Win32/Liech [Threat Name]

Win32/Liech.G [Threat Variant Name]

Category: trojan
Size: 40448 B
Detection created: Aug 24, 2017
Detection database version: 15969
Aliases:
  • Porn-Dialer.Win32.Generic (Kaspersky)
  • Dialer.Generic (Symantec)
  • Dialer.Liquid (Dr.Web)

Short description

Win32/Liech.G is a trojan which uses the computer's modem to dial premium rate numbers.

Installation

When executed, the trojan moves the following files (source, destination):

  • %windir%\Dialer\pdialer.exe, %windir%\Dialer\~pdialer.exe

The trojan may create the following files in the %windir%\Dialer\ folder:

  • pdialer.exe (22016 B, Win32/Liech.G)
  • Plain842.dll (6656 B)
  • Num120.num (310 B)

The files are then executed.


The trojan creates the following files:

  • %windir%\Dial32.ini
  • %windir%\ddialer.ini
  • %desktop%\TeenSex.lnk
  • %userprofile%\Start Menu\TeenSex.lnk
  • %userprofile%\Start Menu\Programs\TeenSex.lnk

In order to be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • "TeenSex" = "%windir%\Dialer\pdialer.exe !m ln=[%removed%] sl=sx000105} dn=TeenSex} sn=TeenSex} tu=http://63[%removed%]/m/} ru=} pl=842} nu=120}"

The trojan may set the following Registry entries:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\TeenSex]
    • "DisplayName" = "TeenSex"
    • "UninstallString" = "%windir%\Dialer\pdialer.exe !u"
  • [HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\TrustedPublisher\Certificates\9A1EB319715A300AF5E107427368DFBC6358164C]
    • "Blob" = %hexvalue%
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Trust Database\0]
    • "ppcimdnnnjbeahepfabjipfginloedkg ohfgaj" = "Central 24 communications, Inc."

Other information

The trojan terminates all running processes that contain any of the following modules:

  • Dialer
  • dc.exe
  • 0190Alarm.exe
  • 0190Killer.exe
  • Warn0190.exe
  • SmartSurfer.exe
  • iexplore.exe
  • netscape.exe
  • opera.exe

The trojan opens the following URLs in Internet Explorer:

  • http://63.[%removed%]/m/
