Summary

| How it spreads | |
|---|---|
| Affected operating systems | Windows |
| Characteristics | |
| Included in our products from | June 2005 (3.94) |
| Protection available since | 22 April 2005 13:02:31 (GMT) |
| Detected by | All Sophos products |
Action

Please read the instructions for removing W32/LegMir-AD.
More Information
W32/LegMir-AD is a network worm with password stealing functionality.
W32/LegMir-AD copies itself to:

- \folder.exe
- %WINDOWS%\~aTNr.exe
- %WINDOWS%\cih.exe
- %WINDOWS%\hh.exe
- %WINDOWS%\intrenat.exe
- %WINDOWS%\notepad.exe
- %WINDOWS%\winhlp32.exe
- %SYSTEM%\cih.exe
- %SYSTEM%\lc_res.exe
- %SYSTEM%\Winsocks.dll
The files notepad.exe and hh.exe are first copied to the files Note.dll and hh.dll respectively before they are overwritten with a copy of the worm.
W32/LegMir-AD tries to copy itself to all logical drives connected to the computer as folder.exe.
W32/LegMir-AD creates the following registry entries to ensure it is run at system logon:

- HKLM\Software\Microsoft\Windows\CurrentVersion\Run, value name Intrenat, data %WINDOWS%\intrenat.exe
- HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices, value name Intrenat, data %WINDOWS%\intrenat.exe
W32/LegMir-AD creates the file AUTORUN.INF in the root folder; this file can be deleted.
W32/LegMir-AD steals password information and emails it to a preconfigured email address.
The worm may also create a keylogger DLL that is detected by Sophos as Troj/Legmir-E.
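As an added example (not code from the Sophos page), a small Python check that applies the file and registry indicators above to a host inventory. It assumes the inventory is supplied as a dict of Run-key values and a list of file paths, and it assumes the Note.dll and hh.dll backups sit in %WINDOWS%, a location the page does not state.

```python
import re
from typing import Dict, Iterable, List

# Indicators taken from the page. %WINDOWS% and %SYSTEM% are the page's
# placeholders for the Windows and System32 folders.
RUN_KEYS = (
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices",
)
PERSISTENCE_NAME, PERSISTENCE_DATA = "Intrenat", r"%WINDOWS%\intrenat.exe"
# Files that do not belong on a clean system: presence alone is a hit.
FOREIGN_FILES = (
    r"%WINDOWS%\~aTNr.exe", r"%WINDOWS%\cih.exe", r"%WINDOWS%\intrenat.exe",
    r"%SYSTEM%\cih.exe", r"%SYSTEM%\lc_res.exe", r"%SYSTEM%\Winsocks.dll",
)
# notepad.exe, hh.exe and winhlp32.exe are legitimate names the worm overwrites,
# so their presence proves nothing; the backups Note.dll and hh.dll it makes
# first do. Their folder is not stated on the page; %WINDOWS% is an assumption.
BACKUP_COPIES = (r"%WINDOWS%\Note.dll", r"%WINDOWS%\hh.dll")
# folder.exe and AUTORUN.INF dropped in the root of any drive letter.
ROOT_DROP = re.compile(r"[a-z]:\\(folder\.exe|autorun\.inf)$")

def expand(path: str, env: Dict[str, str]) -> str:
    """Resolve the placeholders to real folders; compare case-insensitively."""
    for var, real in env.items():
        path = path.replace(f"%{var}%", real)
    return path.lower()

def check_registry(reg: Dict[str, Dict[str, str]], env: Dict[str, str]) -> List[str]:
    """reg maps key path -> {value name: data}. Flags the worm's Run/RunServices value
    when either the odd value name or the intrenat.exe data matches."""
    hits = []
    target = expand(PERSISTENCE_DATA, env)
    for key in RUN_KEYS:
        for name, data in reg.get(key, {}).items():
            if name.lower() == PERSISTENCE_NAME.lower() or expand(data, env) == target:
                hits.append(f"{key}\\{name}")
    return hits

def check_files(present: Iterable[str], env: Dict[str, str]) -> List[str]:
    """Flag foreign drops, backup copies, and folder.exe/AUTORUN.INF in a drive root."""
    wanted = {expand(p, env): p for p in FOREIGN_FILES + BACKUP_COPIES}
    hits = []
    for p in present:
        low = p.lower()
        if low in wanted:
            hits.append(wanted[low])          # report in the page's placeholder form
        elif ROOT_DROP.fullmatch(low):
            hits.append(p)
    return sorted(hits)

# Constructed sample host state (not real telemetry) for a self-check.
ENV = {"WINDOWS": r"C:\WINDOWS", "SYSTEM": r"C:\WINDOWS\system32"}
SAMPLE_REG = {RUN_KEYS[0]: {"Intrenat": r"C:\WINDOWS\intrenat.exe",
                            "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe"}, RUN_KEYS[1]: {}}
SAMPLE_FILES = [r"C:\WINDOWS\notepad.exe", r"C:\WINDOWS\intrenat.exe", r"C:\WINDOWS\Note.dll",
                r"D:\folder.exe", r"D:\AUTORUN.INF", r"C:\WINDOWS\system32\kernel32.dll"]

if __name__ == "__main__":
    print(check_registry(SAMPLE_REG, ENV), check_files(SAMPLE_FILES, ENV))
```

Presence of notepad.exe in the sample is deliberately not reported: only the Note.dll backup the worm leaves behind distinguishes an overwritten copy from the real one.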
