Win32/Liech [Threat Name]

Win32/Liech.E [Threat Variant Name]

Category: trojan
Size: 144440 B
Detection created: Aug 01, 2005
Detection database version: 6416
Aliases: Trojan.Win32.Liech.c (Kaspersky), PWS:Win32/Warner.A (Microsoft), QDial13.trojan (McAfee)
Short description

Win32/Liech.E is a trojan which uses the computer's modem to dial premium rate numbers.

Installation

When executed, the trojan copies itself into the following location:

  • %temp%\%variable1%.tmp

The trojan creates the following files:

  • %temp%\~%variable2%l1a04iur23.exe (7080 B, Win32/Liech.C)

The file is then executed.

After the installation is complete, the trojan deletes the original executable file.


The following Registry entry is set:

  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion]
    • "(Default)" = "%variable3%"

A string with variable content is used in place of %variable1-3%.

Payload information

Win32/Liech.E is a trojan which uses the computer's modem to dial premium rate numbers.

Other information

The trojan may delete the following Registry entries:

  • [HKEY_CLASSES_ROOT\Acab.Dialer]
  • [HKEY_CLASSES_ROOT\Acab.Dialer.1]
  • [HKEY_CLASSES_ROOT\CLSID\{DCF96DA0-ED33-40FF-B83E-AB7011C2BA7E}]
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Code Store Database\Distribution Units]
  • [HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{DCF96DA0-ED33-40FF-B83E-AB7011C2BA7Es}]
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Code Store Database\Distribution Units\{DCF96DA0-ED33-40FF-B83E-AB7011C2BA7E}]
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ModuleUsage]
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Code Store Database\Distribution Units\{19f4a690-10ee-0f32-cc537255006cdf431}]
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Code Store Database\Distribution Units\{00000012-890E-4AAC-AFD9-000000000000}]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ACab.Dialer]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ACab.Dialer.1]
  • [HKEY_CURRENT_USER\Software\Microsoft\Protected Storage System Provider\%user_sid%\Data\e161255a-37c3-11d2-bcaa-00c04fd929db]
  • [HKEY_CURRENT_USER\Software\Microsoft\Protected Storage System Provider\%user_name%\Data\e161255a-37c3-11d2-bcaa-00c04fd929db]
  • [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms]
  • [HKEY_CURRENT_USER\Software\Microsoft\RAS Autodial\Adresses]
  • [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs]

The trojan may delete the following files:

  • %temp%\*.*
  • %windir%\History\*.*
  • %internetcache%\*.*
  • %history%\*.*
  • %windir%\setupapi.log

The trojan can delete cookies.

The following programs are terminated:

  • hh.exe
  • dc.exe
  • 0190Alarm.exe
  • 0190Killer.exe
  • Warn0190.exe
  • SmartSurfer.exe
  • iexplore.exe
  • netscape.exe
  • opera.exe

(1) URLs are opened in Internet Explorer.

The trojan removes itself from the computer.
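As an added example (not part of this encyclopedia entry), the following Python script runs the behavioural indicators listed above over a few constructed event lines and flags a process that drops the Liech.C component, sets the CurrentVersion "(Default)" value and kills the dialer-protection tools. The pipe-delimited event format, the indicator weights and the alert threshold are assumptions made for this example.

```python
import re
from collections import defaultdict
# Indicators taken from the Win32/Liech.E description above.
DROPPED_FILE_RE = re.compile(r"\\temp\\~[^\\]*l1a04iur23\.exe$")
PERSIST_VALUE = r"hklm\software\microsoft\windows\currentversion\(default)"
DIALER_GUARDS = {"0190alarm.exe", "0190killer.exe", "warn0190.exe",
                 "smartsurfer.exe", "hh.exe", "dc.exe"}
BROWSERS = {"iexplore.exe", "netscape.exe", "opera.exe"}
# Weights and the alert threshold are assumptions made for this example.
WEIGHTS = {"drop": 3, "persist": 2, "guard_kill": 3, "browser_kill": 1}

# Constructed sample events, "<type>|<source process>|<target>" per line.
SAMPLE_EVENTS = [
    r"FileCreate|a3f1.tmp|C:\Windows\Temp\~a9l1a04iur23.exe",
    r"RegSetValue|a3f1.tmp|HKLM\Software\Microsoft\Windows\CurrentVersion\(Default)",
    r"ProcessTerminate|a3f1.tmp|C:\Tools\0190Alarm.exe",
    r"ProcessTerminate|a3f1.tmp|C:\Program Files\Internet Explorer\iexplore.exe",
    r"ProcessTerminate|explorer.exe|C:\Program Files\Opera\opera.exe",
    r"FileCreate|setup.exe|C:\Windows\Temp\setup_log.txt",
]

def analyze(lines):
    """Map each source process to the Liech-style indicators it triggered."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in lines:
        parts = [p.strip() for p in line.split("|", 2)]
        if len(parts) != 3:
            continue                         # malformed line, skip it
        kind, proc, target = parts[0], parts[1].lower(), parts[2].lower()
        if kind == "FileCreate" and DROPPED_FILE_RE.search(target):
            hits[proc]["drop"] += 1          # dropped Win32/Liech.C component
        elif kind == "RegSetValue" and target == PERSIST_VALUE:
            hits[proc]["persist"] += 1       # (Default) value under CurrentVersion
        elif kind == "ProcessTerminate":
            victim = target.rsplit("\\", 1)[-1]
            if victim in DIALER_GUARDS:
                hits[proc]["guard_kill"] += 1  # dialer-protection tool killed
            elif victim in BROWSERS:
                hits[proc]["browser_kill"] += 1
    return {proc: dict(ind) for proc, ind in hits.items()}

def score(indicators):
    """Each distinct indicator counts once, however many times it fired."""
    return sum(WEIGHTS[k] for k in indicators)

def alerts(lines, threshold=5):
    """Processes whose combined indicator score reaches the threshold."""
    return sorted((p, score(i)) for p, i in analyze(lines).items()
                  if score(i) >= threshold)
```

A single browser kill (explorer.exe closing opera.exe in the sample) stays below the threshold; only the process combining the drop, the registry write and the tool termination is reported.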
