Content

QDial-45

Type
Trojan
SubType
Dialer
Discovery Date
08/02/2006
Length
Minimum DAT
4820 (08/02/2006)
Updated DAT
6546 (11/30/2011)
Minimum Engine
5.1.00
Description Added
08/02/2006
Description Modified
09/07/2006 10:29 AM (PT)
Risk Assessment
Corporate User
Low
Home User
Low

Tab Navigation

Characteristics

There are two components of this trojan a DLL downloader and a PE file. The DLL downloader copies itself in alternate data streams with a random name. For Example

  • %WINDIR%\system32\:craa.dll - detected as QDial-45.dldr

The downloader creates following DNS requests to download the Dialer trojan.

The downloaded file is encrypted and has GIF header to bypass the virus scanners. The DLL parses this file to create a random named executable in the following directory.

  • c:\documents and settings\%USER%\my documents\ [random numbers].exe - 61,440 bytes

Upon execution the trojan creates following files and registry keys.

Files

  • c:\program files\common files\system\[random].exe - encrypted data file - hidden
  • c:\documents and settings\%USER%\local settings\temp\tbyq1.exe - Detected as Qdial-45
  • %WINDIR%\temp\2.tmp ( 55808 bytes )
  • %WINDIR%\temp\tbyq1.exe ( 17920 bytes ) - Detected as Qdial-45

Registry

The following registry keys are created*

  • hkey_local_machine\software\microsoft\windows\currentversion\run
    \[random].exe="C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\[random].exe"
  • hkey_local_machine\system\currentcontrolset\services\[random]
    \imagepath=""C:\Program Files\Common Files\System\[random].exe""
  • hkey_local_machine\system\currentcontrolset\services\[random]\objectname=".\isescmfRBTVs"
  • hkey_local_machine\system\currentcontrolset\services\[random]\description="Manages IP security policy and starts the ISAKMP/Oakley (IKE) and the IP security driver."
  • hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon\specialaccounts\userlist\isescmfrbtvs="0"

* Since most keys have random values associated only those significant are highlighted.

Symptoms

Unusual modem activity, presense of aformentioned files and registry keys, and higher rates than expected in phone bills.

Method of Infection

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, etc.

Removal

All Users:

Please use the following instructions for all supported versions of Windows to remove threats and other potential risks:

1.Disable System Restore .

2.Update to current engine and DAT files for detection and removal.

3.Run a complete system scan.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

1. Please go to the Microsoft Recovery Console and restore a clean MBR.

On windows XP:

Insert the Windows XP CD into the CD-ROM drive and restart the computer.
When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
Select the Windows installation that is compromised and provide the administrator password
Issue 'fixmbr' command to restore the Master Boot Record
Follow onscreen instructions
Reset and remove the CD from CD-ROM drive.


On Windows Vista and 7:

Insert the Windows CD into the CD-ROM drive and restart the computer.
Click on "Repair Your Computer"
When the System Recovery Options dialog comes up, choose the Command Prompt.
Issue 'bootrec /fixmbr' command to restore the Master Boot Record
Follow onscreen instructions
Reset and remove the CD from CD-ROM drive.

Variants

Variants

    N/A

All Information

Overview -

Qdial-45 is a encrypted trojan that is responsible for disconnecting the original modem connection and making a new call at higher rates, to display the adult contents. The trojan generally downloaded via a BHO. The downloader component of this trojan is installed in Alternate Data Streams.

Aliases

  • Gromozon

Characteristics

Characteristics -

There are two components of this trojan a DLL downloader and a PE file. The DLL downloader copies itself in alternate data streams with a random name. For Example

  • %WINDIR%\system32\:craa.dll - detected as QDial-45.dldr

The downloader creates following DNS requests to download the Dialer trojan.

The downloaded file is encrypted and has GIF header to bypass the virus scanners. The DLL parses this file to create a random named executable in the following directory.

  • c:\documents and settings\%USER%\my documents\ [random numbers].exe - 61,440 bytes

Upon execution the trojan creates following files and registry keys.

Files

  • c:\program files\common files\system\[random].exe - encrypted data file - hidden
  • c:\documents and settings\%USER%\local settings\temp\tbyq1.exe - Detected as Qdial-45
  • %WINDIR%\temp\2.tmp ( 55808 bytes )
  • %WINDIR%\temp\tbyq1.exe ( 17920 bytes ) - Detected as Qdial-45

Registry

The following registry keys are created*

  • hkey_local_machine\software\microsoft\windows\currentversion\run
    \[random].exe="C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\[random].exe"
  • hkey_local_machine\system\currentcontrolset\services\[random]
    \imagepath=""C:\Program Files\Common Files\System\[random].exe""
  • hkey_local_machine\system\currentcontrolset\services\[random]\objectname=".\isescmfRBTVs"
  • hkey_local_machine\system\currentcontrolset\services\[random]\description="Manages IP security policy and starts the ISAKMP/Oakley (IKE) and the IP security driver."
  • hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon\specialaccounts\userlist\isescmfrbtvs="0"

* Since most keys have random values associated only those significant are highlighted.

Symptoms

Symptoms -

Unusual modem activity, presense of aformentioned files and registry keys, and higher rates than expected in phone bills.

Method of Infection

Method of Infection -

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, etc.

Removal -

Removal -

All Users:

Please use the following instructions for all supported versions of Windows to remove threats and other potential risks:

1.Disable System Restore .

2.Update to current engine and DAT files for detection and removal.

3.Run a complete system scan.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

1. Please go to the Microsoft Recovery Console and restore a clean MBR.

On windows XP:

Insert the Windows XP CD into the CD-ROM drive and restart the computer.
When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
Select the Windows installation that is compromised and provide the administrator password
Issue 'fixmbr' command to restore the Master Boot Record
Follow onscreen instructions
Reset and remove the CD from CD-ROM drive.


On Windows Vista and 7:

Insert the Windows CD into the CD-ROM drive and restart the computer.
Click on "Repair Your Computer"
When the System Recovery Options dialog comes up, choose the Command Prompt.
Issue 'bootrec /fixmbr' command to restore the Master Boot Record
Follow onscreen instructions
Reset and remove the CD from CD-ROM drive.

Variants

Variants -

    N/A