
Trojan-GameThief.Win32.Lmir.a

Detected Aug 28 2007 08:54 GMT
Released Mar 26 2010 21:48 GMT
Published Aug 28 2007 08:54 GMT

This description was created by experts at Kaspersky Lab. It contains the most accurate information available about this program.


Technical Details

This Trojan is designed to steal confidential data. It is a Windows PE EXE file. The size of infected files may vary from 147KB to 171KB. It is packed using AsPack. It is written in Delphi.

Installation

Once launched, the Trojan copies itself to the Windows root directory (%WinDir%) under one of the following names (depending on the modification):

internet.exe
winsys.exe

It adds a link to its executable file in the system registry:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"winsys" = "%WinDir%\winsys.exe"

or:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Internet" = "%WinDir%\internet.exe"

depending on the modification. This ensures that the Trojan will be launched each time the system is booted.
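As an added example (not part of the Kaspersky description), the following Python script shows how the two persistence entries above can be checked offline in a regedit export of the HKLM hive: it parses the export, restricts itself to the Run and RunServices keys, and flags any value whose image is winsys.exe or internet.exe in the Windows directory. The export text is constructed for the example.

```python
import re

# Autorun keys named in the description, in the form a .reg export uses for HKLM.
AUTORUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservices",
}
LMIR_FILES = {"winsys.exe", "internet.exe"}   # file names the Trojan copies itself under
WINDIR_NAMES = {"windows", "winnt", "%windir%"}  # accepted spellings of the Windows root

# Constructed sample export (not from a real machine): one benign Run entry plus
# one entry for each of the two Trojan modifications.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"winsys"="C:\\WINDOWS\\winsys.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Internet"="C:\\WINDOWS\\internet.exe"
'''

VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')  # string (REG_SZ) values only

def parse_reg_export(text):
    """Yield (key, value_name, value_data) from a .reg export; '\\\\' is unescaped to '\\'."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := VALUE_RE.match(line)):
            yield key, m.group("name"), m.group("data").replace("\\\\", "\\")

def find_lmir_autoruns(text):
    """Return (subkey, value name, path) for Run/RunServices values that point at
    winsys.exe or internet.exe in the Windows root, as described for Lmir.a."""
    hits = []
    for key, name, data in parse_reg_export(text):
        if key.lower() not in AUTORUN_KEYS:
            continue
        path = data.split(" ", 1)[0]               # the Trojan writes an unquoted bare path
        dirname, _, fname = path.rpartition("\\")
        parent = dirname.rpartition("\\")[2].lower()
        if fname.lower() in LMIR_FILES and parent in WINDIR_NAMES:
            hits.append((key.rsplit("\\", 1)[1], name, path))
    return hits

if __name__ == "__main__":
    for subkey, name, path in find_lmir_autoruns(SAMPLE_REG):
        print(f"suspicious autorun: {subkey}\\{name} -> {path}")
```

The same check applies to a live system by exporting the key with `reg export` first; the benign ctfmon.exe entry in the sample is not reported because its file name and directory do not match.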


Payload

This Trojan is designed to steal user passwords for Legend of Mir 2, an online game. The Trojan searches for windows whose title is "legend of mir2" and harvests the account name and password that the user enters in those windows.

The Trojan sends harvested information to one of the following addresses:

***yahuu@163.net
dong****@163.com
friend***@peoplemail.com.cn

The Trojan does this by using the following SMTP servers:

smtp.163.com
smtp.peoplemail.com.cn

Removal instructions

If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:

  1. Use Task Manager to terminate the "explorer.exe" process.
  2. Delete the following parameters from the system registry (see What is a system registry and how do I use it for details on how to edit the registry).
    [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
    "winsys" = "%WinDir%\winsys.exe"

    or:

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
    "Internet" = "%WinDir%\internet.exe"

    Delete the following files:

    %WinDir%\internet.exe
    %WinDir%\winsys.exe
  3. Update your antivirus databases and perform a full scan of the computer (download a trial version of Kaspersky Anti-Virus).

Trojan-GameThief

This type of malicious program is designed to steal user account information for online games. The data is then transmitted to the malicious user controlling the Trojan. Email, FTP, the web (including data embedded in a request), or other methods may be used to transmit the stolen data.


Aliases

Trojan-GameThief.Win32.Lmir.a (Kaspersky Lab) is also known as:

  • Trojan-PSW.Win32.Lmir.a (Kaspersky Lab)
  • Trojan.PSW.Lmir.a (Kaspersky Lab)
  • Trojan.PSW.Legendmir.a (Kaspersky Lab)
  • Trojan: PWS-LegMir.gen (McAfee)
  • Mal/EncPk-RA (Sophos)
  • Trj/StartPage.DAW (Panda)
  • Trojan:Win32/Provis!rts (MS(OneCare))
  • Trojan.Generic.3013067 (BitDef7)
  • Trojan.CFI!pbUUCcTrCis (VirusBuster)
  • Win32:Trojan-gen (AVAST)
  • Trojan.Win32.BHO (Ikarus)
  • PSW.OnlineGames3.ALCV (AVG)
  • TR/Crypt.CFI.Gen (AVIRA)
  • Trojan.Gen (NAV)
  • W32/Lmir.UAB (Norman)
  • Trojan-GameThief.Win32.Lmir.a [AVP] (FSecure)
  • Trojan.Win32.Generic!BT (Sunbelt)
  • Trojan.CFI!pbUUCcTrCis (VirusBusterBeta)