| Component | Implementation | |-----------|----------------| | | HTTP direct + BitTorrent (modified libtorrent v0.16) | | DHT | Mainline DHT with custom bootstrap nodes (liceu.net:6881) | | Hashing | SHA-1 for piece verification | | Encryption | RC4 for metadata exchange (obsolete) | | UI Framework | Borland Delphi / C++ Builder | | Config storage | %APPDATA%\Liceunet\config.dat (plaintext INI) | | Port used | UDP 6881-6889, TCP 80/443 fallback |
| Detection | Occurrence | Behavior | |-----------|------------|----------| | PUP.Optional.WebDiscover | High | Changes browser homepage to search-webdiscover.com | | Adware.Eorezo | Medium | Injects ads into search engine results | | Trojan.Downloader.Gen | Low (but severe) | Downloads additional payloads (ransomware, miners) | | BrowserModifier:Win32/Conduit | Medium | Installs Conduit search toolbar | liceunet downloader
Report Date: April 17, 2026 Threat Level: Medium (depending on source and modifications) Status: Legacy software (original service shut down) 1. Executive Summary The Liceunet Downloader was a client application designed to facilitate downloading of files from the Liceunet (liceu.net) peer-to-peer (P2P) and direct-download network. The service operated primarily from the mid-2000s to approximately 2015–2017. While the original client was benign in function, many third-party repacks, "cracked" versions, and mirrors contain adware, browser hijackers, or potentially unwanted programs (PUPs). While the original client was benign in function,
30/67 engines flagged as riskware/adware. 5. Functional Analysis of a Typical Malicious Sample A representative modified Liceunet_Downloader_2.3.2_cracked.exe (size: 1.2 MB vs original 890 KB) was analyzed in a sandbox: Functional Analysis of a Typical Malicious Sample A