McAfee > Theat Center > Virus Detail Page

Overview

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

-- Update October 21, 2008 --

The 5410 DAT files that correct this issue have been released. 

-- Update October 20, 2008 --

The 5409 DAT files contain an incorrect identification on PWS-LegMir. McAfee Avert Labs have released DAT 5410  to correct this issue. The false detection is being seen on the following file:

• conime.exe - Windows Vista console IME (MD5: F96EBC5A624349D81DCC7600A3C5DC43)

Aliases

• PWS-LegMir.gen

• PWS-LegMir.gen.b

Characteristics

-- Update October 21, 2008 --

The 5410 DAT files that correct this issue have been released.

-- Update October 20, 2008 --

The 5409 DAT files contain an incorrect identification on PWS-LegMir. McAfee Avert Labs have released DAT 5410  to correct this issue. The false detection is being seen on the following file:

• conime.exe - Windows Vista console IME (MD5: F96EBC5A624349D81DCC7600A3C5DC43)

----

This detection is generic, and designed to cover many similar password-stealing trojans. This includes trojans written in multiple HLLs, including MSVC, MSVB and Delphi.

Users are recommended to use the latest engine/DATs combination for optimal detection, and ensure the scanning of compressed files is enabled.

These password stealing trojans are typically designed to steal passwords from various different sources, as well as information for the "Legend of Mir" game if it is has been installed on the victim machine. It mails this information to the trojan author at various email addresses.  Since there are many variants of this trojan, this description is a general guide.

When run, the trojan installs itself on the victim machine, typically in %WinDir% or %SysDir%, using varying filenames. For example:

C:\WINDOWS\SYSTEM\TASKMON.EXE

To hook system startup, a Registry key is added, pointing to the installed file(s). For example:

HKEY_CURRENT_USER\Software\Microsoft\Windows\_
CurrentVersion\Run "TaskMontor" =
C:\WINDOWS\SYSTEM\taskmon.exe

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\_
CurrentVersion\Run "TaskMontor" =
C:\WINDOWS\SYSTEM\taskmon.exe

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\_
CurrentVersion\RunServices "TaskMontor" = C:\WINDOWS\SYSTEM\taskmon.exe

Symptoms

Exact symptoms will vary between variants. However, the presence of unexpected files in %WinDir% or %SysDir%, coupled with Registry hooks pointing to them is a typical suggestion of some torjan installation (Note: some legitimate files will be started via Registry hooks).

Method of Infection

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, etc.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

Variants

N/A

All Information

Overview -

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

-- Update October 21, 2008 --

The 5410 DAT files that correct this issue have been released. 

-- Update October 20, 2008 --

The 5409 DAT files contain an incorrect identification on PWS-LegMir. McAfee Avert Labs have released DAT 5410  to correct this issue. The false detection is being seen on the following file:

• conime.exe - Windows Vista console IME (MD5: F96EBC5A624349D81DCC7600A3C5DC43)

Aliases

• PWS-LegMir.gen

• PWS-LegMir.gen.b

Characteristics

Characteristics -

-- Update October 21, 2008 --

The 5410 DAT files that correct this issue have been released.

-- Update October 20, 2008 --

The 5409 DAT files contain an incorrect identification on PWS-LegMir. McAfee Avert Labs have released DAT 5410  to correct this issue. The false detection is being seen on the following file:

• conime.exe - Windows Vista console IME (MD5: F96EBC5A624349D81DCC7600A3C5DC43)

----

This detection is generic, and designed to cover many similar password-stealing trojans. This includes trojans written in multiple HLLs, including MSVC, MSVB and Delphi.

Users are recommended to use the latest engine/DATs combination for optimal detection, and ensure the scanning of compressed files is enabled.

These password stealing trojans are typically designed to steal passwords from various different sources, as well as information for the "Legend of Mir" game if it is has been installed on the victim machine. It mails this information to the trojan author at various email addresses.  Since there are many variants of this trojan, this description is a general guide.

When run, the trojan installs itself on the victim machine, typically in %WinDir% or %SysDir%, using varying filenames. For example:

C:\WINDOWS\SYSTEM\TASKMON.EXE

To hook system startup, a Registry key is added, pointing to the installed file(s). For example:

HKEY_CURRENT_USER\Software\Microsoft\Windows\_
CurrentVersion\Run "TaskMontor" =
C:\WINDOWS\SYSTEM\taskmon.exe

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\_
CurrentVersion\Run "TaskMontor" =
C:\WINDOWS\SYSTEM\taskmon.exe

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\_
CurrentVersion\RunServices "TaskMontor" = C:\WINDOWS\SYSTEM\taskmon.exe

Symptoms

Symptoms -

Exact symptoms will vary between variants. However, the presence of unexpected files in %WinDir% or %SysDir%, coupled with Registry hooks pointing to them is a typical suggestion of some torjan installation (Note: some legitimate files will be started via Registry hooks).

Method of Infection

Method of Infection -

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, etc.

Removal -

Removal -

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

Variants -

N/A