Summary

| Affected operating systems | Windows |
|---|---|
| Included in our products from | October 2005 (3.98) |
| Protection available since | 24 August 2005 08:23:18 (GMT) |
| Detected by | All Sophos products |
Action

Please follow the instructions for removing Trojans.
Change any data that may have become compromised.
More Information
Troj/LegMir-AT is a backdoor Trojan which allows a remote intruder to gain access and control over the computer.
When first run, Troj/LegMir-AT copies itself to <System>\winmgr.exe and creates the file <Current Folder>\dela.bat.
The following registry entry is created to run winmgr.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
252
<System>\winmgr.exe
Registry entries are created under:
HKLM\SOFTWARE\Microsoft\IPv6\
HKLM\SOFTWARE\WinMgr\
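The registry indicators above can be checked offline against a text export of the HKLM\SOFTWARE hive. The following Python sketch is an added example, not Sophos code: it parses the string values of a `.reg` export and reports the Run-policy value and the two marker keys. The function names and the sample export are constructed for illustration, and `.reg` files spell HKLM as HKEY_LOCAL_MACHINE.

```python
import re

# Indicators from the description above; registry paths compare case-insensitively.
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run"
MARKER_KEYS = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IPv6",
               r"HKEY_LOCAL_MACHINE\SOFTWARE\WinMgr")
DROPPED_NAME = "winmgr.exe"
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def unescape(s):
    # .reg string data escapes backslash and double quote with a backslash
    return re.sub(r'\\(.)', r'\1', s)

def parse_reg(text):
    """Return {key_path: {value_name: string_data}} for string (REG_SZ) values."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].rstrip("\\"), {})
        elif current is not None and (m := VALUE_RE.match(line)):
            current[unescape(m.group(1))] = unescape(m.group(2))
    return keys

def find_legmir_at(text):
    """List (kind, key_or_value_name, data) tuples for indicators present in the export."""
    findings = []
    for key, values in parse_reg(text).items():
        k = key.lower()
        if k == RUN_KEY.lower():
            for name, data in values.items():
                # Match on file name only: <System> differs between Windows versions.
                if data.lower().rsplit("\\", 1)[-1] == DROPPED_NAME:
                    findings.append(("run-value", name, data))
        if any(k == m.lower() or k.startswith(m.lower() + "\\") for m in MARKER_KEYS):
            findings.append(("marker-key", key, ""))
    return findings

# Constructed sample export (not taken from a real host); the "Updater" entry is a benign control.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
"252"="C:\\WINDOWS\\system32\\winmgr.exe"
"Updater"="C:\\Program Files\\Vendor\\update.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\WinMgr]
'''

if __name__ == "__main__":
    print(find_legmir_at(SAMPLE))
```

`find_legmir_at` takes decoded text; a file written by `reg export` is UTF-16 and must be read with that encoding first.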
Troj/LegMir-AT includes functionality to:
- steal confidential information
- silently download, install and run new software
- disable other applications
Troj/LegMir-AT attempts to disable the following processes:
winmgr.exe
kregex.exe
trojdie.kxp
assistse.exe
ravmon.exe
ravtimer.exe
rfw.exe
kavpfw.exe
kpfwsvc.exe
kavstart.exe
kwatch.exe
kavplus.exe
mailmon.exe
kpopmon.exe
kwatchui.exe
kavsvc.exe
kvapfw.exe
kvfw.exe
kvmonxp.kxp
kvsrvxp.exe
kvxp.kxp
kvcenter.kxp
defwatch.exe
rtvscan.exe
ccapp.exe
ccsetmgr.exe
vptray.exe
passwordguard.exe
eghost.exe
iparmor.exe
pfw.exe
teregpct.exe
dfvsnet.exe
netbargp.exe
nmain.exe
navw32.exe
kavsvcui.exe
kav32.exe
