 

PWS:Win32/Lmir.BMQ


PWS:Win32/Lmir.BMQ is a generic detection for a family of malware that steals user data related to online games. This may include program registration keys, passwords, keystrokes and other user information.


What to do now

Manual removal is not recommended for this threat. To detect and remove this threat and other malicious software that may have been installed, run a full-system scan with an up-to-date antivirus product such as the Microsoft Safety Scanner (http://go.microsoft.com/fwlink/?LinkId=212742). For more information, see http://www.microsoft.com/protect/computer/viruses/vista.mspx.

Threat behavior

Installation
When executed, PWS:Win32/Lmir.BMQ creates a randomly-named copy of itself in the Windows system folder. For example:
  • <system folder>\[random 8 character].exe, for example: "simyaapi.exe"
 
It also drops randomly-named SYS and DLL files in the Windows system folder. For example:
  • <system folder>\[random 8 character].sys, for example: "spmybapi.sys"
  • <system folder>\[random].dll, for example: "s2da2f323.dll" - this file is also detected as PWS:Win32/Lmir.BMQ
 
Note - <system folder> refers to a variable location that the malware determines by querying the operating system. The default location of the System folder is C:\Winnt\System32 on Windows 2000 and NT, and C:\Windows\System32 on Windows XP and Vista.
It then executes its dropped copy, and drops a batch file that deletes its originally-running copy.
 
It then registers its dropped DLL as a Browser Helper Object (BHO) by modifying the system registry. For example:
 
Adds value: "(default)"
With data: "<system folder>\s2da2f323.dll"
To subkey: HKLM\SOFTWARE\Classes\CLSID\{A629FF4F-ACDB-5C90-A098-FACB3456A26A}\InprocServer32
 
Adds value: "(default)"
With data: "s2da2f323.dll"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A629FF4F-ACDB-5C90-A098-FACB3456A26A}
 
It makes sure that its dropped DLL file is loaded every time "explorer.exe" runs by registering it as a shell execute hook in the system registry. For example:
 
Adds value: "{A629FF4F-ACDB-5C90-A098-FACB3456A26A}"
With data: "s2da2f323.dll"
To subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\ShellExecuteHooks
Payload
Steals Sensitive Data
PWS:Win32/Lmir.BMQ gathers the following information from the system:
 
  • Online game account information
  • User keystrokes
  • Mouse activities
 
All gathered information is then sent back to a remote server.
 
Analysis by Wei Li

Symptoms

System Changes
The following system changes may indicate the presence of PWS:Win32/Lmir.BMQ:
  • The presence of the following files:
    simyaapi.exe
    spmybapi.sys
    s2da2f323.dll
  • The presence of the following registry subkey:
    HKLM\SOFTWARE\Classes\CLSID\{A629FF4F-ACDB-5C90-A098-FACB3456A26A}
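The following script is an added example, not part of the Microsoft write-up, that checks a host for the file and registry indicators listed above (the CLSID, BHO and ShellExecuteHooks registrations, and the three sample file names). Because the dropped file names are random and only the sample names are known, it also goes beyond the specific case by listing every ShellExecuteHooks entry with the DLL its CLSID resolves to, so an analyst can review unfamiliar hooks; the output format and variable names are the author's own choices.

```powershell
# Added example: look for PWS:Win32/Lmir.BMQ indicators. Run in an elevated PowerShell.
$Clsid     = '{A629FF4F-ACDB-5C90-A098-FACB3456A26A}'
$SystemDir = [Environment]::SystemDirectory        # resolves <system folder>
$HooksKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks'

# Registry subkeys the write-up names (BHO + COM registration).
$RegistryIndicators = @(
    "HKLM:\SOFTWARE\Classes\CLSID\$Clsid",
    "HKLM:\SOFTWARE\Classes\CLSID\$Clsid\InprocServer32",
    "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$Clsid"
)
# Sample file names from the write-up; real names are random 8-character strings.
$FileIndicators = 'simyaapi.exe', 'spmybapi.sys', 's2da2f323.dll' |
    ForEach-Object { Join-Path $SystemDir $_ }

$Findings = @()
foreach ($key in $RegistryIndicators) {
    if (Test-Path -LiteralPath $key) { $Findings += "Registry subkey present: $key" }
}
foreach ($file in $FileIndicators) {
    if (Test-Path -LiteralPath $file) { $Findings += "File present: $file" }
}

# ShellExecuteHooks stores the CLSID as a value name, not a subkey, so read the values.
$Hooks = Get-ItemProperty -LiteralPath $HooksKey -ErrorAction SilentlyContinue
if ($Hooks -and ($Hooks.PSObject.Properties.Name -contains $Clsid)) {
    $Findings += "ShellExecuteHooks value present: $Clsid"
}

if ($Findings.Count -eq 0) { Write-Output 'No PWS:Win32/Lmir.BMQ indicators found.' }
else { $Findings | ForEach-Object { Write-Warning $_ } }

# Review aid: every registered shell execute hook and the DLL behind it.
if ($Hooks) {
    Write-Output "`nRegistered ShellExecuteHooks (review any DLL you do not recognise):"
    foreach ($name in $Hooks.PSObject.Properties.Name) {
        if ($name -notmatch '^\{[0-9A-Fa-f-]+\}$') { continue }   # skip PS* metadata properties
        $server = Get-ItemProperty -LiteralPath "HKLM:\SOFTWARE\Classes\CLSID\$name\InprocServer32" `
                      -ErrorAction SilentlyContinue
        $dll = if ($server) { $server.'(default)' } else { '<no InprocServer32 registered>' }
        $exists = if ($server -and (Test-Path -LiteralPath $dll)) { 'exists' } else { 'not found on disk' }
        Write-Output ("  {0}  ->  {1}  ({2})" -f $name, $dll, $exists)
    }
}
```

A hook whose DLL sits in the system folder under a short random name, or whose InprocServer32 path no longer exists, is worth comparing against the definitions of an up-to-date scanner rather than removing by hand, as the write-up advises.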

Prevention


Alert level: Severe
First detected by definition: 1.45.287.0
Latest detected by definition: 1.179.2187.0 and higher
First detected on: Oct 07, 2008
This entry was first published on: Jun 26, 2008
This entry was updated on: Apr 17, 2011

This threat is also detected as:
  • Infostealer.Gampass (Symantec)
  • Trojan.PWS.OnlineGames.YZJ (BitDefender)
  • Mal/EncPk-BW (Sophos)
  • Trojan-GameThief.Win32.OnLineGames.aset (Kaspersky)
  • Win32/Storark!generic (CA)