January 22, 2011

DIAL THREAT

Dialers dial predefined numbers to connect to certain sites. Many users run dialers without knowing that some of these programs actually dial long-distance numbers or connect to pay-per-call sites, and that they are being charged for the calls. Dialers are often offered as programs for accessing adult sites.



It drops the following files:

  • %Desktop%\XXX ACCESS.LNK
  • %Program Files%\GIB\dat\12599.gib
  • %Program Files%\GIB\dat\12599.ico
  • %Program Files%\GIB\EZ_1-2-3.EXE
  • %Start Menu%\Programs\XXX ACCESS.LNK
  • %Start Menu%\XXX ACCESS.LNK
  • C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\MICROSOFT\Network\CONNECTIONS\Pbk\rasphone.pbk
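The rasphone.pbk file listed above is the Windows RAS phonebook, an INI-style file with one [section] per dial-up connection and keys such as PhoneNumber, CountryCode and Device. A quick way to triage a suspect host is to parse that file and flag any entry whose number looks premium-rate or international. The script below is an added example written for this post, not code from the original write-up or from the dialer; the sample phonebook, the entry names and the prefix lists are constructed assumptions and should be adjusted to local tariff rules.

```python
"""Parse a Windows rasphone.pbk phonebook and flag dial-up entries whose
number looks like a premium-rate or international call.

rasphone.pbk is INI-style: one [section] per connection entry, with keys
such as PhoneNumber, CountryCode, Device and Type. The sample below is
constructed for this example; the entry names and numbers are assumptions,
not strings taken from the analysed sample."""

import configparser
import re

# Prefixes treated as expensive. These are illustrative assumptions:
# adjust them to the tariff rules of the country the machine dials from.
PREMIUM_PREFIXES = ("0900", "0906", "1900", "190", "0190")
INTERNATIONAL_PREFIXES = ("00", "+", "011")

# Constructed sample phonebook: one legitimate ISP entry, one dialer entry.
SAMPLE_PBK = """\
[My ISP]
Encoding=1
Type=1
PhoneNumber=5551234
CountryCode=1
Device=Standard Modem

[XXX Access]
Encoding=1
Type=1
PhoneNumber=0900123456
CountryCode=1
Device=Standard Modem
"""


def normalise(number):
    """Strip dialing punctuation so prefix checks see only digits and '+'."""
    return re.sub(r"[^\d+]", "", number)


def classify(number):
    """Return 'premium', 'international' or 'ok' for a raw PhoneNumber value."""
    n = normalise(number)
    if n.startswith(PREMIUM_PREFIXES):
        return "premium"
    if n.startswith(INTERNATIONAL_PREFIXES):
        return "international"
    return "ok"


def parse_pbk(text):
    """Parse phonebook text into a list of {name, number, verdict} dicts."""
    # strict=False tolerates duplicate keys, which real .pbk files contain.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case exactly as written in the file
    cp.read_string(text)
    entries = []
    for section in cp.sections():
        number = cp.get(section, "PhoneNumber", fallback="")
        entries.append({"name": section, "number": number,
                        "verdict": classify(number)})
    return entries


def suspicious_entries(text):
    """Only the entries that dial a premium-rate or international number."""
    return [e for e in parse_pbk(text) if e["verdict"] != "ok"]


if __name__ == "__main__":
    # On a live host, read the real file instead of SAMPLE_PBK, e.g.
    # open(r"C:\ProgramData\Microsoft\Network\Connections\Pbk\rasphone.pbk").read()
    for e in parse_pbk(SAMPLE_PBK):
        print(f"{e['name']:<12} {e['number']:<14} {e['verdict']}")
```

Any entry flagged here should be cross-checked against the dropped-file and registry indicators listed on this page before it is treated as the dialer rather than a legitimate international ISP account.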
It creates the following registry key, with two values that register it as an installed program in Add/Remove Programs:
  • HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\Windows\CURRENTVERSION\uninstall\XXX Access
    DisplayName = "XXX Access"
    UninstallString = "%Program Files%\GIB\EZ_1-2-3.EXE uninstall 12599"
It also places the following executable in the folder where it is located, which makes it harder to remove:
  • %folder where it is located%\376f62ee-b5ce-4c85-b72b-dee56b483e92.exe

It contains the following strings, which may indicate hosts file modification, downloading, sending of information, and other possibly malicious routines:
  • Could not launch web browser. 
  • Please send and e-mail to support@chargit.com and reference Error #LB%d 
  • dist02.tdial.com
  • E-mail pport@chargit.com a.u.b. voor hulp. (Dutch: "Please e-mail pport@chargit.com for help.")
  • http://www.{BLOCKED}ith.com
  • http://www.ith.com/members/
  • Please E-Mail pport@chargit.com for assistance.
  • Please send an email tosupport@chargit.com referencing error #DF1 for assistance.
  • Please send an email to support@chargit.com referencing error #DF2 for assistance.
  • Por favor envia e-mail pport@chargit.com para ayuda. (Spanish: "Please send e-mail to pport@chargit.com for help.")
