
Dialer:Win32/Adialer.K


First posted on 30 April 2012.
Source: Microsoft

Aliases :

There are no other names known for Dialer:Win32/Adialer.K.

Explanation :



Backdoor:Win32/Kelihos.F is a trojan that allows unauthorized remote access and control, via an Internet connection, of an affected computer. The trojan is a component of the Win32/Kelihos malware family. The Win32/Kelihos malware family distributes spam email messages that may contain hyperlinks to installers of the malware. Win32/Kelihos may also communicate with remote computers to exchange information that it uses to execute various tasks, such as sending spam email messages, stealing sensitive information, or downloading and executing arbitrary files.



Installation

Backdoor:Win32/Kelihos.F may be installed by other malware such as TrojanDownloader:Win32/Waledac.C or other variants of Win32/Kelihos. The trojan may be present as the following file:

  • %windir%\temp\temp68.exe


The registry is modified to execute the installed trojan at each Windows startup, as in the following example:

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "IntelAgent"
With data: "%windir%\temp\temp68.exe"

This malware creates registry entries to store its configuration data:

In subkey: HKCU\Software\Intel
Sets value: "DATAID"
With data: "<variable data>"

Sets value: "DATA"
With data: "0x00000050"

Sets value: "DATA2"
With data: "<variable data>"

Sets value: "DATA3"
With data: "<variable data>" (data contains IP addresses used by the malware to connect with)

When executed, Backdoor:Win32/Kelihos.F installs the following legitimate WinPcap binaries:

  • <system folder>\packet.dll (not malware)
  • <system folder>\wpcap.dll (not malware)
  • <system folder>\drivers\npf.sys (not malware)
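The persistence value, the configuration values and the dropped file path listed above can be turned into a host check. The following Python is an added example, not code from the Microsoft description: it evaluates a registry snapshot (a dict of key path to value-name/data pairs, as you would build from an exported .reg file or a live query; the sample snapshot here is constructed) against the Run value, the four HKCU\Software\Intel values and the temp68.exe path named on this page, and pulls the IPv4 addresses out of DATA3 so they can be used for network hunting. The `severity` verdict thresholds are my own choice, not something the description states.

```python
import re
from typing import Dict

# Indicators named in the description above; everything else in this file is constructed.
RUN_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "IntelAgent"
CONFIG_KEY = r"HKCU\Software\Intel"
CONFIG_VALUE_NAMES = ("DATAID", "DATA", "DATA2", "DATA3")
FIXED_DATA_VALUE = "0x00000050"

# Matches %windir%\temp\temp68.exe whether the snapshot stores %windir% expanded or not.
DROPPED_FILE_RE = re.compile(r"(^|[\\/])temp[\\/]temp68\.exe$", re.IGNORECASE)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def is_kelihos_dropper_path(path: str) -> bool:
    """True if `path` ends in \\temp\\temp68.exe, the file named on this page."""
    return bool(DROPPED_FILE_RE.search(path.strip().strip('"')))


def match_kelihos_f_indicators(snapshot: Dict[str, Dict[str, str]]) -> dict:
    """Evaluate a registry snapshot ({key path: {value name: data}}) against the indicators.

    Returns a dict the caller can feed into alerting or a report:
      persistence   - the Run value exists and points at the dropped file
      run_data      - raw data of the Run value if present (for triage of near-misses)
      config_values - which of the four HKCU\\Software\\Intel values are present
      fixed_data    - DATA holds the constant 0x00000050 given in the description
      ips           - IPv4 addresses carried in DATA3
    """
    result = {"persistence": False, "run_data": None, "config_values": [],
              "fixed_data": False, "ips": []}

    run_values = snapshot.get(RUN_KEY, {})
    if RUN_VALUE_NAME in run_values:
        result["run_data"] = run_values[RUN_VALUE_NAME]
        result["persistence"] = is_kelihos_dropper_path(run_values[RUN_VALUE_NAME])

    config = snapshot.get(CONFIG_KEY, {})
    result["config_values"] = [n for n in CONFIG_VALUE_NAMES if n in config]
    result["fixed_data"] = config.get("DATA") == FIXED_DATA_VALUE
    result["ips"] = IPV4_RE.findall(config.get("DATA3", ""))
    return result


def severity(result: dict) -> str:
    """Collapse the indicator hits into a triage verdict (thresholds are an assumption)."""
    if result["persistence"] and result["config_values"]:
        return "infected"
    if result["persistence"] or len(result["config_values"]) >= 2:
        return "suspicious"
    return "clean"


# Constructed snapshot of what an infected host's export might look like.
# The addresses are from the RFC 5737 documentation ranges, not real C2 hosts.
SAMPLE_SNAPSHOT = {
    RUN_KEY: {
        "IntelAgent": r"C:\Windows\temp\temp68.exe",
        "SecurityHealth": r"C:\Windows\system32\SecurityHealthSystray.exe",
    },
    CONFIG_KEY: {
        "DATAID": "7f3a9c",
        "DATA": "0x00000050",
        "DATA2": "aGVsbG8=",
        "DATA3": "192.0.2.10:80;198.51.100.7:80",
    },
}

if __name__ == "__main__":
    verdict = match_kelihos_f_indicators(SAMPLE_SNAPSHOT)
    print(severity(verdict), verdict)
```

Because the Run value name and the HKCU\Software\Intel key are generic-looking, the check deliberately reports the raw Run data and the individual value names rather than a bare yes/no, so an analyst can tell a real hit from a coincidental "IntelAgent" entry.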


Payload

Communicates with a remote host to perform other payloads

Backdoor:Win32/Kelihos.F exchanges encrypted messages with a remote computer via HTTP to retrieve other payload instructions. Depending on the message content, Kelihos may perform any of these actions:

  • Update a list of computers that the malware connects and exchanges information with
    (Note: It is possible that the computers in the list are compromised by the malware as well)
  • Send spam email messages
  • Steal sensitive information
  • Send notifications or reports
  • Download and execute an arbitrary file

Additional information

For more information about Win32/Kelihos, see the description elsewhere in the encyclopedia.





Analysis by Edgardo Diaz



Dialer:Win32/Adialer.K is a program that attempts to connect to adult web sites via particular phone numbers without your permission. The dialer may use premium numbers to dial into these sites, resulting in an unexpectedly high phone bill. We have received reports that it has been distributed to users as an attachment to spam email.

This program runs silently, so it is unlikely that you would notice it on your computer.

When executed, Adialer.K checks for RAS (Remote Access Service) capable devices. For each device found, it retrieves the RAS phone book entry name and changes the connection information listed in the phone book. The RAS phonebook stores the information that enables you to connect to remote servers via a dial-up connection. The phonebook contains everything required to make a connection, including the phone number to dial and any other relevant details, such as connection properties or authentication details. By changing the properties of a connection in the phonebook, an attacker can force you to use premium charge numbers for dial-up connections. This results in high phone bills for you and income for the attacker.

After making these changes, Dialer:Win32/Adialer.K may attempt to connect to remote sites using the new connection details added to the phonebook.

Note: In order for this Dialer to successfully perform its payload, your computer would need access to a working dial-up modem connected to a phone line.
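A defender's counterpart to the phonebook tampering described above is to diff the RAS phonebook against a known-good copy. The Python below is an added example, not code from the Microsoft analysis: it parses the INI-style rasphone.pbk format (one section per entry, `PhoneNumber=` lines that may repeat for alternate numbers, a `Type=` line for the connection kind), reports entries whose dial strings changed, were added or were removed since a baseline, and flags numbers under caller-supplied premium prefixes. The `1900` prefix and both phonebook texts are constructed for the example; real premium-rate ranges depend on your country and carrier, so treat the prefix list as a policy input.

```python
import re
from typing import Dict, Iterable, List

SECTION_RE = re.compile(r"^\[(.+)\]\s*$")
KEY_RE = re.compile(r"^([^=]+)=(.*)$")


def parse_phonebook(text: str) -> Dict[str, dict]:
    """Parse rasphone.pbk text into {entry name: {"type": str|None, "numbers": [...]}}.

    A hand-rolled parser is used because an entry may carry several PhoneNumber=
    lines (alternate numbers), which configparser would collapse to a single value.
    """
    entries: Dict[str, dict] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            entries[current] = {"type": None, "numbers": []}
            continue
        if current is None:
            continue
        m = KEY_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "PhoneNumber" and value:
            entries[current]["numbers"].append(value)
        elif key == "Type":
            entries[current]["type"] = value
    return entries


def diff_phonebook(baseline: Dict[str, dict], current: Dict[str, dict]) -> List[dict]:
    """Return one record per entry whose dial numbers differ from the baseline.

    Changed and added entries come first in phonebook order, then entries that
    disappeared; an empty "old" list means the entry was added, empty "new" means removed.
    """
    changes = []
    for name, entry in current.items():
        old = baseline.get(name, {}).get("numbers", [])
        if entry["numbers"] != old:
            changes.append({"entry": name, "old": old, "new": entry["numbers"], "type": entry["type"]})
    for name, entry in baseline.items():
        if name not in current:
            changes.append({"entry": name, "old": entry["numbers"], "new": [], "type": entry["type"]})
    return changes


def flag_premium(numbers: Iterable[str], prefixes: Iterable[str]) -> List[str]:
    """Return the numbers whose digits start with one of the given premium-rate prefixes."""
    prefix_tuple = tuple(prefixes)
    return [n for n in numbers if re.sub(r"\D", "", n).startswith(prefix_tuple)]


# Constructed phonebook contents: the baseline was saved from a clean machine,
# the current copy shows the kind of change a dialer makes.
BASELINE_PBK = """\
[ISP Dial-up]
Encoding=1
Type=1
PhoneNumber=5551234
AreaCode=
"""

CURRENT_PBK = """\
[ISP Dial-up]
Encoding=1
Type=1
PhoneNumber=19005550199
AreaCode=

[New Dial-up]
Encoding=1
Type=1
PhoneNumber=19005550100
"""

# Assumed premium-rate prefix for the example; substitute the ranges that apply to your locale.
PREMIUM_PREFIXES = ("1900",)

if __name__ == "__main__":
    changes = diff_phonebook(parse_phonebook(BASELINE_PBK), parse_phonebook(CURRENT_PBK))
    for change in changes:
        premium = flag_premium(change["new"], PREMIUM_PREFIXES)
        print(f"{change['entry']}: {change['old']} -> {change['new']} premium={premium}")
```

On a live system the baseline would be a copy of rasphone.pbk taken at build time and the current text read from the user's and the all-users phonebook locations; a non-empty diff on a machine where no one edits dial-up connections is worth an alert on its own, and a premium-prefix hit raises the priority.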

Additional information

Dialer:Win32/Adialer.K uses the following APIs in order to perform its payload:

  • RasEnumDevicesA
  • RasEnumConnectionsA
  • RasEnumEntriesA
  • RasDialA
  • RasHangUpA
  • RasSetEntryPropertiesA
  • RasGetEntryPropertiesA




Analysis by Hong Jia

Last update 30 April 2012