MSIL/Livate
First posted on 23 September 2014.
Source: Microsoft
Aliases:
There are no other names known for MSIL/Livate.
Explanation:
Threat behavior
Installation
MSIL/Livate can create any of the following files on your PC:
- %APPDATA%\MCommon\sites.dat
- %APPDATA%\MCommon\vinfo.dat
- %APPDATA%\Mozilla\Firefox\Extensions\MozillaHotfix\chrome\content\update.js
- %APPDATA%\WinLive\WinLive.dll
It checks if this is the first time it has run on your PC. If not, it copies itself as:
- %TEMP%\mpc.exe
- %TEMP%\WindowsLiveUpdate.exe
It modifies the following registry entry so that it runs each time you start your PC:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
Sets value: "WindowsLiveUpdate"
With data: "WindowsLiveUpdate.exe"
MSIL/Livate can also try to remove the following files:
- %APPDATA%\WinLive\tcookies.dat
- %APPDATA%\Mozilla\Firefox\Extensions\MozillaHotfix\tcookies.dat
- %APPDATA%\MCommon\uinfo.dat
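The created files, self-copies and RunOnce value listed above can be checked on a host with a short script. This is an added example, not part of the original write-up or any Microsoft tool; the function name `Get-LivateArtifact` and the output fields are hypothetical.

```powershell
# Added example: checks the current user's profile for the MSIL/Livate
# installation artifacts listed on this page. Get-LivateArtifact is a
# hypothetical helper name, not part of any Microsoft tool.
function Get-LivateArtifact {
    param(
        [string]$AppData = $env:APPDATA,
        [string]$Temp    = $env:TEMP
    )

    # Files the page says the threat can create, relative to %APPDATA%
    $appDataFiles = @(
        'MCommon\sites.dat',
        'MCommon\vinfo.dat',
        'Mozilla\Firefox\Extensions\MozillaHotfix\chrome\content\update.js',
        'WinLive\WinLive.dll'
    )
    # Self-copies, relative to %TEMP%
    $tempFiles = @('mpc.exe', 'WindowsLiveUpdate.exe')

    $candidates  = @($appDataFiles | ForEach-Object { Join-Path $AppData $_ })
    $candidates += @($tempFiles    | ForEach-Object { Join-Path $Temp $_ })

    foreach ($path in $candidates) {
        if (Test-Path -LiteralPath $path -PathType Leaf) {
            $item = Get-Item -LiteralPath $path -Force
            [pscustomobject]@{
                Type     = 'File'
                Location = $path
                Detail   = "Created (UTC): $($item.CreationTimeUtc.ToString('u'))"
            }
        }
    }

    # Persistence value. Windows normally deletes a RunOnce value when it
    # runs it, so a missing value does not rule out an earlier infection.
    $runOnce = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    $value = Get-ItemProperty -Path $runOnce -Name 'WindowsLiveUpdate' -ErrorAction SilentlyContinue
    if ($value) {
        [pscustomobject]@{
            Type     = 'Registry'
            Location = "$runOnce\WindowsLiveUpdate"
            Detail   = "Data: $($value.WindowsLiveUpdate)"
        }
    }
}

Get-LivateArtifact | Format-Table -AutoSize -Wrap
```

%APPDATA%, %TEMP% and HKCU are per-user locations, so run the check in the session of each account being examined.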
Payload
Displays advertisements
This threat installs files that inject additional advertisements into your web browser.
Analysis by Steven Zhou
Symptoms
The following could indicate that you have this threat on your PC:
- You have these files:
  - %APPDATA%\MCommon\sites.dat
  - %APPDATA%\MCommon\vinfo.dat
  - %APPDATA%\Mozilla\Firefox\Extensions\MozillaHotfix\chrome\content\update.js
  - %APPDATA%\WinLive\WinLive.dll

Last update 23 September 2014