Summary

| Affected operating systems | Windows |
|---|---|
| Characteristics | |
| Included in our products from | May 2005 (3.93) |
| Protection available since | 4 April 2005 05:12:35 (GMT) |
| Detected by | All Sophos products |
Action

Please follow the instructions for removing Trojans.
Windows NT/2000/XP/2003
In Windows NT/2000/XP/2003 you will also need to edit the following registry entries. The removal of these entries is optional in Windows 95/98/Me. Please read the warning about editing the registry.
At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.
Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.
Locate the HKEY_LOCAL_MACHINE entry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
and remove any reference to any file you deleted.
Each user has a registry area named HKEY_USERS\[code number indicating user]\. For each user locate the entry:
HKU\[code number]\Software\Microsoft\Windows\CurrentVersion\Run\
and remove any reference to any file you deleted.
Close the registry editor.
More Information
Troj/Liewar-B is a Windows Trojan which pretends to detect spyware.
The Trojan may attempt to copy the following files in the Windows folder:
csrss.dll
winlogon.dll
smssa.dll
uvchost.dll
taskmgr.dll
msras.exe
ras.dll
to any of the following filenames in the Windows folder:
iau.exe
msiau.dll
stisvsq.exe
svshost.exe
msqdevl.exe
lssas.exe
mservice.exe
Troj/Liewar-B then runs these files if they are not already running.
The Trojan displays two fake message boxes in turn with the following characteristics:
Title: Microsoft Network Information
Message: <randomly chosen string in the following list>?
Cars insurance
Weight loss
Card game
Online casino
Acyclovir
Online poker
Viagra
Play roulette
What is vicodin
Baccarat
Cheap phentermine
Play blackjack
Fioricet online
Valium
Cash advance
Lortab
Tramadol
Baccarat rule
Roulette
Poker
Mortgage loan
Loan
Ultram
Gambling
What is phentermine
Diazepam
Gambling poker
Online education
Diet pills
Texas holdem
Discount pharmacy
Online slot game
Home finance
Ambien
Betting
Refinance mortgage
Credit card debt
Mortgage
Blackjack game
Pharmacy
Keno
Blackjack rule
Celebrex
Adipex
Home loan
Information on pain killer
Internet baccarat
Online pharmacy
Alprazolam
Casino game
Cash advance loan
Mortgage rate
Web site promotion
Online roulette
Consolidate debt
Tylenol 3
Casino
Blackjack
Pain killer
Xanax
Phentermine prescription
Fioricet
Online blackjack
Debt
Buy phentermine online
Domain registration
Online gambling
Bad credit loan
Vioxx
Online baccarat
Phentermine
Online slot
Debt consolidation
Sports gambling
Personal loan
Slot
Web hosting
Refinance mortgage rate
Phentermine online
Hydrocodone
Title: Microsoft Windows Alert
Message: Spyware Detected on your PC. Remove it now?
Whichever button is clicked, the Trojan opens a website that advertises spyware removal products.
The Trojan sets the following registry entries in order to run itself or other malware on user logon:

| Registry key | Value name | Value data |
|---|---|---|
| HKLM\Software\Microsoft\Windows\CurrentVersion\Run | Microsoft Internet Acceleration Utility | iau.exe |
| HKLM\Software\Microsoft\Windows\CurrentVersion\Run | Internet Connection Wizard | stisvsq.exe |
| HKLM\Software\Microsoft\Windows\CurrentVersion\Run | Games Acceleration | svshost.exe |
| HKLM\Software\Microsoft\Windows\CurrentVersion\Run | Internet Mail and News | msqdevl.exe |
| HKLM\Software\Microsoft\Windows\CurrentVersion\Run | Microsoft Management Console | lssas.exe |
| HKLM\Software\Microsoft\Windows\CurrentVersion\Run | Multimedia extensions | mservice.exe |
| HKCU\Software\Microsoft\Windows\CurrentVersion\Run | Microsoft Internet Acceleration Utility | iau.exe |
| HKCU\Software\Microsoft\Windows\CurrentVersion\Run | Internet Connection Wizard | stisvsq.exe |
| HKCU\Software\Microsoft\Windows\CurrentVersion\Run | Games Acceleration | svshost.exe |
| HKCU\Software\Microsoft\Windows\CurrentVersion\Run | Internet Mail and News | msqdevl.exe |
| HKCU\Software\Microsoft\Windows\CurrentVersion\Run | Microsoft Management Console | lssas.exe |
| HKCU\Software\Microsoft\Windows\CurrentVersion\Run | Multimedia extensions | mservice.exe |

The Trojan may create a non-malicious file DIALER.DAT in the Windows folder, which can be safely removed.
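
A read-only check for the Run entries listed above, as an added example that is not Sophos's own tooling. It assumes PowerShell is available on the machine being examined; the variable names are illustrative, and the script only reports matches in HKLM and in each loaded user hive under HKEY_USERS, deleting nothing.

```powershell
# Added example: read-only audit of the Run keys for the entries this page lists.
# Value names and file names are copied from the write-up; nothing is modified.
$fileNames  = 'iau.exe', 'stisvsq.exe', 'svshost.exe', 'msqdevl.exe', 'lssas.exe', 'mservice.exe'
$valueNames = 'Microsoft Internet Acceleration Utility', 'Internet Connection Wizard',
              'Games Acceleration', 'Internet Mail and News',
              'Microsoft Management Console', 'Multimedia extensions'
$runSubKey  = 'Software\Microsoft\Windows\CurrentVersion\Run'

# Match the file name as a whole path component, so "C:\WINDOWS\iau.exe" and
# "iau.exe" both hit while a longer name that merely contains one does not.
$escaped = $fileNames | ForEach-Object { [regex]::Escape($_) }
$pattern = '(^|[\\"\s])(' + ($escaped -join '|') + ')(["\s]|$)'

# HKLM plus every loaded user hive under HKEY_USERS (this includes the
# current user's HKCU, which is a view of one of those hives).
$keys  = @("Registry::HKEY_LOCAL_MACHINE\$runSubKey")
$keys += @(Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
    ForEach-Object { "Registry::$($_.Name)\$runSubKey" })

$findings = foreach ($key in $keys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $item = Get-Item -LiteralPath $key
    foreach ($name in $item.GetValueNames()) {
        $data    = [string]$item.GetValue($name)
        $nameHit = $valueNames -contains $name   # case-insensitive comparison
        $dataHit = $data -match $pattern         # -match is case-insensitive
        if (-not ($nameHit -or $dataHit)) { continue }
        $matched = if ($nameHit -and $dataHit) { 'name+data' }
                   elseif ($dataHit)           { 'data' }
                   else                        { 'name' }
        [pscustomobject]@{
            Key       = $key -replace '^Registry::', ''
            ValueName = $name
            Data      = $data
            Matched   = $matched
        }
    }
}

if ($findings) { $findings | Format-List }
else           { 'No matching Run entries found.' }
```

Profiles that are not loaded (logged-off users) do not appear under HKEY_USERS and are not covered by this check.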
