
Trojan.PWS.Lmir.UMH


First posted on 21 November 2011.
Source: BitDefender

Aliases :

Trojan.PWS.Lmir.UMH is also known as Trojan-GameThief.Win32.OnLineGames.asbz (KAV).

Explanation :

When launched, the trojan drops into the %windir%\system32 folder a DLL file whose name is derived from that of an existing DLL in the same folder (e.g. rasmanqn3.dll, mdimapzx.dll); a file with the same base name but a different extension is also dropped (rasmanqn3.nls, mdimapzx.dat).
In order to monitor keystrokes and the mouse, the dropped DLL is injected into the memory space of all running processes.
The following registry keys are added so that the dropped DLL is loaded at every system reboot (the ShellServiceObjectDelayLoad entry makes explorer.exe instantiate the CLSID when the shell starts, and the CLSID's InProcServer32 value points it at the dropped DLL):
[HKCR\CLSID\{%clsid%}\InProcServer32]
(Default) = %Path_To_Dropped_DLL%
[HKLM\SOFTWARE\Classes\CLSID\{%clsid%}\InProcServer32]
(Default) = %Path_To_Dropped_DLL%
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
%Dropped_DLL_Name% = %clsid%
The original executable is then deleted using a batch file created in the %TEMP% directory.
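The persistence described above leaves a fixed footprint: a ShellServiceObjectDelayLoad value whose CLSID resolves, through InProcServer32, to a DLL in system32 with a companion .nls/.dat file and a name padded onto a real system DLL's name. The following audit script is an added example, not BitDefender's code; it walks every SSODL entry on the host and reports those that match. The name-derivation heuristic it applies (strip one to three trailing characters and look for a matching system32 DLL, so that rasmanqn3.dll is reported as resembling rasman.dll) is an assumption made here, since the page does not state the exact naming rule. Run it from an elevated PowerShell prompt on the suspect host.

```powershell
# Added example (not BitDefender's code): audit ShellServiceObjectDelayLoad (SSODL)
# persistence for entries matching the Trojan.PWS.Lmir.UMH description.
# Assumptions: the dropped name is a real system32 DLL name plus 1-3 extra characters.

$ssodlKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'
$system32 = Join-Path $env:windir 'system32'

function Get-InProcServer([string]$clsid) {
    # The trojan writes the same value under HKCR and HKLM\SOFTWARE\Classes;
    # check both and return the first server path found, with %vars% expanded.
    foreach ($root in 'Registry::HKEY_CLASSES_ROOT\CLSID', 'HKLM:\SOFTWARE\Classes\CLSID') {
        $ip = Get-ItemProperty -Path "$root\$clsid\InProcServer32" -ErrorAction SilentlyContinue
        if ($ip -and $ip.'(default)') {
            return [Environment]::ExpandEnvironmentVariables($ip.'(default)')
        }
    }
    return $null
}

function Get-DerivedFromName([string]$dllPath) {
    # Heuristic (assumption): rasmanqn3.dll -> rasman.dll. Strip 1-3 trailing
    # characters from the base name and see whether that DLL exists in system32.
    $base = [IO.Path]::GetFileNameWithoutExtension($dllPath)
    foreach ($n in 1..3) {
        if ($base.Length -le $n) { break }
        $candidate = Join-Path $system32 ($base.Substring(0, $base.Length - $n) + '.dll')
        if (Test-Path $candidate) { return [IO.Path]::GetFileName($candidate) }
    }
    return $null
}

if (-not (Test-Path $ssodlKey)) {
    Write-Warning "SSODL key not present: $ssodlKey"
    return
}

$entries = Get-ItemProperty -Path $ssodlKey
$report = foreach ($prop in $entries.PSObject.Properties) {
    # Get-ItemProperty adds PSPath/PSParentPath/... metadata; skip those and any default value.
    if ($prop.Name -like 'PS*' -or $prop.Name -eq '(default)') { continue }

    $clsid = [string]$prop.Value
    $dll   = Get-InProcServer $clsid
    $flags = New-Object System.Collections.Generic.List[string]

    if (-not $dll) {
        $flags.Add('no InProcServer32 for CLSID')
    } elseif (-not (Test-Path $dll)) {
        $flags.Add('server DLL missing on disk')
    } else {
        # Legitimate shell service objects on a clean system are Microsoft-signed.
        $sig = Get-AuthenticodeSignature -FilePath $dll
        if ($sig.Status -ne 'Valid') { $flags.Add("signature $($sig.Status)") }

        # Companion file with the same base name but a .nls or .dat extension.
        foreach ($ext in '.nls', '.dat') {
            $companion = [IO.Path]::ChangeExtension($dll, $ext)
            if (Test-Path $companion) {
                $flags.Add("companion file $([IO.Path]::GetFileName($companion))")
            }
        }

        # Dropped DLL named after an existing system DLL (heuristic, see above).
        $derived = Get-DerivedFromName $dll
        if ($derived) { $flags.Add("name resembles $derived") }
    }

    [pscustomobject]@{
        ValueName = $prop.Name
        CLSID     = $clsid
        Server    = $dll
        Flags     = ($flags -join '; ')
    }
}

$report | Format-Table -AutoSize
```

Read the Flags column as a whole rather than acting on any single flag: on older Windows versions, Microsoft DLLs that are signed only through a catalog can come back from Get-AuthenticodeSignature as NotSigned, so a signature flag on its own is weak evidence, whereas a companion .nls/.dat file next to an unsigned system32 DLL whose name is a real DLL name plus random characters is exactly the pattern described above. Because the dropped DLL is injected into every running process, remove the SSODL value and the CLSID keys first and delete the DLL after a reboot or from offline media; the %TEMP% batch file used to delete the original dropper is transient and is usually gone by the time the host is examined.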

Last update 21 November 2011
