
Trojan.Win32.Dialer.mw

Detected Jan 02 2006 07:47 GMT
Released Jan 02 2006 08:49 GMT
Published Jun 22 2006 15:25 GMT


Technical Details

This Trojan program is a Windows PE EXE file, written in Visual C++ and packed using UPX. The packed file is 23552 bytes in size; the unpacked file is approximately 57 KB.

Installation

The Trojan is installed on the victim machine when the malicious file is launched and all of the following conditions are met:

  • the -install parameter is present on the command line;
  • the program has not previously been installed on the victim machine, or was last installed more than 21 days ago (the date of the last installation can be determined from the date of the last entry in %WinDir%\imsins_.bin; one byte is appended to this file each time the program is installed);
  • none of the objects listed below is present on the victim machine:
    %Program Files%\0190 Warner
    %Program Files%\a2
    %Program Files%\Coolspot\Dialer Control
    %Program Files%\Popupkiller
    %Program Files%\MicroSoft AntiSpyware
    %System%\DRIVERS\vmx_svga.sys
    %System%\DRIVERS\vpc-s3.sys

During installation the Trojan may read some of its parameters from the 'websitesign' cookie.

The program sends a request to http://xdl.www2.******.com/kb2.php to obtain its configuration in encrypted form, which it saves to %WinDir%\KB842252.log. The Trojan also downloads data from this site and saves it to %WinDir%\switchagreement.txt.

If the parameter -s is present on the command line during installation, the Trojan copies itself to %System%\usbn.exe and then registers itself in the system registry:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
 "usbn"="%System%\usbn.exe"

This ensures that the Trojan is launched each time Windows is rebooted on the victim machine.

Depending on the modification of the Trojan, the file name may vary.

The Trojan then creates the following registry value:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Telephony\Settings]
 "alternative"=1

usbn.exe is then launched.

If the parameter -d is present on the command line during installation, the Trojan copies itself to %WinDir%\internt.exe and then attempts to create shortcuts to this file:

  1. on all users' desktops:
    XXX NOW
    TheDoctor
    PORN JACK POT
  2. in all users' Start menus:
    LipGame
    Dating
    WIN PORN DVD

The Trojan is unable to process Russian-language file paths. As a consequence, if the program is launched on a Russian-language version of Windows, the shortcuts are not created.

If the substring installbf is present on the command line during installation, the original file is deleted once installation is complete.

If the substring installbf is not present, the files listed below are deleted instead:

C:\explorer.cab
C:\inst.hta
C:\inst.exe

Payload

When launched without parameters, the program displays a console window showing «FORMAT volume [/FS:file-system] [/V:label] [/Q] [/A:size] [/C] [/X]» and then terminates.

When usbn.exe is launched with the parameter -go, the program attempts to close windows whose class name contains the string «#32770», collects data on the active telephone connections and saves it to the following registry key:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Telephony\Settings]
 "areacode"
 "phonenumber"
 "username"
 "domain"

The program then modifies the user names and local numbers of all telephone connections, replacing them with values contained in the configuration file KB842252.log. This file is downloaded from the Internet when the Trojan is installed.

30 days after the time indicated in the configuration file downloaded from http://xdl.www2.******.com/kb2.php, the Trojan deletes usbn.exe and reverts all connection parameters to their original values. The registry keys created by the Trojan are also deleted.

If one of the shortcuts is clicked, internt.exe is launched with the parameter -go, provided that no other copy of internt.exe is running at that moment. Once launched, the program terminates all active telephone connections, then repeatedly establishes and terminates connections to a range of numbers taken from the configuration file.

The program then sends an HTTP request to http://www.********.nu/members.asp?cat=. Some of the program's parameters are transmitted in the request. The total number of times the program may be launched in this mode is indicated in the configuration file. Once this number of launches is reached, or once 30 days have passed since the time shown in the configuration file, the program deletes internt.exe and the shortcuts it created.

The following registry key is created in order to save the number of times the program has been launched:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Telephony]
 "cnt"

Removal instructions

  1. Delete the following registry value:
    [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
     "usbn"="%System%\usbn.exe"
  2. Terminate the usbn.exe process.
  3. Delete the following files:
    %System%\usbn.exe
    %WinDir%\internt.exe
  4. Revert all telephone connection parameters to their original values.
  5. Delete the shortcuts which the program created in the Start Menu and on the desktop.
  6. Update your antivirus databases and perform a full scan of the computer (download a trial version of Kaspersky Anti-Virus).
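The files, registry values and shortcut names listed in the Technical Details and Payload sections above are the host indicators a responder would check before following the removal steps. The following is an added example (not Kaspersky Lab's code) that matches those indicators against a host snapshot; the snapshot format (dicts of files, registry values and shortcut names) is an assumption of this example so that it runs anywhere, and the sample hosts below are constructed, not real captures. It also reads the %WinDir%\imsins_.bin marker the way the description implies: file size as the number of installations, modification time as the last installation, against the 21-day re-install interval.

```python
"""Offline indicator triage for Trojan.Win32.Dialer.mw (added example)."""
from datetime import datetime, timedelta

# %System% and %WinDir% are kept symbolic; expand them on a real host.
SYSTEM = r"%System%"
WINDIR = r"%WinDir%"
RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
TELEPHONY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Telephony"
TELEPHONY_SETTINGS = TELEPHONY + r"\Settings"
MARKER = WINDIR + r"\imsins_.bin"

# Files the Trojan drops, taken from the description (path -> meaning).
IOC_FILES = {
    SYSTEM + r"\usbn.exe": "copy installed with -s, autostarted from the Run key",
    WINDIR + r"\internt.exe": "copy installed with -d, launched from the shortcuts",
    WINDIR + r"\KB842252.log": "encrypted configuration downloaded at install time",
    WINDIR + r"\switchagreement.txt": "data downloaded from the configuration server",
    MARKER: "install marker; one byte appended per installation",
}

# Registry values with a fixed expected content.
IOC_REGISTRY_VALUES = {
    (RUN_KEY, "usbn"): SYSTEM + r"\usbn.exe",
    (TELEPHONY_SETTINGS, "alternative"): 1,
}
# Values whose content is host-specific (saved connection data, launch
# counter): their presence alone is the indicator.
IOC_REGISTRY_PRESENCE = {
    (TELEPHONY_SETTINGS, n) for n in ("areacode", "phonenumber", "username", "domain")
} | {(TELEPHONY, "cnt")}

# Shortcut names created on desktops and in the Start menu.
IOC_SHORTCUTS = {"XXX NOW", "TheDoctor", "PORN JACK POT", "LipGame", "Dating", "WIN PORN DVD"}

# The dropper re-installs only when the last installation is older than this.
REINSTALL_INTERVAL = timedelta(days=21)


def install_history(marker, now):
    """Interpret the marker file: size = number of installs, mtime = last install."""
    age = now - marker["mtime"]
    return {
        "installs": marker["size"],
        "days_since_last": age.days,
        "reinstall_possible": age >= REINSTALL_INTERVAL,
    }


def triage(snapshot, now):
    """Match a host snapshot against the indicators and return the findings."""
    findings = []
    for path, meaning in IOC_FILES.items():
        if path in snapshot["files"]:
            findings.append(f"file {path}: {meaning}")
    for (key, name), expected in IOC_REGISTRY_VALUES.items():
        if snapshot["registry"].get((key, name)) == expected:
            findings.append(f"registry {key}\\{name} = {expected!r}")
    for key, name in sorted(IOC_REGISTRY_PRESENCE):
        if (key, name) in snapshot["registry"]:
            findings.append(f"registry {key}\\{name} present")
    for shortcut in sorted(IOC_SHORTCUTS & set(snapshot["shortcuts"])):
        findings.append(f"shortcut '{shortcut}' (name used by the Trojan)")
    marker = snapshot["files"].get(MARKER)
    return {
        "infected": bool(findings),
        "findings": findings,
        "install_history": install_history(marker, now) if marker else None,
    }


# Constructed sample data (not a real capture). Hypothetical "now" for determinism.
SAMPLE_NOW = datetime(2006, 2, 1, 12, 0)
_T = SAMPLE_NOW - timedelta(days=30)
INFECTED_HOST = {
    "files": {
        SYSTEM + r"\usbn.exe": {"size": 23552, "mtime": _T},
        WINDIR + r"\KB842252.log": {"size": 512, "mtime": _T},
        MARKER: {"size": 2, "mtime": _T},
        SYSTEM + r"\notepad.exe": {"size": 69120, "mtime": SAMPLE_NOW - timedelta(days=400)},
    },
    "registry": {
        (RUN_KEY, "usbn"): SYSTEM + r"\usbn.exe",
        (TELEPHONY_SETTINGS, "alternative"): 1,
        (TELEPHONY_SETTINGS, "phonenumber"): "0000-PLACEHOLDER",  # constructed value
    },
    "shortcuts": ["XXX NOW", "Dating", "Calculator"],
}
CLEAN_HOST = {"files": {}, "registry": {}, "shortcuts": ["Calculator"]}

if __name__ == "__main__":
    for label, host in (("infected", INFECTED_HOST), ("clean", CLEAN_HOST)):
        result = triage(host, SAMPLE_NOW)
        print(label, result["infected"], result["install_history"])
        for line in result["findings"]:
            print("  ", line)
```

The file names are the weakest of these indicators, since the description notes they vary between modifications; the Telephony registry values and the altered dial-up user names and numbers are what to rely on when a host does not show usbn.exe or internt.exe under those names.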

Trojan

This type of behaviour covers malicious programs that delete, block, modify, or copy data, disrupt computer or network performance, but which cannot be classified under any of the behaviours identified above.

This classification also covers “multipurpose” Trojan programs, i.e. those that are capable of conducting several actions at once and which demonstrate several Trojan behaviours in a single program. This means they cannot be indisputably classified as having any single behaviour.



Aliases

Trojan.Win32.Dialer.mw (Kaspersky Lab) is also known as:

  • Troj/Hogil-Gen (Sophos)
  • Dialer-646 (ClamAV)
  • Dialer.FBR (Panda)
  • W32/Trojan.gen (FPROT)
  • Dialer:Win32/ADialer (MS(OneCare))
  • Trojan.DownLoader.2163 (DrWeb)
  • Win32/Dialer.EB trojan (Nod32)
  • Trojan.Dialer.MW (BitDef7)
  • Trojan.Dialer.NN (VirusBuster)
  • Win32:Dialer-336 [Trj] (AVAST)
  • Trojan.Win32.Dialer.eb (Ikarus)
  • Dialer.BEV (AVG)
  • TR/Dialer.MW.1 (AVIRA)
  • W32.IRCBot.Gen (NAV)
  • W32/DLoader.NUS (Norman)
  • TROJ_DLOADER.BAZ (PCCIL)
  • Trojan.Dialer.wvq (Rising)
  • Trojan.Win32.Dialer.mw [AVP] (FSecure)
  • TROJ_DLOADER.BAZ (TrendMicro)