Threat Information for "Modification of BackDoor.Generic.1373"

Removal Top

StopSign will automatically remove this infection with a paid membership.

Summary Top
  • Name: Modification of BackDoor.Generic.1373
  • Aliases:TR/PSW.Lmir.avr.3, W32/PWStealer.gen1, PSW.Legendmir.CFZ, Generic.PWSLmir.AAD3FD2B, Trojan.Lmir.avr, SPY/Lmir
  • Date Discovered: 2006-08-31
  • Protection Added: 2006-09-01
Description Top 
-- Ease of Removal

1: File names randomly generated from a hard-coded list
2: Uses redundant/watcher processes
3: Hides registry entries
4: Consistent file contents
5: Creates new registry entries with consistent data

-- Privacy Risks/Security Changes

1: Opens backdoors
2: Mimics legitimate file names

-- Damage/Intrusion/Annoyance

1: Modifies critical registry entries
2: Creates new files
3: Significantly slows down the computer

-- Propagation/Saturation

1: Infects with other exploitation method
2: Bundled with third-party applications
Technical Details Top
  • Added Directory/File:
    FilePath: r:\command.com MD5: 85ef3a752d280d08952382f30a8642da
  • Added Directory/File:
    FilePath: i:\command.com MD5: 85ef3a752d280d08952382f30a8642da
  • Added Directory/File:
    FilePath: y:\command.com MD5: 85ef3a752d280d08952382f30a8642da
  • Added Directory/File:
    FilePath: p:\command.com MD5: 85ef3a752d280d08952382f30a8642da
  • Added Directory/File:
    FilePath: g:\command.com MD5: 85ef3a752d280d08952382f30a8642da
  • Added Directory/File:
    FilePath: w:\command.com MD5: 85ef3a752d280d08952382f30a8642da
  • Added Directory/File:
    FilePath: n:\command.com MD5: 85ef3a752d280d08952382f30a8642da
  • Added Directory/File:
    FilePath: %PROGRAMFILESDIR%\*.* MD5: 85ef3a752d280d08952382f30a8642da
  • Added Directory/File:
    FilePath: e:\command.com MD5: 85ef3a752d280d08952382f30a8642da
  • Added Directory/File:
    FilePath: u:\command.com MD5: 85ef3a752d280d08952382f30a8642da
  • Added Directory/File:
    FilePath: l:\command.com MD5: 85ef3a752d280d08952382f30a8642da
  • Added Directory/File:
    FilePath: %WINDIR%\shell.sys
  • Added Directory/File:
    FilePath: c:\*.* MD5: 85ef3a752d280d08952382f30a8642da
  • Added Directory/File:
    FilePath: s:\command.com MD5: 85ef3a752d280d08952382f30a8642da
  • Added Directory/File:
    FilePath: j:\command.com MD5: 85ef3a752d280d08952382f30a8642da
  • Added Directory/File:
    FilePath: z:\command.com MD5: 85ef3a752d280d08952382f30a8642da
  • Added Directory/File:
    FilePath: q:\command.com MD5: 85ef3a752d280d08952382f30a8642da
  • Added Directory/File:
    FilePath: h:\command.com MD5: 85ef3a752d280d08952382f30a8642da
  • Added Directory/File:
    FilePath: x:\command.com MD5: 85ef3a752d280d08952382f30a8642da
  • Added Directory/File:
    FilePath: o:\command.com MD5: 85ef3a752d280d08952382f30a8642da
  • Added Directory/File:
    FilePath: f:\command.com MD5: 85ef3a752d280d08952382f30a8642da
  • Added Directory/File:
    FilePath: v:\command.com MD5: 85ef3a752d280d08952382f30a8642da
  • Added Directory/File:
    FilePath: m:\command.com MD5: 85ef3a752d280d08952382f30a8642da
  • Added Directory/File:
    FilePath: %WINDIR%\*.* MD5: 85ef3a752d280d08952382f30a8642da
  • Added Directory/File:
    FilePath: d:\command.com MD5: 85ef3a752d280d08952382f30a8642da
  • Added Directory/File:
    FilePath: t:\command.com MD5: 85ef3a752d280d08952382f30a8642da
  • Added Directory/File:
    FilePath: k:\command.com MD5: 85ef3a752d280d08952382f30a8642da
  • Added Directory/File:
    FilePath: d:\autorun.inf MD5: 739dd3eedc10f9283496206517f8757c
  • Added Registry Key:
    Key: HKCR\WindowFiles\DefaultIcon
  • Added Registry Key:
    Key: HKLM\SOFTWARE\Clients\StartMenuInternet\inexplore.pif
  • Added Registry Key:
    Key: HKU\S-*\Software\VB and VBA Program Settings
  • Added Registry Key:
    Key: HKCR\WindowFiles\Shell\Open
  • Added Registry Key:
    Key: HKLM\SOFTWARE\Clients\StartMenuInternet\inexplore.pif\shell\open
  • Added Registry Key:
    Key: HKU\S-*\Software\VB and VBA Program Settings\Microsoft Soft Debuger\Settings
  • Added Registry Key:
    Key: HKLM\SOFTWARE\Classes\WindowFiles
  • Added Registry Key:
    Key: HKCU\Software\VB and VBA Program Settings\Microsoft Soft Debuger
  • Added Registry Key:
    Key: HKCR\Drive\shell\find\command
  • Added Registry Key:
    Key: HKLM\SOFTWARE\Classes\WindowFiles\Shell
  • Added Registry Key:
    Key: HKCR\WindowFiles
  • Added Registry Key:
    Key: HKCR\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command
  • Added Registry Key:
    Key: HKLM\SOFTWARE\Classes\WindowFiles\Shell\Open\Command
  • Added Registry Key:
    Key: HKCR\WindowFiles\Shell
  • Added Registry Key:
    Key: HKLM\SOFTWARE\Clients\StartMenuInternet\inexplore.pif\shell
  • Added Registry Key:
    Key: HKU\S-*\Software\VB and VBA Program Settings\Microsoft Soft Debuger
  • Added Registry Key:
    Key: HKCR\WindowFiles\Shell\Open\Command
  • Added Registry Key:
    Key: HKLM\SOFTWARE\Clients\StartMenuInternet\inexplore.pif\shell\open\command
  • Added Registry Key:
    Key: HKCU\Software\VB and VBA Program Settings
  • Added Registry Key:
    Key: HKLM\SOFTWARE\Classes\Drive\shell\find\command
  • Added Registry Key:
    Key: HKLM\SOFTWARE\Classes\WindowFiles\DefaultIcon
  • Added Registry Key:
    Key: HKCU\Software\VB and VBA Program Settings\Microsoft Soft Debuger\Settings
  • Added Registry Key:
    Key: HKLM\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command
  • Added Registry Key:
    Key: HKLM\SOFTWARE\Classes\WindowFiles\Shell\Open
  • Added Registry Value:
    Key: HKLM\%CURRENTVERSIONREG%\Run Value: TProgram
  • Added Registry Value:
    Key: HKCU\Software\VB and VBA Program Settings\Microsoft Soft Debuger\Settings Value: GUID
  • Added Registry Value:
    Key: HKLM\SOFTWARE\Clients\StartMenuInternet\inexplore.pif Value: LocalizedString
  • Added Registry Value:
    Key: HKCU\Software\Microsoft\Internet Explorer\Main Value: Check_Associations
  • Added Registry Value:
    Key: HKU\S-*\Software\VB and VBA Program Settings\Microsoft Soft Debuger\Settings Value: GUID
  • Added Registry Value:
    Key: HKU\S-*\Software\Microsoft\Internet Explorer\Main Value: Check_Associations