICE_DEMAND_START, i.e. loaded on request rather than at boot):

  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aliimz]
    • "Type" = 1
    • "Start" = 3
    • "ImagePath" = "System32\Drivers\aliimz.sys"

The trojan can download and execute a file from the Internet. The file is stored in the following location and then executed:

  • %temp%\~ms%variable%.tmp

A string with variable content is used instead of %variable%.
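The following host-triage script is an added example and is not part of the ESET description; it turns the indicators listed under Installation and Other information into a read-only check that an analyst can run on a suspect Windows machine. It reports and hashes matches but deletes and kills nothing. Two points are assumptions rather than facts from the page: the wildcard ~ms*.tmp stands in for %temp%\~ms%variable%.tmp (it may also match unrelated files, so treat a hit as a lead), and the loaded-module check assumes that cmdsame.dll is the component injected into explorer.exe, svchost.exe and mir.exe, which the page does not state. The network check reads the local DNS client cache instead of resolving the two hostnames, so the sweep itself does not contact them.

```powershell
# Added triage example for Win32/PSW.Legendmir.NGG indicators (not ESET's code).
# Run from an elevated PowerShell so that svchost.exe modules and HKLM are readable.
$findings = New-Object System.Collections.Generic.List[string]

# 1. Dropped components in %system% (System32) and the driver path from ImagePath.
$system32 = [Environment]::GetFolderPath('System')
$dropped = @('cmdsame.exe', 'cmdsame.dll', 'cmdsame.ini', 'aliimz', 'Drivers\aliimz.sys') |
    ForEach-Object { Join-Path $system32 $_ }
foreach ($path in $dropped) {
    if (Test-Path -LiteralPath $path -PathType Leaf) {
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        $findings.Add("file: $path sha256=$hash")
    }
}

# 2. Persistence in the Explorer policy Run list ("nwiz" = "cmdsame.exe").
#    Flag both the known value name and any value that points at cmdsame.exe.
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
if (Test-Path -LiteralPath $runKey) {
    foreach ($p in (Get-ItemProperty -LiteralPath $runKey).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PSPath/PSParentPath/... added by the provider
        if ($p.Name -eq 'nwiz' -or "$($p.Value)" -match 'cmdsame\.exe') {
            $findings.Add("registry: $runKey\$($p.Name) = $($p.Value)")
        }
    }
}

# 3. The 'aliimz' kernel-driver service (Type=1, Start=3, ImagePath=System32\Drivers\aliimz.sys).
$svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\aliimz'
if (Test-Path -LiteralPath $svcKey) {
    $svc = Get-ItemProperty -LiteralPath $svcKey
    $findings.Add("service: aliimz Type=$($svc.Type) Start=$($svc.Start) ImagePath=$($svc.ImagePath)")
}

# 4. Downloaded payload stored as %temp%\~ms%variable%.tmp.
#    Assumption: '~ms*.tmp' approximates the unknown %variable% part; it can match unrelated files.
Get-ChildItem -LiteralPath $env:TEMP -Filter '~ms*.tmp' -File -ErrorAction SilentlyContinue |
    ForEach-Object { $findings.Add("temp payload: $($_.FullName) size=$($_.Length) written=$($_.LastWriteTime)") }

# 5. Live process evidence: the copied executable itself...
Get-Process -Name cmdsame -ErrorAction SilentlyContinue |
    ForEach-Object { $findings.Add("process: cmdsame.exe pid=$($_.Id)") }

#    ...and, as an assumption not stated on the page, cmdsame.dll loaded into the injection targets.
foreach ($proc in Get-Process -Name explorer, svchost, mir -ErrorAction SilentlyContinue) {
    try {
        if ($proc.Modules | Where-Object { $_.ModuleName -ieq 'cmdsame.dll' }) {
            $findings.Add("injected module: cmdsame.dll in $($proc.ProcessName) pid=$($proc.Id)")
        }
    } catch { }   # access denied / bitness mismatch on some processes; not fatal
}

# 6. C2 contact: look for the two hostnames in the DNS client cache rather than resolving them,
#    so the triage itself generates no lookups for attacker-controlled names.
$c2 = 'www.mirsosoft.com', 'www.auq881.com'
Get-DnsClientCache -ErrorAction SilentlyContinue |
    Where-Object { $c2 -contains $_.Entry } |
    ForEach-Object { $findings.Add("dns cache: $($_.Entry) -> $($_.Data)") }

if ($findings.Count -gt 0) { $findings | ForEach-Object { "[!] $_" } }
else { 'No Win32/PSW.Legendmir.NGG indicators found.' }
```

A clean result only means none of these specific artefacts are present now; because the trojan deletes its original executable and the downloaded %temp% file is a transient dropper, a negative sweep on a machine that was infected earlier is expected, and the Explorer policy Run value and the aliimz service key are the indicators most likely to survive.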
