Content

QDial-45

Type
Trojan
SubType
Dialer
Discovery Date
08/02/2006
Length
Minimum DAT
4820 (08/02/2006)
Updated DAT
5041 (05/29/2007)
Minimum Engine
5.1.00
Description Added
08/02/2006
Description Modified
09/07/2006 10:29 AM (PT)
Risk Assessment
Corporate User
Low
Home User
Low

Tab Navigation

Characteristics

There are two components of this trojan a DLL downloader and a PE file. The DLL downloader copies itself in alternate data streams with a random name. For Example

  • %WINDIR%\system32\:craa.dll - detected as QDial-45.dldr

The downloader creates following DNS requests to download the Dialer trojan.

The downloaded file is encrypted and has GIF header to bypass the virus scanners. The DLL parses this file to create a random named executable in the following directory.

  • c:\documents and settings\%USER%\my documents\ [random numbers].exe - 61,440 bytes

Upon execution the trojan creates following files and registry keys.

Files

  • c:\program files\common files\system\[random].exe - encrypted data file - hidden
  • c:\documents and settings\%USER%\local settings\temp\tbyq1.exe - Detected as Qdial-45
  • %WINDIR%\temp\2.tmp ( 55808 bytes )
  • %WINDIR%\temp\tbyq1.exe ( 17920 bytes ) - Detected as Qdial-45

Registry

The following registry keys are created*

  • hkey_local_machine\software\microsoft\windows\currentversion\run
    \[random].exe="C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\[random].exe"
  • hkey_local_machine\system\currentcontrolset\services\[random]
    \imagepath=""C:\Program Files\Common Files\System\[random].exe""
  • hkey_local_machine\system\currentcontrolset\services\[random]\objectname=".\isescmfRBTVs"
  • hkey_local_machine\system\currentcontrolset\services\[random]\description="Manages IP security policy and starts the ISAKMP/Oakley (IKE) and the IP security driver."
  • hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon\specialaccounts\userlist\isescmfrbtvs="0"

* Since most keys have random values associated only those significant are highlighted.

Symptoms

Unusual modem activity, presense of aformentioned files and registry keys, and higher rates than expected in phone bills.

Method of Infection

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, etc.

Removal

AVERT recommends to always use latest DATs and engine. This threat will be cleaned if you have this combination.

Additional Windows ME/XP removal considerations

Variants

Variants

    N/A

All Information

Overview -

Qdial-45 is a encrypted trojan that is responsible for disconnecting the original modem connection and making a new call at higher rates, to display the adult contents. The trojan generally downloaded via a BHO. The downloader component of this trojan is installed in Alternate Data Streams.

Aliases

  • Gromozon

Characteristics

Characteristics -

There are two components of this trojan a DLL downloader and a PE file. The DLL downloader copies itself in alternate data streams with a random name. For Example

  • %WINDIR%\system32\:craa.dll - detected as QDial-45.dldr

The downloader creates following DNS requests to download the Dialer trojan.

The downloaded file is encrypted and has GIF header to bypass the virus scanners. The DLL parses this file to create a random named executable in the following directory.

  • c:\documents and settings\%USER%\my documents\ [random numbers].exe - 61,440 bytes

Upon execution the trojan creates following files and registry keys.

Files

  • c:\program files\common files\system\[random].exe - encrypted data file - hidden
  • c:\documents and settings\%USER%\local settings\temp\tbyq1.exe - Detected as Qdial-45
  • %WINDIR%\temp\2.tmp ( 55808 bytes )
  • %WINDIR%\temp\tbyq1.exe ( 17920 bytes ) - Detected as Qdial-45

Registry

The following registry keys are created*

  • hkey_local_machine\software\microsoft\windows\currentversion\run
    \[random].exe="C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\[random].exe"
  • hkey_local_machine\system\currentcontrolset\services\[random]
    \imagepath=""C:\Program Files\Common Files\System\[random].exe""
  • hkey_local_machine\system\currentcontrolset\services\[random]\objectname=".\isescmfRBTVs"
  • hkey_local_machine\system\currentcontrolset\services\[random]\description="Manages IP security policy and starts the ISAKMP/Oakley (IKE) and the IP security driver."
  • hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon\specialaccounts\userlist\isescmfrbtvs="0"

* Since most keys have random values associated only those significant are highlighted.

Symptoms

Symptoms -

Unusual modem activity, presense of aformentioned files and registry keys, and higher rates than expected in phone bills.

Method of Infection

Method of Infection -

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, etc.

Removal -

Removal -

AVERT recommends to always use latest DATs and engine. This threat will be cleaned if you have this combination.

Additional Windows ME/XP removal considerations

Variants

Variants -

    N/A