
Trojan-Downloader:W32/Lipler.gen


First posted on 14 September 2009.
Source: SecurityHome

Aliases :

There are no other names known for Trojan-Downloader:W32/Lipler.gen.

Explanation :

This type of trojan secretly downloads malicious files from a remote server, then installs and executes them.

Additional Details

Trojan-Downloader:W32/Lipler.gen is the generic detection of an unsigned installer program that comes bundled with programs such as Live-Player and Speed-Downloading. Bundling the installer this way is sometimes used to keep the user from noticing that an unwanted program is being installed.

Upon installation, the installer downloads a file from this server:

  • http://download.favorit-network.com

and drops the files mainly into the following folders:

  • %Program Files%
  • SYSTEM_DIR

It also changes the web browser's start page. The installer is localized for several major languages.

Activity

The following is an example of the installer's activities, based on one of the samples submitted.

The trojan-downloader downloads files from:

  • http://download.favorit-network.com/binaries/download.php

The installer then installs the files on the system, using the following name format:

  • %systemdir%\[randomfile]

For example (this sample was the Italian build, so the Start Menu shortcut names are Italian):

  • C:\Documents and Settings\Administrator\Local Settings\Application Data\tahmk.exe (random name)
  • C:\Program Files\Live-Player
  • C:\Program Files\Live-Player\data
  • C:\Program Files\Live-Player\data\flv.swf
  • C:\Program Files\Live-Player\data\liveplayer.s3db
  • C:\Program Files\Live-Player\data\translation_file_live-player.xml
  • C:\Program Files\Live-Player\img
  • C:\Program Files\Live-Player\img\nologo.png
  • C:\Program Files\Live-Player\live-player.exe
  • C:\Program Files\Live-Player\SkinCrafterDll.dll
  • C:\Program Files\Live-Player\skins
  • C:\Program Files\Live-Player\skins\live-player.skf
  • C:\Program Files\Live-Player\sqlite3.dll
  • C:\Program Files\Live-Player\uninst.exe
  • C:\Documents and Settings\All Users\Desktop\Live-Player.lnk
  • C:\Documents and Settings\All Users\Start Menu\Programs\Live-Player
  • C:\Documents and Settings\All Users\Start Menu\Programs\Live-Player\Condizioni generali.url
  • C:\Documents and Settings\All Users\Start Menu\Programs\Live-Player\Disinstalla.lnk
  • C:\Documents and Settings\All Users\Start Menu\Programs\Live-Player\Live-Player.lnk
  • C:\Documents and Settings\All Users\Start Menu\Programs\Live-Player\Riservatezza.url
  • C:\Documents and Settings\All Users\Start Menu\Programs\Live-Player\Website.url
The installer then makes the following registry changes:

  • HKEY_CURRENT_USER\Software\Live-Player
    dl_ams : "3"
    dl_lg : "it"
    grpid : "1538"
    installdt : "20090820"
    dl_browser : "IE"
    dl_hp_url : "http://www.schnellsucher.com/?t=Q0908201538&s=h"
    dl_se_name : "Schnell Sucher"
    dl_se_url : "http://www.schnellsucher.com/?t=Q0908201538&s=b&keywords={searchTerms}"
    dl_se_icon : "http://www.schnellsucher.com/favicon.ico"
    _status : "ok"
    Language : "IT"
    @ : "C:\Program Files\Live-Player"
    DBVersion : "1001"
    ApplicationVersionInstall : "2001"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Live-Player (same values as under HKEY_CURRENT_USER, except that dl_lg holds the Windows locale ID 1040 for Italian instead of "it", sp_id is added and _status is absent)
    dl_ams : "3"
    dl_lg : "1040"
    grpid : "1538"
    installdt : "20090820"
    dl_browser : "IE"
    dl_hp_url : "http://www.schnellsucher.com/?t=Q0908201538&s=h"
    dl_se_name : "Schnell Sucher"
    dl_se_url : "http://www.schnellsucher.com/?t=Q0908201538&s=b&keywords={searchTerms}"
    dl_se_icon : "http://www.schnellsucher.com/favicon.ico"
    sp_id : "1"
    Language : "IT"
    @ : "C:\Program Files\Live-Player"
    DBVersion : "1001"
    ApplicationVersionInstall : "2001"
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes
    DefaultScope : "{0F36E18A-6296-4333-9D99-269AAFE3D111}_Schnell Sucher"
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{0F36E18A-6296-4333-9D99-269AAFE3D111}_Schnell Sucher
    URL : "http://www.schnellsucher.com/?t=Q0908201538&s=b&keywords={searchTerms}"
    DisplayName : "Schnell Sucher"
    FaviconPath : "C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Internet Explorer\Services\search_{0F36E18A-6296-4333-9D99-269AAFE3D111}_Schnell Sucher.ico"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Live-Player
    DisplayName : "Live-Player"
    UninstallString : "C:\Program Files\Live-Player\uninst.exe"
    UninstallString2 : ""C:\Program Files\Live-Player\uninst.exe" /S"
    DisplayIcon : "C:\Program Files\Live-Player\Live-Player.exe"
    DisplayVersion : "2.0"
    URLInfoAbout : "http://www.Live-player.com/"
    Publisher : "Favorit Network S.L."

The SearchScopes entries replace Internet Explorer's default search provider with schnellsucher.com, and dl_hp_url is the start page the installer sets. Together with the Publisher value of the Uninstall entry, these are the most useful indicators for detection and for verifying that a cleanup was complete.
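An offline check for the indicators listed above, written as an added example (it is not part of the original description and not Favorit Network's or Live-Player's code). It parses a Windows .reg export of the relevant keys, constructed inline here from the values above, and flags the Live-Player configuration keys, an Internet Explorer DefaultScope whose URL points at schnellsucher.com, and an Uninstall entry published by Favorit Network S.L. The export text, the clean control export and the function names are assumptions for the demo; the key names, value names and URLs are those from the list above. On a live system you would feed it the output of reg export for the same keys.

```python
import re

# Indicators taken from the registry list above (page values, not assumptions).
LIVE_PLAYER_KEYS = (
    r"HKEY_CURRENT_USER\Software\Live-Player",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Live-Player",
)
SEARCHSCOPES = r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes"
UNINSTALL = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
             r"\Uninstall\Live-Player")
HIJACK_HOST = "schnellsucher.com"
PUBLISHER = "Favorit Network S.L."


def parse_reg(text):
    """Parse the subset of .reg syntax 'reg export' uses for string values:
    [key] headers followed by "name"="value" or @="value" lines.
    Returns {key: {value_name: value}}; non-string data is kept raw."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = re.match(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$', line)
        if m and current is not None:
            name = "@" if m.group(1) == "@" else m.group(1)[1:-1]
            value = m.group(2).strip()
            if value.startswith('"') and value.endswith('"'):
                # .reg escapes backslashes and quotes inside string data
                value = value[1:-1].replace('\\\\', '\\').replace('\\"', '"')
            keys[current][name] = value
    return keys


def find_indicators(keys):
    """Return human-readable findings for this sample; empty list means clean."""
    findings = []
    for k in LIVE_PLAYER_KEYS:
        if k in keys:
            findings.append("Live-Player configuration key present: " + k)
    # IE search hijack: DefaultScope names a scope whose URL goes to the hijack host
    scope_name = keys.get(SEARCHSCOPES, {}).get("DefaultScope")
    if scope_name:
        url = keys.get(SEARCHSCOPES + "\\" + scope_name, {}).get("URL", "")
        if HIJACK_HOST in url.lower():
            findings.append("IE default search scope hijacked: " + url)
    uninst = keys.get(UNINSTALL, {})
    if uninst.get("Publisher") == PUBLISHER:
        findings.append("Uninstall entry '%s' published by %s"
                        % (uninst.get("DisplayName", "?"), PUBLISHER))
    return findings


def scan(reg_export_text):
    """Parse an export and return its findings."""
    return find_indicators(parse_reg(reg_export_text))


# Constructed .reg export reproducing a subset of the values listed above.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Live-Player]
"dl_lg"="it"
"grpid"="1538"
"dl_hp_url"="http://www.schnellsucher.com/?t=Q0908201538&s=h"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes]
"DefaultScope"="{0F36E18A-6296-4333-9D99-269AAFE3D111}_Schnell Sucher"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{0F36E18A-6296-4333-9D99-269AAFE3D111}_Schnell Sucher]
"URL"="http://www.schnellsucher.com/?t=Q0908201538&s=b&keywords={searchTerms}"
"DisplayName"="Schnell Sucher"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Live-Player]
"DisplayName"="Live-Player"
"UninstallString"="C:\\Program Files\\Live-Player\\uninst.exe"
"Publisher"="Favorit Network S.L."
'''

# Constructed control export: a default search scope that is not hijacked.
CLEAN_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes]
"DefaultScope"="{00000000-0000-0000-0000-000000000000}"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{00000000-0000-0000-0000-000000000000}]
"URL"="https://search.example/?q={searchTerms}"
'''

if __name__ == "__main__":
    for finding in scan(SAMPLE_REG_EXPORT):
        print("[!]", finding)
```

The check resolves DefaultScope to its scope subkey and inspects that scope's URL rather than matching the GUID, because the GUID is per-install while the redirect target is the part that identifies the hijack; the Publisher match on the Uninstall key is the cheapest confirmation that the bundled installer, not a manually installed player, was responsible.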

Last update 14 September 2009

 
