QDial-45
- Type
- Trojan
- SubType
- Dialer
- Discovery Date
- 08/02/2006
- Length
- Minimum DAT
- 4820 (08/02/2006)
- Updated DAT
- 5041 (05/29/2007)
- Minimum Engine
- 5.1.00
- Description Added
- 08/02/2006
- Description Modified
- 09/07/2006 10:29 AM (PT)
Overview
Qdial-45 is an encrypted trojan that disconnects the existing modem connection and places a new call at higher rates in order to display adult content. The trojan is generally downloaded via a BHO (Browser Helper Object). Its downloader component is installed in an Alternate Data Stream.
Aliases
- Gromozon
Characteristics
This trojan has two components: a DLL downloader and a PE file. The DLL downloader copies itself into an alternate data stream under a random name, for example:
- %WINDIR%\system32\:craa.dll - detected as QDial-45.dldr
The downloader issues the following DNS requests to download the dialer trojan:
- www.wschooler.com
- 195.225.177.22/[blocked]/pic.gif[blocked]
The downloaded file is encrypted and carries a GIF header so that virus scanners treat it as an image. The DLL parses this file and creates a randomly named executable in the following directory:
- c:\documents and settings\%USER%\my documents\[random numbers].exe - 61,440 bytes
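The GIF-header trick described above defeats a check that looks only at the magic bytes. The Python below is an added example, not code from AVERT or from this description, showing the defender's counter-check: walk the GIF block structure after the magic and report a file that has the header but does not parse as an image. The two sample inputs (a minimal 1x1 GIF and a pseudo-random blob behind a GIF89a header) are constructed here, and the function names are this example's own.

```python
"""Flag files that carry a GIF header but do not parse as a GIF.

Added example (not part of the original AVERT description). An encrypted
payload served behind "GIF89a" passes a magic-bytes check; it fails a walk
of the GIF block structure almost immediately. Sample inputs are constructed.
"""
import struct

# Constructed: a well-formed 1x1 GIF89a (header, screen descriptor, 2-entry
# global colour table, graphic control extension, image descriptor, trailer).
MINIMAL_GIF = bytes.fromhex(
    "474946383961" "01000100800000" "000000ffffff"
    "21f90401000000" "002c00000000010001000002024401003b"
)
# Constructed: a deterministic pseudo-random blob wearing a GIF89a header,
# standing in for an encrypted payload of the kind described above.
FAKE_PAYLOAD = b"GIF89a" + bytes((i * 73 + 41) & 0xFF for i in range(64))


def _color_table_len(packed):
    """Byte length of the colour table announced by a packed field (0 if none)."""
    if packed & 0x80:
        return 3 * (2 ** ((packed & 0x07) + 1))
    return 0


def _skip_sub_blocks(data, pos):
    """Advance over a chain of data sub-blocks (length byte + payload) ending in 0x00."""
    while True:
        if pos >= len(data):
            raise ValueError("truncated inside data sub-blocks")
        size = data[pos]
        pos += 1
        if size == 0:
            return pos
        pos += size


def validate_gif(data):
    """Return (True, 'ok') for a structurally valid GIF, else (False, reason)."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        return False, "no GIF magic"
    try:
        if len(data) < 13:
            raise ValueError("truncated logical screen descriptor")
        _w, _h, packed, _bg, _aspect = struct.unpack_from("<HHBBB", data, 6)
        pos = 13 + _color_table_len(packed)
        if pos > len(data):
            raise ValueError("truncated global colour table")
        while True:
            if pos >= len(data):
                raise ValueError("missing trailer (0x3B)")
            sep = data[pos]
            pos += 1
            if sep == 0x3B:  # trailer: nothing may follow it in a clean file
                if pos != len(data):
                    raise ValueError("trailing data after GIF trailer")
                return True, "ok"
            if sep == 0x21:  # extension: label byte, then sub-blocks
                pos += 1
                pos = _skip_sub_blocks(data, pos)
            elif sep == 0x2C:  # image descriptor: 9 bytes, optional local table
                if pos + 9 > len(data):
                    raise ValueError("truncated image descriptor")
                pos += 9 + _color_table_len(data[pos + 8])
                pos += 1  # LZW minimum code size
                pos = _skip_sub_blocks(data, pos)
            else:
                raise ValueError(f"invalid block separator 0x{sep:02X} at offset {pos - 1}")
    except ValueError as exc:
        return False, str(exc)


def classify(data):
    """Coarse verdict: 'valid-gif', 'gif-magic-only' (header but no structure) or 'not-gif'."""
    ok, reason = validate_gif(data)
    if ok:
        return "valid-gif"
    return "not-gif" if reason == "no GIF magic" else "gif-magic-only"


if __name__ == "__main__":
    for label, sample in (("minimal gif", MINIMAL_GIF), ("fake payload", FAKE_PAYLOAD)):
        print(label, classify(sample), validate_gif(sample)[1])
```

The walk stops at the first block separator that is not an extension, image descriptor or trailer; for the constructed payload that happens right after the logical screen descriptor. The "trailing data after GIF trailer" case is reported separately so that a real image with a payload appended behind it is not waved through either.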
Upon execution, the trojan creates the following files and registry keys.
Files
- c:\program files\common files\system\[random].exe - encrypted data file - hidden
- c:\documents and settings\%USER%\local settings\temp\tbyq1.exe - Detected as Qdial-45
- %WINDIR%\temp\2.tmp (55,808 bytes)
- %WINDIR%\temp\tbyq1.exe (17,920 bytes) - Detected as Qdial-45
Registry
The following registry keys and values are created*:
- hkey_local_machine\software\microsoft\windows\currentversion\run\[random].exe="C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\[random].exe"
- hkey_local_machine\system\currentcontrolset\services\[random]\imagepath=""C:\Program Files\Common Files\System\[random].exe""
- hkey_local_machine\system\currentcontrolset\services\[random]\objectname=".\isescmfRBTVs"
- hkey_local_machine\system\currentcontrolset\services\[random]\description="Manages IP security policy and starts the ISAKMP/Oakley (IKE) and the IP security driver."
- hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon\specialaccounts\userlist\isescmfrbtvs="0"
* Since most keys have random values associated with them, only the significant ones are listed.
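The registry entries above combine three things a reviewer can check mechanically: a Run value that launches from a Temp directory, a service whose Description is copied from the built-in IPsec service but whose key name is not that service's, and a service account (ObjectName) that is also hidden from the logon screen through SpecialAccounts\UserList. The Python below is an added example and not AVERT's tooling: it parses a small .reg-style export (constructed here, with `xk3q9` standing in for the [random] names in the description) and cross-correlates those values. The assumption that the genuine IPsec service is named PolicyAgent is this example's own.

```python
"""Cross-check registry persistence artefacts of the kind listed above.

Added example, not part of the AVERT description. Parses a .reg-style
export (REG_SZ and REG_DWORD values only) and applies three checks derived
from the listed keys. The export is constructed; 'xk3q9' stands in for the
[random] names in the description.
"""
import re

SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"xk3q9.exe"="C:\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\xk3q9.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xk3q9]
"ImagePath"="\"C:\\Program Files\\Common Files\\System\\xk3q9.exe\""
"ObjectName"=".\\isescmfRBTVs"
"Description"="Manages IP security policy and starts the ISAKMP/Oakley (IKE) and the IP security driver."

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent]
"Description"="Manages IP security policy and starts the ISAKMP/Oakley (IKE) and the IP security driver."
"ObjectName"="LocalSystem"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList]
"isescmfRBTVs"=dword:00000000
'''

RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
SERVICES_PREFIX = r"hkey_local_machine\system\currentcontrolset\services" + "\\"
USERLIST_KEY = (r"hkey_local_machine\software\microsoft\windows nt\currentversion"
                r"\winlogon\specialaccounts\userlist")
# Assumption of this example: the genuine IPsec service key is named PolicyAgent.
IPSEC_SERVICE = "policyagent"
IPSEC_DESCRIPTION = ("Manages IP security policy and starts the ISAKMP/Oakley (IKE) "
                     "and the IP security driver.")

_VALUE_RE = re.compile(r'^(?:"([^"]+)"|@)=(.*)$')


def parse_reg_export(text):
    """Return {key path (lowercase): {value name (lowercase): str | int}}."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys[current] = {}
            continue
        m = _VALUE_RE.match(line)
        if m is None or current is None:
            continue
        name = (m.group(1) or "@").lower()
        value = m.group(2)
        if value.startswith('"') and value.endswith('"'):
            # REG_SZ: strip the quotes and undo the \\ and \" escaping
            value = re.sub(r"\\(.)", r"\1", value[1:-1])
        elif value.lower().startswith("dword:"):
            value = int(value[6:], 16)
        keys[current][name] = value
    return keys


def review_persistence(keys):
    """Return a list of (category, detail) findings over a parsed export."""
    findings = []
    # 1. Run values whose command lives in a Temp directory
    for name, cmd in keys.get(RUN_KEY, {}).items():
        if isinstance(cmd, str) and re.search(r"\\temp\\", cmd, re.IGNORECASE):
            findings.append(("run-from-temp", f"{name} -> {cmd}"))
    # Accounts hidden from the logon screen: UserList values set to 0
    hidden = {name for name, v in keys.get(USERLIST_KEY, {}).items() if v == 0}
    for path, values in keys.items():
        if not path.startswith(SERVICES_PREFIX):
            continue
        svc = path[len(SERVICES_PREFIX):]
        if "\\" in svc:
            continue  # Parameters and other subkeys of a service
        # 2. Description copied from the built-in IPsec service under another name
        if values.get("description") == IPSEC_DESCRIPTION and svc != IPSEC_SERVICE:
            findings.append(("cloned-service-description",
                             f"{svc} ImagePath={values.get('imagepath')}"))
        # 3. Service runs as a local account that UserList hides
        obj = values.get("objectname", "")
        if isinstance(obj, str) and obj.startswith(".\\") and obj[2:].lower() in hidden:
            findings.append(("hidden-service-account", f"{svc} runs as {obj}"))
    return findings


def review_sample():
    """Run the three checks over the constructed export."""
    return review_persistence(parse_reg_export(SAMPLE_REG_EXPORT))


if __name__ == "__main__":
    for category, detail in review_sample():
        print(f"[{category}] {detail}")
```

The genuine PolicyAgent entry in the sample produces no finding, which is the point of keying the description check on the service name rather than on the description text alone; on a real export the same parser can be pointed at the output of `reg export` for the three hives involved.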
Symptoms
Method of Infection
Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, etc.
Removal
AVERT recommends always using the latest DATs and engine. This threat will be cleaned with that combination.
Additional Windows ME/XP removal considerations
Variants
N/A