
Trojan.Win32.Dialer.a

Detected Nov 22 2004 11:44 GMT
Released Nov 25 2008 12:26 GMT
Published Nov 22 2004 11:44 GMT

Technical Details

This worm contains a backdoor function. It has been widely spammed via email. However, it does not spread via email, but via network resources with weak password protection.

Infected messages

Message subject

Latest News about Arafat!!!

Message body

Hello guys!
Latest news about Arafat!
Unimaginable!!!!!

Attachment name

Infected messages have two files attached. The first is a normal JPEG file:

arafat_1.emf

The second file is called

arafat_2.emf

It is specially constructed to exploit an EMF vulnerability. More information on this vulnerability can be found in Microsoft Security Bulletin MS04-032.

Installation

Once the infected file has been launched, the worm creates the following files in the Windows system folder:

Alerter.exe
Comwsock.dll
Dmsock.dll
Mst.tlb
SCardSer.exe
Spc.exe
Spoolsv.exe
Sptres.dll

The worm masks its presence in the system by injecting itself into Windows processes that are already running, such as explorer.exe, lsass.exe and outlook.exe.

Aler.a creates the following entries in the system registry:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\netlog]
'Display name': "Net Login Helper"
'ImagePath': %System%\SCardSer.exe
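As an added defender-side example (not part of the original description), the following PowerShell script performs a read-only check of a Windows host for the dropped files and the 'netlog' service key listed above. It assumes the service value names are the standard DisplayName and ImagePath (the description prints 'Display name'), and it only reports what it finds.

```powershell
# Added example, not from the original Kaspersky description: read-only check of a
# Windows host for the dropped files and the 'netlog' service key listed above.
function Test-AlerIndicators {
    $systemDir = [Environment]::SystemDirectory   # e.g. C:\Windows\System32

    # File names the description says are created in the Windows system folder.
    # Spoolsv.exe is also the legitimate print spooler, so existence alone is not
    # evidence for that name; the Authenticode status and hash are recorded for triage.
    $droppedNames = @('Alerter.exe', 'Comwsock.dll', 'Dmsock.dll', 'Mst.tlb',
                      'SCardSer.exe', 'Spc.exe', 'Spoolsv.exe', 'Sptres.dll')

    $findings = @(foreach ($name in $droppedNames) {
        $path = Join-Path $systemDir $name
        if (Test-Path -LiteralPath $path -PathType Leaf) {
            $sig  = Get-AuthenticodeSignature -FilePath $path
            $hash = (Get-FileHash -Algorithm SHA256 -LiteralPath $path).Hash
            [pscustomobject]@{
                Indicator = 'File'
                Location  = $path
                Details   = "Signature=$($sig.Status) SHA256=$hash"
            }
        }
    })

    # Service key named in the description. Value names assumed to be the standard
    # DisplayName / ImagePath (the description prints 'Display name').
    $svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\netlog'
    if (Test-Path -LiteralPath $svcKey) {
        $props = Get-ItemProperty -LiteralPath $svcKey
        $findings += [pscustomobject]@{
            Indicator = 'Service'
            Location  = $svcKey
            Details   = "DisplayName='$($props.DisplayName)' ImagePath='$($props.ImagePath)'"
        }
    }

    return $findings
}

$results = Test-AlerIndicators
if ($results) { $results | Format-Table -AutoSize -Wrap }
else          { 'No file or service indicators from the description were found.' }
```

A hit on Spoolsv.exe alone means nothing, since that name belongs to the legitimate print spooler; the signature status and hash in the Details column are what separate the real binary from a drop that reuses the name.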

Propagation

The worm scans random IP addresses, trying to find victim machines that are running Windows, and have weak password protection. Aler.a uses the following passwords to penetrate systems:

0
0
111
123
1234
12345
54321
111111
123456
654321
888888
1234567
11111111
12345678
88888888
!@#$
!@#$%
!@#$%^
~!@#
123!@#
1234!@#$
12345!@#$%
admin
fan@ing*
oracle
pass
passwd
password
root
secret
security
stgzs
super

The worm then copies itself to the victim computer as Alerter.exe or Alerter16.exe.

Payload

The worm opens a random TCP port and tracks port activity. This open port is used to receive remote commands and files.
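Because the port is chosen at random, the port number itself is not a usable indicator; what matters is which image owns the listening socket. As an added example (not part of the original description), the following PowerShell function lists listening TCP endpoints and flags those owned either by an executable named in the description or by one of the processes the description says the worm injects into. It assumes the NetTCPIP module (Windows 8 / Server 2012 or later) and an elevated shell so that process paths resolve.

```powershell
# Added example, not from the original description: lists listening TCP endpoints
# and flags those owned by images named in the description. Requires the NetTCPIP
# module (Windows 8 / Server 2012 or later); run elevated so process paths resolve.
function Get-SuspectListeners {
    # Executables the description says the worm drops or copies itself as.
    $droppedImages = @('Alerter', 'Alerter16', 'SCardSer', 'Spc', 'Spoolsv')

    # Processes the description says the worm injects into. explorer.exe and
    # outlook.exe do not normally own listening sockets; lsass.exe legitimately
    # does on domain controllers (Kerberos, LDAP), so a flag here is a prompt to
    # check the image and signature, not a verdict.
    $injectedImages = @('explorer', 'outlook', 'lsass')

    foreach ($conn in (Get-NetTCPConnection -State Listen)) {
        $proc = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
        if (-not $proc) { continue }

        $reason = $null
        if ($droppedImages -contains $proc.Name) {
            $reason = 'image name matches a dropped file'
        } elseif ($injectedImages -contains $proc.Name) {
            $reason = 'listener in a process the worm injects into'
        }
        if (-not $reason) { continue }

        # Signature status separates the genuine spoolsv.exe from a drop reusing the name.
        $sigStatus = if ($proc.Path) {
            (Get-AuthenticodeSignature -FilePath $proc.Path).Status
        } else {
            'unknown (no path; run elevated)'
        }

        [pscustomobject]@{
            LocalPort = $conn.LocalPort
            PID       = $proc.Id
            Image     = $proc.Name
            Signature = $sigStatus
            Reason    = $reason
        }
    }
}

Get-SuspectListeners | Format-Table -AutoSize
```

Anything reported should be triaged against the file and registry findings from the Installation section before being treated as an infection.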


Trojan

This type of behaviour covers malicious programs that delete, block, modify, or copy data, disrupt computer or network performance, but which cannot be classified under any of the behaviours identified above.

This classification also covers “multipurpose” Trojan programs, i.e. those that are capable of conducting several actions at once and which demonstrate several Trojan behaviours in a single program. This means they cannot be indisputably classified as having any single behaviour.


Aliases

Trojan.Win32.Dialer.a (Kaspersky Lab) is also known as:

  • Rootkit.Win32.Dialer.a (Kaspersky Lab)
  • Trojan-Spy.Win32.Dialer.a (Kaspersky Lab)
  • Trojan.Win32.Dialer (Kaspersky Lab)
  • App: Dialer-gen (McAfee)
  • Mal/ModZon-A (Sophos)
  • Dialer-232 (ClamAV)
  • Heuristic.WinPE-Statistical (Panda)
  • W32/Dialer.N.gen!Eldorado (FPROT)
  • Trojan:Win32/Adialer_gen.A (MS(OneCare))
  • Dialer.Virgilio (DrWeb)
  • Win32/Dialer trojan (Nod32)
  • Generic.Malware.Yd!sp.C135EF8F (BitDef7)
  • Trojan.Dialer.Gen.5 (VirusBuster)
  • Win32:Dialer-AFH [Tool] (AVAST)
  • Trojan.Win32.Dialer.fl (Ikarus)
  • Dialer.OYH (AVG)
  • DIAL/Dialer.Gen (AVIRA)
  • Dialer.MicroDialer (NAV)
  • NseCheckFile2() returned 0x00010018 (Norman)
  • TROJ_DIALER.AN (TrendMicro)
  • Trojan.Dialer.Gen.5 (VirusBusterBeta)