Trojan.PWS.Lmir.UMH

LOW
LOW
12KB
(Trojan-GameThief.Win32.OnLineGames.asbz(KAV))

Symptoms

The presence of the files and registry keys listed in the Technical Description below.

Removal instructions:

Please let BitDefender disinfect your files.
Manual: If the dropped DLL can be located in %windir%\System32, search the system registry for its name (without extension), delete every registry value whose name or data contains that string, and then delete the DLL and its companion file from System32. Because the DLL is injected into all running processes, deleting the files may fail until those processes are terminated (e.g. after booting into Safe Mode).

Analyzed By

Ovidiu Visoiu, virus researcher

Technical Description:

    When launched, the trojan drops into the %windir%\system32 folder a DLL whose name is derived from that of an existing DLL in the same folder (e.g. rasmanqn3.dll, mdimapzx.dll); a second file with the same base name but a different extension is dropped alongside it (rasmanqn3.nls, mdimapzx.dat).
    In order to monitor keystrokes and the mouse, the dropped DLL is injected into the memory space of all running processes.
    The following registry keys are added so that the dropped DLL is loaded again at every logon: the ShellServiceObjectDelayLoad value makes Explorer load the COM object identified by the CLSID, and the InProcServer32 entries point that CLSID at the dropped DLL:
    [HKCR\CLSID\{%clsid%}\InProcServer32]
             (Default) = %Path_To_Dropped_DLL%
    [HKLM\SOFTWARE\Classes\CLSID\{%clsid%}\InProcServer32]
             (Default) = %Path_To_Dropped_DLL%
    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
             %Dropped_DLL_Name% = %clsid%
    The original executable is then deleted using a batch file created in the %TEMP% directory.
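The persistence chain described above (ShellServiceObjectDelayLoad value -> CLSID -> InProcServer32 -> DLL in System32, with a companion file of the same base name) can be hunted for with the following script. It is an added example, not part of the original description and not a BitDefender tool. It assumes the DLL sits directly in %windir%\System32 and treats the two sample names above as a heuristic: a base name that equals an existing System32 DLL name plus two or three trailing characters (rasman -> rasmanqn3) is flagged. Function names and the heuristic thresholds are this example's own choices. It only reports; it deletes nothing.

```powershell
# Added example: hunt for the ShellServiceObjectDelayLoad persistence pattern described above.
# Not part of the original description. Run from an elevated PowerShell prompt. Read-only.
$ssodlKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'
$system32 = Join-Path $env:windir 'System32'

function Resolve-InProcServer {
    param([string]$Clsid)
    # HKCR is a merged view of HKLM\Software\Classes and HKCU\Software\Classes; check the
    # two locations the description names plus the per-user side.
    foreach ($root in 'Registry::HKEY_CLASSES_ROOT\CLSID',
                      'HKLM:\SOFTWARE\Classes\CLSID',
                      'HKCU:\SOFTWARE\Classes\CLSID') {
        $key = "$root\$Clsid\InProcServer32"
        if (Test-Path -LiteralPath $key) {
            $path = (Get-ItemProperty -LiteralPath $key).'(default)'
            if ($path) { return [Environment]::ExpandEnvironmentVariables($path) }
        }
    }
    return $null
}

function Get-SuspiciousSsodlEntries {
    if (-not (Test-Path -LiteralPath $ssodlKey)) { return }
    $values = Get-ItemProperty -LiteralPath $ssodlKey

    # Base names of every DLL already in System32, for the "derived name" heuristic.
    $knownDlls = Get-ChildItem -LiteralPath $system32 -Filter '*.dll' -File |
                 ForEach-Object { $_.BaseName.ToLowerInvariant() }

    foreach ($prop in $values.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # provider metadata, not registry values
        $clsid = [string]$prop.Value
        $dll   = Resolve-InProcServer -Clsid $clsid
        if (-not $dll) { continue }

        $inSystem32 = $dll.StartsWith($system32, [StringComparison]::OrdinalIgnoreCase)
        $base = [IO.Path]::GetFileNameWithoutExtension($dll)

        # Companion file: same base name, different extension, in System32
        # (rasmanqn3.nls next to rasmanqn3.dll in the description).
        $companions = @()
        if ($inSystem32) {
            $companions = @(Get-ChildItem -LiteralPath $system32 -Filter "$base.*" -File |
                            Where-Object { $_.Extension -ne '.dll' } |
                            ForEach-Object { $_.Name })
        }

        # Derived-name heuristic (assumption drawn from the two sample names): the base name is
        # a legitimate System32 DLL name plus 2-3 trailing characters, e.g. rasman -> rasmanqn3.
        $lower = $base.ToLowerInvariant()
        $derivedFrom = @($knownDlls | Where-Object {
            $_.Length -ge 4 -and (($lower.Length - $_.Length) -in 2..3) -and $lower.StartsWith($_)
        })

        if ($companions.Count -gt 0 -or $derivedFrom.Count -gt 0) {
            [pscustomobject]@{
                ValueName   = $prop.Name
                CLSID       = $clsid
                DLL         = $dll
                InSystem32  = $inSystem32
                Companions  = ($companions -join ', ')
                DerivedFrom = ($derivedFrom -join ', ')
            }
        }
    }
}

Get-SuspiciousSsodlEntries | Format-List
```

Legitimate ShellServiceObjectDelayLoad entries (on older Windows, for example the WebCheck and SysTray objects) also resolve to DLLs in System32, so treat a hit as a lead, not a verdict: confirm the companion file and the odd name before acting. Once confirmed, remove the value with Remove-ItemProperty, the CLSID\{...}\InProcServer32 keys with Remove-Item, and then the two files; as the description notes, the DLL is injected into every running process, so the file deletion usually has to be done from Safe Mode or after the injected processes have exited.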