high
Summary
Summary
Action- More Information
| Affected operating systems | Windows |
|---|---|
| Characteristics |
|
| Protection available since | 5 January 2005 13:02:01 (GMT) |
| Last updated | 22 September 2005 07:53:18 (GMT) |
| Detected by | All Sophos products |
Free virus scan
- Free virus, spyware, and adware scan
- Test your existing anti-virus protection
- Find threats your anti-virus missed
Action
- Summary
- Action
- More Information
Please follow the instructions for removing Trojans.
Windows NT/2000/XP/2003
In Windows NT/2000/XP/2003 you will also need to edit the following registry entries. The removal of these entries is optional in Windows 95/98/Me. Please read the warning about editing the registry.
At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.
Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.
Locate the HKEY_LOCAL_MACHINE entry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
and remove any reference to any file you deleted.
Each user has a registry area named HKEY_USERS\[code number indicating user]\. For each user locate the entry:
HKU\[code number]\Software\Microsoft\Windows\CurrentVersion\Run\
and remove any reference to any file you deleted.
Close the registry editor.
More Information
Troj/Liewar-A is a Trojan which pretends to detect spyware.
The Trojan may run files with any of the following filenames in the Windows folder if they are not already running:
iau.exe
msiau.dll
stisvsq.exe
svshost.exe
msqdevl.exe
lsass.exe
mservice.exe
csrss.dll
winlogon.dll
smssa.dll
uvchost.exe
taskmgr.dll
msras.exe
ras.dll
The Trojan may copy itself or files found on the machine to the Windows folder with any of the above filenames.
Provided there is a file running called IAU.EXE (which the Trojan may start itself) after about two hours the Trojan displays a message box containing the following text:
"Microsoft Windows Alert
Spyware Detected on your PC. Remove it now?"
If the user selects YES, they are taken to a website which advertises spyware removal products.
The Trojan creates a file DIALER.DAT in the Windows folder which contains the system time the Trojan is first run.
The Trojan sets the following registry entries in order to run itself or other malware on system startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Microsoft Internet Acceleration Utility
iau.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Internet Connection Wizard
stisvsq.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Games Acceleration
svshost.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Internet Mail and News
msqdevl.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Microsoft Management Console
lssas.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Multimedia extensions
mservice.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Microsoft Internet Acceleration Utility
iau.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Internet Connection Wizard
stisvsq.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Games Acceleration
svshost.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Internet Mail and News
msqdevl.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Microsoft Management Console
lssas.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Multimedia extensions
mservice.exe
|
