Sophos

Troj/Liewar-C

Aliases
  • Trojan.Win32.Liewar.j

Summary

Affected operating systems: Windows
Characteristics
  • Installs itself in the registry
Protection available since: 20 May 2005 20:30:22 (GMT)
Detected by: All Sophos products

Action

Please follow the instructions for removing Trojans.

You should also check your Internet Explorer settings using Tools|Internet options|General for any modifications made by the Trojan.

Windows NT/2000/XP/2003

In Windows NT/2000/XP/2003 you will also need to edit the following registry entries. The removal of these entries is optional in Windows 95/98/Me. Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

Locate the HKEY_LOCAL_MACHINE entry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\

and remove any reference to any file you deleted.

Each user has a registry area named HKEY_USERS\[code number indicating user]\. For each user locate the entry:

HKU\[code number]\Software\Microsoft\Windows\CurrentVersion\Run\

and remove any reference to any file you deleted.

Close the registry editor.

More Information

Troj/Liewar-C is a Trojan which displays misleading message boxes and attempts to connect to the internet.

The Trojan may attempt to copy the following files in the Windows folder:

csrss.dll
iau.exe
smssa.dll
taskmgr.dll
uvchost.dll
winlogon.dll

to any of the following filenames in the Windows folder:

lssas.exe
mservice.exe
msiau.dll
msqdevl.exe
stisvsq.exe
svshost.exe

Troj/Liewar-C then runs these files if they are not already running.

The Trojan displays fake message boxes in turn with the following characteristics:

Title: Microsoft Network Information
Message: <randomly chosen string in the following list>?

adipex
adult
adult chat
adult dating
adult dating online
adult dating services
adult dating site
adult dvd
adult movies
adult personals
adult toys
adultfriendfinder
adware
adware spyware
air purifiers
air travel
airline tickets
airlines
alprazolam
amateur
amateur sex
ambien
anal
anal sex
anti spyware
antivirus
antivirus software
asian dating
asian schoolgirls
auto insurance
baccarat
bank of america
bbw
bdsm
betting
big tits
black jack
black porn
blackjack
blowjob
blowjobs
bondage
books
breast enlargement
britney spears
business
buy carisoprodol
buy cialis
buy hydrocodone
buy phentermine
buy viagra
car
car insurance
car rental
carisoprodol
cars
cartoons
cash advance
casino
celebs
cell phones
chat
cheap cigarettes
cheap phentermine
cialis
cigarettes
codeine
computer
computers
consolidate debt
contact
credit
credit card
credit cards
credit report
credit reports
cruise deal
cumshot
dating
dating senior
dating services
dating site
debt consolidation
diazepam
didrex
diet
diet pills
directv
dvd
ebay
ebony
electronics
employment
escorts
fat sex
fetish
fioricet
firewall
flowers
forex trading
free
free poker
free porn
free sex
free spyware
gambling
games
gay anal sex
generic viagra
group sex
hairy
hairy pussy
hardcore
hardcore sex
health
health insurance
hgh
holdem poker
home based business
home business
home equity loan
home loan
home mortgages
homes
hotel
hotels
hydrocodone
incorporate
insurance
internet
internet casino
internet dating
internet poker
internet security
interracial dating
ionamin
latina
latina sex
lesbian
lesbian sex
lesbians
levitra
life insurance
live chat
live sex
loan
lortab
mature
mature porn
mature sex
merchant accounts
meridia
milf
money
mortgage
movies
mp3
music
network security
new cars
old sex
online casino
online casinos
online dating
online gambling
online loan
online pharmacy
online poker
online shopping
online slot
oral sex
order viagra
pacific poker
paris hilton
party poker
penis enlargement
penis enlargement pill
penis pills
personal
personal photos
personals
pharmacy
phentermine
phentermine online
pissing
poker
pop up blocker
popup blocker
porn
porn movie
porn video
porno
pornstars
propecia
pussy
real estate
refinance
remove spyware
ritalin
roulette
sex
sex chat
sex dating
sex personals
sex toys
sex video
sexual enhancement
sexual health
show
single
single girls
software
soma
sport betting
spy camera
spybot
spyware
spyware and adware
spyware detection
spyware remove
swingers
swingers ads
swingers clubs
teen
teen porn
teen sex
teens
testosterone
texas holdem
tits
tramadol
travel
ultram
used cars
valium
van
viagra
viagra online
vicodin
video
videos
vioxx
virus
virus scan
voyeur
web hosting
web site
weight loss
work at home
xanax
xenical
xxx
xxx dvd
xxx movie
xxx movies
xxx video
zoloft
zyrtec

No matter which button is clicked on, the Trojan uses Microsoft Internet Explorer to open a search results page at http://webforuser.com.

Troj/Liewar-C also tries to use Internet Explorer to open a page at http://search.googl.com.

The Trojan sets the following registry entries in order to run the following files on system startup:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Microsoft Internet Acceleration Utility
iau.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Internet Connection Wizard
stisvsq.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Games Acceleration
svshost.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Internet Mail and News
msqdevl.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Microsoft Management Console
lssas.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Multimedia extensions
mservice.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Microsoft Internet Acceleration Utility
iau.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Internet Connection Wizard
stisvsq.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Games Acceleration
svshost.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Internet Mail and News
msqdevl.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Microsoft Management Console
lssas.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Multimedia extensions
mservice.exe

Troj/Liewar-C also sets the following registry entries in order to remove the user's start page settings:

HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\
Start Page
about:blank

HKCU\Software\Microsoft\Internet Explorer\Main\
Start Page
about:blank
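To support the registry clean-up described under "Windows NT/2000/XP/2003" and the Run and Start Page entries listed above, here is an added read-only audit script; it is not a Sophos tool and the function and variable names are my own. It walks the Run key in HKLM and in every loaded HKEY_USERS hive (which covers HKCU), reports any value whose name or data matches the names and filenames in this advisory, and flags an IE Start Page set to about:blank. It reports only and deletes nothing, since about:blank can also be a legitimate user choice.

```powershell
# Added example, not part of the Sophos advisory. Read-only: reports, never removes.
# Value names and filenames below are the ones listed on this page.
$ValueNames = @('Microsoft Internet Acceleration Utility', 'Internet Connection Wizard',
                'Games Acceleration', 'Internet Mail and News',
                'Microsoft Management Console', 'Multimedia extensions')
# Note the look-alikes of legitimate names: svshost.exe vs svchost.exe, lssas.exe vs lsass.exe.
$FileNames  = @('iau.exe', 'stisvsq.exe', 'svshost.exe', 'msqdevl.exe', 'lssas.exe', 'mservice.exe')
$PsMeta     = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

function Get-LiewarRunEntries {
    # HKLM plus every loaded user hive; HKCU is one of the HKEY_USERS subkeys.
    $hives = @('Registry::HKEY_LOCAL_MACHINE') +
             @(Get-ChildItem 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
                 Where-Object { $_.PSChildName -notlike '*_Classes' } |
                 ForEach-Object { $_.PSPath })
    foreach ($hive in $hives) {
        $runKey = "$hive\Software\Microsoft\Windows\CurrentVersion\Run"
        $props  = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            if ($PsMeta -contains $p.Name) { continue }   # skip PowerShell's own metadata members
            $byName = $ValueNames -contains $p.Name        # case-insensitive
            $byFile = @($FileNames | Where-Object { "$($p.Value)" -match [regex]::Escape($_) })
            if ($byName -or $byFile.Count -gt 0) {
                [pscustomobject]@{
                    Key       = $runKey
                    ValueName = $p.Name
                    Data      = $p.Value
                    Reason    = if ($byName) { 'value name from advisory' }
                                else { 'data references ' + ($byFile -join ', ') }
                }
            }
        }
    }
}

function Get-LiewarStartPage {
    # The Trojan blanks both Start Page values; report them for a human to judge.
    foreach ($k in 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Main',
                   'HKCU:\Software\Microsoft\Internet Explorer\Main') {
        $sp = (Get-ItemProperty -Path $k -Name 'Start Page' -ErrorAction SilentlyContinue).'Start Page'
        if ($sp -eq 'about:blank') {
            [pscustomobject]@{ Key = $k; ValueName = 'Start Page'; Data = $sp; Reason = 'start page blanked' }
        }
    }
}

Get-LiewarRunEntries | Format-Table -AutoSize
Get-LiewarStartPage  | Format-Table -AutoSize
```

Review each reported Run value against the file you actually deleted before removing it, as the advisory's own instructions say.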

Troj/Liewar-C attempts to download a file from http://w12.biz, save it as MSRAS.EXE in the Windows folder and run it. At the time of writing this file was unavailable for download.

The Trojan may create the non-malicious files DIALER.DAT and IE.DAT in the Windows folder.
