Virus Encyclopedia


Trojan.PWS.Lmir.UMH

Alert Level: low
Discovered: 2008 Aug 07
Tag:
Discoverer and Source: http://www.bitdefender.com/

Malware Behavior and Technical Description

Infection is indicated by the presence of the files and registry keys described below.

When launched, the trojan drops a DLL file in the %windir%\system32 folder, with a name derived from an existing DLL in the same folder (e.g. rasmanqn3.dll, mdimapzx.dll); a file with the same name but a different extension is also dropped (rasmanqn3.nls, mdimapzx.dat).
In order to monitor keystrokes and the mouse, the dropped DLL is injected into the memory space of all running processes.
The following registry keys are added in order to load the dropped DLL at every system reboot:
[HKCR\CLSID\{%clsid%}\InProcServer32]
(Default) = %Path_To_Dropped_DLL%
[HKLM\SOFTWARE\Classes\CLSID\{%clsid%}\InProcServer32]
(Default) = %Path_To_Dropped_DLL%
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
%Dropped_DLL_Name% = %clsid%
The original executable is then deleted using a batch file created in the %TEMP% directory.



Trojan.PWS.Lmir.UMH removal instructions:

Please let BitDefender disinfect your files.
Manual: If the DLL can be located in %windir%\System32, search the system registry for its name (without extension), delete the entries whose name or data contains this string, and also remove the files from System32.
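
An added example, not part of the BitDefender description: a read-only PowerShell audit that lists each ShellServiceObjectDelayLoad value, resolves its CLSID to the InProcServer32 DLL, and flags DLLs in System32 that have a same-named .nls or .dat companion or lack a valid signature. The function name Get-SsodlEntry and the review criteria are assumptions made for illustration.

```powershell
# Added example: read-only audit of the ShellServiceObjectDelayLoad (SSODL)
# load point. Get-SsodlEntry and the Review criteria are illustrative assumptions.
$ssodl   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'
$clsRoot = 'HKLM:\SOFTWARE\Classes\CLSID'
$sys32   = Join-Path $env:windir 'System32'
$companionExts = '.nls', '.dat'   # companion extensions named in the description

function Get-SsodlEntry {
    $key = Get-Item -LiteralPath $ssodl -ErrorAction SilentlyContinue
    if (-not $key) { return }     # key absent: nothing is registered
    foreach ($name in $key.GetValueNames()) {
        $clsid  = [string]$key.GetValue($name)
        $server = $null
        $inproc = Get-Item -LiteralPath "$clsRoot\$clsid\InProcServer32" -ErrorAction SilentlyContinue
        if ($inproc) {
            # '' selects the (Default) value, which holds the DLL path
            $server = [Environment]::ExpandEnvironmentVariables([string]$inproc.GetValue(''))
        }
        $exists     = [bool]($server -and (Test-Path -LiteralPath $server -PathType Leaf))
        $inSys32    = $false
        $companions = @()
        $signature  = 'n/a'
        if ($exists) {
            $dir        = Split-Path -Parent $server
            $base       = [IO.Path]::GetFileNameWithoutExtension($server)
            $inSys32    = ($dir -eq $sys32)     # string -eq is case-insensitive
            $companions = @($companionExts | ForEach-Object { Join-Path $dir ($base + $_) } |
                            Where-Object { Test-Path -LiteralPath $_ -PathType Leaf })
            $signature  = [string](Get-AuthenticodeSignature -FilePath $server).Status
        }
        [pscustomobject]@{
            ValueName  = $name
            Clsid      = $clsid
            Server     = $server
            InSystem32 = $inSys32
            Signature  = $signature
            Companions = $companions -join '; '
            # Flag the pattern from the description, or any server DLL without a valid signature
            Review     = ($inSys32 -and $companions.Count -gt 0) -or
                         ($exists -and $signature -ne 'Valid')
        }
    }
}

Get-SsodlEntry | Sort-Object Review -Descending | Format-Table -AutoSize -Wrap
```

Run it from a 64-bit PowerShell session on 64-bit Windows, since a 32-bit host sees the WOW64-redirected System32 and registry views; a Review flag is a prompt for inspection, not a verdict.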
