When launched without parameters, the program causes a console window to be displayed, showing
- Delete the following registry key:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
This Trojan program is a Windows PE EXE file, written in Visual C and packed using UPX. The packed file is 23552 bytes in size, and the unpacked file is approximately 57KB in size.
Installation
The Trojan will be installed to the victim machine if the malicious file is launched for execution and all the conditions below are met:
- if the –install parameter is present in the command line;
- if the program was not previously installed to the victim machine, or was previously installed more than 21 days ago (the date when the program was last installed can be determined from the date of the last entry in %WinDir%\imsins_.bin: each time the program is installed, 1 byte will be added);
- if the objects listed below are not present on the victim machine:
%Program Files%\0190 Warner
%Program Files%\a2
%Program Files%\Coolspot\Dialer Control
%Program Files%\Popupkiller
%Program Files%\MicroSoft AntiSpyware
%System%\DRIVERS\vmx_svga.sys
%System%\DRIVERS\vpc-s3.sys
When installing, the Trojan may get some parameters from the 'websitesign' cookie.
The program sends a request to http://xdl.www2.******.com/kb2.php to get its configuration in encrypted form. This is then saved to %WinDir%\KB842252.log. The Trojan also gets data from this site and saves it to %WinDir%\switchagreement.txt.
If during installation the parameter -s is present in the command line, the Trojan file will copy itself to %System%\usbn.exe and then register itself in the system registry:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"usbn"="%System%\usbn.exe"
This ensures that the Trojan is launched each time Windows is rebooted on the victim machine.
Depending on the modification of the Trojan, the file name may vary.
The Trojan then creates the following registry key values:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Telephony\Settings]
"alternative"=1
usbn.exe will then be launched.
If during installation the parameter -d is present in the command line, the Trojan will copy itself to %WinDir%\internt.exe and then attempt to create shortcuts to this file:
- on all user desktops:

XXX NOW
TheDoctor
PORN JACK POT
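
A triage sketch for the file artifacts described above, added here as an example and not part of the original description: it checks a Windows directory (for instance on a read-only mounted disk image) for the files the Trojan writes and interprets the install counter. Treating the modification time of imsins_.bin as the last-install date, the System32 location for %System%, and the function name triage are assumptions.

```python
import os
import sys
import time
from datetime import datetime, timezone

# File artifacts named in this description, relative to the Windows directory.
# Assumption: %System% is <windir>/System32 on the inspected volume.
ARTIFACTS = {
    "install counter": "imsins_.bin",
    "encrypted configuration": "KB842252.log",
    "downloaded data": "switchagreement.txt",
    "copy made with -d": "internt.exe",
    "copy made with -s": os.path.join("System32", "usbn.exe"),  # name varies by modification
}
REINSTALL_DAYS = 21  # the Trojan installs again only after more than 21 days


def triage(windir, now=None):
    """Report which artifacts exist under windir and decode the install counter."""
    now = time.time() if now is None else now
    report = {"found": {}, "install_count": 0,
              "last_install": None, "reinstall_blocked": False}
    for label, rel in ARTIFACTS.items():
        path = os.path.join(windir, rel)
        if os.path.isfile(path):
            report["found"][label] = path
    counter = report["found"].get("install counter")
    if counter:
        st = os.stat(counter)
        # One byte is appended per installation, so size == number of installs.
        report["install_count"] = st.st_size
        # Assumption: the file's modification time marks the last installation.
        report["last_install"] = datetime.fromtimestamp(st.st_mtime, timezone.utc)
        age_days = (now - st.st_mtime) / 86400
        report["reinstall_blocked"] = age_days <= REINSTALL_DAYS
    return report


if __name__ == "__main__":
    # Usage: python triage.py <path to the Windows directory of the image>
    for key, value in triage(sys.argv[1]).items():
        print(f"{key}: {value}")
```

File presence alone does not cover the registry values listed above; those need a separate check of the SOFTWARE hive.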
