PWS:Win32/Lmir is a family of password-stealing trojans that send account information from popular online games, such as Legend of Mir, to a remote server.
PWS:Win32/Lmir variants may install themselves using different paths and file names, for example:
When executed, PWS:Win32/Lmir drops and loads a DLL, which may have a random file name, for example:
It also creates different registry entries so that it executes at every Windows start, for example:
Adds value: "AppInit_DLLs"
With data: "<Malware path and file name>"
To subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
Adds value: "(default)"
With data: "%<Malware path and file name>"
To subkey: HKLM\SOFTWARE\Classes\CLSID\<CLSID>\InprocServer32
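A read-only PowerShell audit of the two persistence locations listed above, added here as an example and not part of the original analysis. It assumes an elevated prompt, treats %SystemRoot% and the Program Files trees as trusted roots (a triage heuristic, not a verdict), and also checks the Wow6432Node mirror of the AppInit_DLLs key on 64-bit hosts.

```powershell
# Added example (not a Microsoft tool): audit AppInit_DLLs and CLSID InprocServer32
# persistence. Read-only; run from an elevated PowerShell prompt.
$findings = @()

# 1. AppInit_DLLs: on most hosts any non-empty value deserves a look.
$appInitKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
)
foreach ($key in $appInitKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    $dlls  = [string]$props.AppInit_DLLs
    if (-not $dlls.Trim()) { continue }
    # The value may list several DLLs separated by spaces or commas.
    foreach ($dll in ($dlls -split '[ ,]+' | Where-Object { $_ })) {
        $findings += [pscustomobject]@{
            Location = "$key\AppInit_DLLs"
            Path     = $dll
            Exists   = Test-Path $dll
            # Vista and later only load the list when LoadAppInit_DLLs is 1;
            # XP loads it unconditionally, so $null here does not mean "safe".
            Gated    = $props.LoadAppInit_DLLs
        }
    }
}

# 2. CLSID InprocServer32 defaults: flag DLLs living outside the trusted roots.
$trustedRoots = @($env:SystemRoot, ${env:ProgramFiles}, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\').ToLower() }
Get-ChildItem -Path 'HKLM:\SOFTWARE\Classes\CLSID' -ErrorAction SilentlyContinue |
  ForEach-Object {
    $sub = "Registry::$($_.Name)\InprocServer32"
    if (-not (Test-Path $sub)) { return }
    $default = (Get-ItemProperty -Path $sub).'(default)'
    if (-not $default) { return }
    # Expand %SystemRoot%-style references and drop surrounding quotes.
    $path = [Environment]::ExpandEnvironmentVariables(($default -replace '"', '')).ToLower()
    # Bare file names resolve through the DLL search path; skipped here to cut noise.
    if ($path -notmatch '\\') { return }
    if ($trustedRoots | Where-Object { $path.StartsWith($_) }) { return }
    $findings += [pscustomobject]@{
        Location = "CLSID\$($_.PSChildName)\InprocServer32"
        Path     = $default
        Exists   = Test-Path $path
        Gated    = $null
    }
  }

$findings | Format-Table -AutoSize
```

Entries whose Path points to a missing file or to a user-writable directory are the ones to pull for further inspection; the CLSID sweep takes a minute on hosts with many registered components.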
Some variants also create a batch file to automatically delete their currently running copy after performing their malware routine.
Steals Online Game Data
PWS:Win32/Lmir can obtain account information, such as usernames and passwords, for Massively Multiplayer Online Games such as Legend of Mir.
The captured details are sent to a remote server.
Downloads Arbitrary Files
Some variants of PWS:Win32/Lmir may connect to various websites to download files. These files may be other malware or updated versions of itself.
Lowers Security Settings
Some variants may also stop the firewall and terminate security-related processes or windows.
Analysis by Elda Dimakiling