W32/LegMir-AD

Category: Viruses and Spyware
Type: Win32 worm
Prevalence:


W32/LegMir-AD is a network worm with password stealing functionality.

W32/LegMir-AD tries to copy itself to all logical drives connected to the computer as folder.exe.

W32/LegMir-AD steals password information and emails it to a preconfigured email address.

The worm may also create a keylogger DLL that is detected by Sophos as Troj/Legmir-E.

W32/LegMir-AD copies itself to:

\folder.exe
%WINDOWS%\~aTNr.exe
%WINDOWS%\cih.exe
%WINDOWS%\hh.exe
%WINDOWS%\intrenat.exe
%WINDOWS%\notepad.exe
%WINDOWS%\winhlp32.exe
%SYSTEM%\cih.exe
%SYSTEM%\lc_res.exe
%SYSTEM%\Winsocks.dll

The files notepad.exe and hh.exe are first copied to the files Note.dll and hh.dll respectively before they are overwritten with a copy of the worm.


W32/LegMir-AD creates the following registry entries to ensure it is run at system logon:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Intrenat
%WINDOWS%\intrenat.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
Intrenat
%WINDOWS%\intrenat.exe

W32/LegMir-AD creates the file AUTORUN.INF in the root folder which can be deleted.

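The following host triage script is an added example, not Sophos' code or part of the original analysis. It checks a suspect Windows host for the persistence entries and dropped files listed above; it assumes %SYSTEM% resolves to System32 under $env:windir, and it treats the Note.dll and hh.dll backups as the indicator that notepad.exe or hh.exe was overwritten, since those file names are otherwise legitimate.

```powershell
# Added triage check for W32/LegMir-AD indicators (assumption: %SYSTEM% = System32).
$windows = $env:windir
$system  = Join-Path $windows 'System32'

# 1. Registry persistence: value "Intrenat" under Run and RunServices.
#    RunServices does not exist on NT-based Windows, so missing keys are ignored.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices'
)
foreach ($key in $runKeys) {
    $entry = Get-ItemProperty -Path $key -Name 'Intrenat' -ErrorAction SilentlyContinue
    if ($entry) {
        Write-Output "PERSISTENCE: $key\Intrenat = $($entry.Intrenat)"
    }
}

# 2. Dropped copies whose names are not legitimate Windows files.
$dropped = @(
    "$windows\~aTNr.exe", "$windows\cih.exe", "$windows\intrenat.exe",
    "$system\cih.exe", "$system\lc_res.exe", "$system\Winsocks.dll"
)
foreach ($path in $dropped) {
    if (Test-Path -LiteralPath $path) { Write-Output "DROPPED FILE: $path" }
}

# 3. notepad.exe and hh.exe exist on clean systems; the worm first saves the
#    originals as Note.dll / hh.dll, so those backups are the tell.
$backups = @{
    "$windows\notepad.exe" = "$windows\Note.dll"
    "$windows\hh.exe"      = "$windows\hh.dll"
}
foreach ($original in $backups.Keys) {
    $backup = $backups[$original]
    if (Test-Path -LiteralPath $backup) {
        Write-Output "OVERWRITE BACKUP: $backup (check $original against a known-good copy)"
    }
}

# 4. Root of every logical drive: folder.exe and AUTORUN.INF.
foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
    foreach ($name in 'folder.exe', 'AUTORUN.INF') {
        $path = Join-Path $drive.Root $name
        if (Test-Path -LiteralPath $path) { Write-Output "DRIVE ROOT: $path" }
    }
}
```

An AUTORUN.INF hit alone is not conclusive on removable media, so pair it with the folder.exe check and the registry value before treating the host as infected.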
