Initial samples received on: Jan 15, 2007
Memory resident: Yes
File size: 14,336 Bytes
This spyware usually arrives as a file dropped by other malware or as a file downloaded unknowingly by a user when visiting malicious Web sites.
Upon execution, it drops a copy of itself as MPPDS.EXE in the Windows folder. It also drops a component DLL into the Windows system folder, using the file name of its initially executed copy with the extension changed to .DLL. This DLL is also detected as TSPY_LEGMIR.AQZ and is injected into several running processes, so the spyware's code runs inside otherwise legitimate processes rather than only in MPPDS.EXE.
It then creates the following registry entry to ensure its automatic execution at every system startup:
mppds = "%Windows%\mppds.exe"
(Note: %Windows% is the Windows folder, which is usually C:\Windows or C:\WINNT.)
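The host indicators described above (the dropped copy in the Windows folder, the autorun value, and the component DLL named after the launched copy) can be checked mechanically. The following triage script is an added example and is not part of the original write-up. It runs against a constructed snapshot so it works offline; on a Windows host it gathers the same data live. The page does not say which registry hive holds the Run value, so the live collector checks both HKCU and HKLM (an assumption), and the reported sample size is treated only as a weak indicator because repacked variants differ.

```python
import ntpath
import os
import sys
from dataclasses import dataclass

# Indicators from the write-up. DROPPER_SIZE is the reported sample size and is
# only a weak signal (repacked variants will differ in size).
DROPPER_NAME = "mppds.exe"
RUN_VALUE_NAME = "mppds"
DROPPER_SIZE = 14336


@dataclass
class HostSnapshot:
    """View of a host: file sizes keyed by lowercased full path, plus the
    name->data pairs found under the Run key(s). Hive is unspecified on the page."""
    windows_dir: str
    system_dir: str
    files: dict
    run_values: dict
    launched_exe: str = ""  # path of the initially executed copy, if known


def legmir_indicators(snap: HostSnapshot) -> list:
    """Return human-readable hits for each TSPY_LEGMIR.AQZ indicator present."""
    hits = []
    # 1. Dropped copy: %Windows%\mppds.exe
    win_copy = ntpath.join(snap.windows_dir, DROPPER_NAME).lower()
    if win_copy in snap.files:
        size = snap.files[win_copy]
        note = "" if size == DROPPER_SIZE else f" (size {size}, sample was {DROPPER_SIZE})"
        hits.append(f"dropped copy present: {win_copy}{note}")
    # 2. Autorun value: mppds = "%Windows%\mppds.exe" (case-insensitive match)
    for name, data in snap.run_values.items():
        if name.lower() == RUN_VALUE_NAME and DROPPER_NAME in str(data).lower():
            hits.append(f"autorun value {name} = {data}")
    # 3. Component DLL: same base name as the launched copy, in the system folder
    if snap.launched_exe:
        stem = ntpath.splitext(ntpath.basename(snap.launched_exe))[0]
        dll = ntpath.join(snap.system_dir, stem + ".dll").lower()
        if dll in snap.files:
            hits.append(f"component DLL present: {dll}")
    return hits


def snapshot_live() -> HostSnapshot:
    """Collect the same data from a live Windows host (assumes win32).
    Both HKCU and HKLM Run keys are read because the page names no hive."""
    import winreg  # only importable on Windows
    windows_dir = os.environ.get("SystemRoot", r"C:\Windows")
    system_dir = ntpath.join(windows_dir, "System32")
    files = {}
    for d in (windows_dir, system_dir):
        for name in os.listdir(d):
            p = ntpath.join(d, name)
            if os.path.isfile(p):
                files[p.lower()] = os.path.getsize(p)
    run_values = {}
    sub = r"Software\Microsoft\Windows\CurrentVersion\Run"
    for hive in (winreg.HKEY_CURRENT_USER, winreg.HKEY_LOCAL_MACHINE):
        try:
            with winreg.OpenKey(hive, sub) as key:
                i = 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(key, i)
                    except OSError:
                        break
                    run_values[name] = data
                    i += 1
        except OSError:
            pass
    return HostSnapshot(windows_dir, system_dir, files, run_values)


# Constructed sample: an infected host whose dropper was launched as setup_patch.exe.
SAMPLE = HostSnapshot(
    windows_dir=r"C:\WINDOWS",
    system_dir=r"C:\WINDOWS\system32",
    files={
        r"c:\windows\mppds.exe": 14336,
        r"c:\windows\system32\setup_patch.dll": 14336,
        r"c:\windows\notepad.exe": 69120,
    },
    run_values={
        "mppds": r"C:\WINDOWS\mppds.exe",
        "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
    },
    launched_exe=r"C:\Temp\setup_patch.exe",
)

if __name__ == "__main__":
    snap = snapshot_live() if sys.platform == "win32" else SAMPLE
    for hit in legmir_indicators(snap):
        print(hit)
```

The DLL check needs the path the sample was first launched from (from a proxy log, an e-mail attachment name, or the parent-process record); without it, look for any recently created DLL in the system folder whose base name matches an executable found in temporary or download folders.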
This spyware steals information, typically account names and passwords, related to certain online games.
It saves the gathered information in a file, which it sends to a remote malicious user by email using its own Simple Mail Transfer Protocol (SMTP) engine. This lets it send email without using a mail application such as Microsoft Outlook; on the network, the theft appears as a direct outbound SMTP connection from whichever process the spyware is running in.
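Because the spyware carries its own SMTP engine and its DLL is injected into other processes, the exfiltration shows up as outbound SMTP from processes that are not mail clients, possibly including a browser or explorer.exe. The detector below is an added example, not part of the original write-up. It parses a constructed, hypothetical connection log (key=value lines modelled loosely on process-aware network telemetry), flags SMTP connections from non-mail-client images, and then groups the flagged connections by destination, since several different processes talking to the same mail server is the signature of an injected component. Port 25 is what the page describes; 465 and 587 are included as an assumption.

```python
import ntpath
import re

# Port 25 comes from the page; 465/587 are added as an assumption about variants.
MAIL_PORTS = {25, 465, 587}
# Allowlist by mail-client image name only. "Signed by Microsoft" would not do,
# because the injected DLL can send from iexplore.exe or explorer.exe.
MAIL_CLIENTS = {"outlook.exe", "msimn.exe", "thunderbird.exe"}  # msimn.exe = Outlook Express

# Hypothetical log format constructed for this example.
EVENT_RE = re.compile(
    r"ts=(?P<ts>\S+) image=(?P<image>.+?) dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=(?P<proto>\S+)"
)

SAMPLE_LOG = r"""
ts=2007-01-15T10:21:55 image=C:\WINDOWS\system32\svchost.exe dst=192.0.2.10 dport=443 proto=tcp
ts=2007-01-15T10:22:01 image=C:\WINDOWS\mppds.exe dst=203.0.113.25 dport=25 proto=tcp
ts=2007-01-15T10:22:03 image=C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE dst=198.51.100.7 dport=25 proto=tcp
ts=2007-01-15T10:23:40 image=C:\Program Files\Internet Explorer\iexplore.exe dst=203.0.113.25 dport=25 proto=tcp
ts=2007-01-15T10:24:12 image=C:\WINDOWS\explorer.exe dst=203.0.113.25 dport=587 proto=tcp
"""


def parse_events(text: str) -> list:
    """Parse the constructed log into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["dport"] = int(ev["dport"])
            events.append(ev)
    return events


def direct_smtp_senders(events: list) -> list:
    """Return (image, dst, dport) for every outbound SMTP connection made by a
    process that is not a known mail client."""
    flagged = []
    for ev in events:
        if ev["proto"] != "tcp" or ev["dport"] not in MAIL_PORTS:
            continue
        exe = ntpath.basename(ev["image"]).lower()
        if exe in MAIL_CLIENTS:
            continue
        flagged.append((ev["image"], ev["dst"], ev["dport"]))
    return flagged


def shared_smtp_destinations(flagged: list) -> dict:
    """Group flagged senders by destination; a server contacted by more than one
    distinct process is the strongest sign of an injected component."""
    by_dst = {}
    for image, dst, _ in flagged:
        by_dst.setdefault(dst, set()).add(ntpath.basename(image).lower())
    return {dst: sorted(imgs) for dst, imgs in by_dst.items() if len(imgs) > 1}


if __name__ == "__main__":
    hits = direct_smtp_senders(parse_events(SAMPLE_LOG))
    for image, dst, dport in hits:
        print(f"direct SMTP: {image} -> {dst}:{dport}")
    for dst, images in shared_smtp_destinations(hits).items():
        print(f"shared destination {dst}: {', '.join(images)}")
```

Blocking outbound TCP/25 at the perimeter for anything other than the organisation's own mail relay, and alerting on attempts, closes this channel regardless of which process the DLL was injected into.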
It runs on Windows 98, ME, NT, 2000, XP, and Server 2003.