PWS-LegMir.gen.g

Upon execution, the Trojan makes the following system changes:

Files Added

• Initial installer: PackageStudio7.exe (name may vary) (870 KB)
• %SystemDir%\supervise.exe (97 KB, MD5: BD67F844CF35E98AD13E27585E38DA58)
• PackageStudioe1L1.exe (787 KB)
  Note: It appears that this "PackageStudioe1L1.exe" file may be dropped in an attempt to throw the user off as to what the software actually does, while "supervise.exe" performs the actual malware functions.
• various downloaded files named "#.exe" in the root folder (e.g. C:\1.exe, C:\2.exe, etc.)

The following registry keys are created

• HKEY_USERS\S-[identifier varies]\Software\Microsoft\Windows\CurrentVersion\Run
  "Supervise.exe"="C:\WINDOWS\System32\Supervise.exe"
• HKEY_USERS\S-[identifier varies]\Software\Microsoft\Windows\CurrentVersion\Run
  "Death.exe"="C:\WINDOWS\System32\Death.exe"
  Note: Though no file named "Death.exe" is immediately created, it is probable that one of the files downloaded by the Trojan would be renamed as such and placed in the system folder for use with the associated Run key below.
• HKEY_USERS\S-[identifier varies]\Software\Microsoft\Windows\CurrentVersion\Internet Settings\zonemap\
  "proxybypass"="1"

The following keys appear to be associated with the PackageStudioe1L1.exe file, and may be further attempts at obfuscation, or the result of a poor implementation of an actual Wise installer.

• HKEY_USERS\S-[identifier varies]\Software\Wise Solutions
• HKEY_USERS\S-[identifier varies]\Software\Wise Solutions\product\
  "c:\docume~1\admini~1\locals~1\temp"="WisePackage Studio 7"
• HKEY_USERS\S-[identifier varies]\Software\Wise Solutions\product\Wise Package Studio 7
  "license"="C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\PackageStudioe1L1.exe"

The following registry keys are modified

• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
  "checkedvalue"="dword:00000000"

The software attempts to download additional files with an incremental numbered naming convention (1.exe, 2.exe, 3.exe, etc.) from newasp.com.cn

The following network connection(s) are created

• Supervise.exe server:127.0.0.1 port:1087
• Supervise.exe server:127.0.0.1 port:1085
• Supervise.exe server:172.16.199.200 port:80
• Supervise.exe server:newasp.com.cn (220.162.247.150) port:80

• Presence of the files mentioned
• Presence of the registry changes mentioned
• Background network communcation to 172.16.199.200 and/or 220.162.247.150

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, etc.

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

But in some particular cases, the following steps need to be taken.

Please go to the Microsoft Recovery Console and restore a clean MBR.

On Windows XP:

• Insert the Windows XP CD into the CD-ROM drive and restart the computer.
• When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
• Select the Windows installation that is compromised and provide the administrator password.
• Issue 'fixmbr' command to restore the Master Boot Record
• Follow onscreen instructions.
• Reset and remove the CD from CD-ROM drive.

On Windows Vista and 7:

• Insert the Windows CD into the CD-ROM drive and restart the computer.
• Click on "Repair Your Computer".
• When the System Recovery Options dialog comes up, choose the Command Prompt.
• Issue 'bootrec /fixmbr' command to restore the Master Boot Record.
• Follow onscreen instructions.
• Reset and remove the CD from CD-ROM drive.