Aliases: Trojan-PSW.Win32.Lmir.hc, Trojan.PSW.Lmir.hc, W32/Legemer.worm.gen
Variants: Trojan.PWS.Legmir, TROJ_MIROOT.A, Win32:Trojan-gen, PSW.Legendmir.S 

Classification: Malware
Category: Computer Worm

Status: Inactive
Spreading: Moderate
Geographical info: Asia, North America, Europe
Removal: Hard
Platform: W32
Discovered: 03 Jan 2004
Damage: Low

Characteristics: W32.Miroot.Worm is a network worm that spreads through network shares and through the QQ instant messenger application. It also tries to steal login details for the Legend of Mir 2 online game. Attackers steal usernames and passwords for this game because its game credits are hard to accumulate and can be sold for real money.

More details about W32.Miroot.Worm

Once the worm executes on the compromised machine, it copies itself as 2 EXE files with the read-only, hidden and system attributes set, and creates a .tmp file if the system is running Windows 2000. It may also cause Windows to show an error message pertaining to Windows File Protection. W32.Miroot.Worm also queries a certain registry entry to locate shared network folders and copies itself into every folder it finds. The filenames of these copies will be in hexadecimal and will consist of Chinese characters. The worm then adds values to the registry so that it executes at Windows startup and is restarted each time an EXE file is run. It also inserts a URL into outgoing instant messages in the QQ application. If the link is opened in a susceptible browser, the malware is downloaded onto the machine and executed.

When the worm has obtained the necessary information for the Legend of Mir game, it saves it in a .SYS file. It then attempts to connect to an SMTP (Simple Mail Transfer Protocol) server and send the stolen details by email.

Removing this worm’s infection requires restarting the system in Safe or VGA mode. Turn off the computer and then unplug it. Wait for around 30 seconds, then reboot the system. Kill the W32.Miroot.Worm process in the Windows Task Manager, then search for all the files that may have been dropped by the worm and delete them. Next, create a copy of regedit.exe named regedit.com and use it to restore the modifications made to the registry.
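
The description above does not name the registry values the worm changes. As an added example (not part of the original write-up), the following Python sketch audits a text export of the registry for the two behaviours described: a startup entry and a hook that fires whenever an EXE file is run. It assumes the hook lives in the standard `exefile\shell\open\command` association, whose Windows default is `"%1" %*`, and that startup uses a `Run` key; the sample export and the name `dropped.exe` are constructed placeholders.

```python
import re

# Windows default handler for .exe files: launch the clicked program itself.
DEFAULT_EXE_HANDLER = '"%1" %*'
# Assumed locations (the page does not name them); compared case-insensitively.
EXE_ASSOC_KEY = r"hkey_classes_root\exefile\shell\open\command"
RUN_KEY_SUFFIX = r"\software\microsoft\windows\currentversion\run"

# Constructed sample in .reg export format; "dropped.exe" is a placeholder.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINDOWS\\dropped.exe \"%1\" %*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"dropped"="C:\\WINDOWS\\dropped.exe"
'''

# One string value per line: @="data" or "name"="data", with \\ and \" escapes.
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"$')

def unescape(s):
    """Undo .reg string escaping (\\\\ -> \\, \\" -> ")."""
    return re.sub(r"\\(.)", r"\1", s)

def parse_reg(text):
    """Yield (key, value_name, data) for each string value in a .reg export."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_RE.match(line)
        if key and m:
            name = "(Default)" if m.group(1) == "@" else unescape(m.group(1)[1:-1])
            yield key, name, unescape(m.group(2))

def audit(text, known_good_run=()):
    """Return findings for a hijacked .exe handler and unreviewed Run entries."""
    findings = []
    for key, name, data in parse_reg(text):
        k = key.lower()
        if k == EXE_ASSOC_KEY and name == "(Default)" and data != DEFAULT_EXE_HANDLER:
            findings.append(("exe-association-hijack", key, data))
        elif k.endswith(RUN_KEY_SUFFIX) and name not in known_good_run:
            findings.append(("unreviewed-run-entry", key, f"{name} -> {data}"))
    return findings
```

A hijacked `.exe` handler is also why the removal steps use a `regedit.com` copy: while the association is altered, starting `regedit.exe` would route through the worm, whereas `.com` files use a separate handler.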