Content
QDial-45
- Type
- Trojan
- SubType
- Dialer
- Discovery Date
- 08/02/2006
- Length
- Minimum DAT
- 4820 (08/02/2006)
- Updated DAT
- 6546 (11/30/2011)
- Minimum Engine
- 5.1.00
- Description Added
- 08/02/2006
- Description Modified
- 09/07/2006 10:29 AM (PT)
Tab Navigation
Characteristics
There are two components of this trojan a DLL downloader and a PE file. The DLL downloader copies itself in alternate data streams with a random name. For Example
- %WINDIR%\system32\:craa.dll - detected as QDial-45.dldr
The downloader creates following DNS requests to download the Dialer trojan.
- www.wschooler.com
- 195.225.177.22/[blocked]/pic.gif[bloked]
The downloaded file is encrypted and has GIF header to bypass the virus scanners. The DLL parses this file to create a random named executable in the following directory.
- c:\documents and settings\%USER%\my documents\ [random numbers].exe - 61,440 bytes
Upon execution the trojan creates following files and registry keys.
Files
- c:\program files\common files\system\[random].exe - encrypted data file - hidden
- c:\documents and settings\%USER%\local settings\temp\tbyq1.exe - Detected as Qdial-45
- %WINDIR%\temp\2.tmp ( 55808 bytes )
- %WINDIR%\temp\tbyq1.exe ( 17920 bytes ) - Detected as Qdial-45
Registry
The following registry keys are created*
- hkey_local_machine\software\microsoft\windows\currentversion\run
\[random].exe="C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\[random].exe" - hkey_local_machine\system\currentcontrolset\services\[random]
\imagepath=""C:\Program Files\Common Files\System\[random].exe"" - hkey_local_machine\system\currentcontrolset\services\[random]\objectname=".\isescmfRBTVs"
- hkey_local_machine\system\currentcontrolset\services\[random]\description="Manages IP security policy and starts the ISAKMP/Oakley (IKE) and the IP security driver."
- hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon\specialaccounts\userlist\isescmfrbtvs="0"
* Since most keys have random values associated only those significant are highlighted.
Symptoms
Method of Infection
Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, etc.
Removal
All Users:
Please use the following instructions for all supported versions of Windows to remove threats and other potential risks:
2.Update to current engine and DAT files for detection and removal.
3.Run a complete system scan.
Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).
1. Please go to the Microsoft Recovery Console and restore a clean MBR.
On windows XP:
Insert the Windows XP CD into the CD-ROM drive and restart the computer.
When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
Select the Windows installation that is compromised and provide the administrator password
Issue 'fixmbr' command to restore the Master Boot Record
Follow onscreen instructions
Reset and remove the CD from CD-ROM drive.
On Windows Vista and 7:
Insert the Windows CD into the CD-ROM drive and restart the computer.
Click on "Repair Your Computer"
When the System Recovery Options dialog comes up, choose the Command Prompt.
Issue 'bootrec /fixmbr' command to restore the Master Boot Record
Follow onscreen instructions
Reset and remove the CD from CD-ROM drive.
Variants
Variants
N/A
All Information
Overview -
Qdial-45 is a encrypted trojan that is responsible for disconnecting the original modem connection and making a new call at higher rates, to display the adult contents. The trojan generally downloaded via a BHO. The downloader component of this trojan is installed in Alternate Data Streams.
Aliases
- Gromozon
Characteristics
Characteristics -
There are two components of this trojan a DLL downloader and a PE file. The DLL downloader copies itself in alternate data streams with a random name. For Example
- %WINDIR%\system32\:craa.dll - detected as QDial-45.dldr
The downloader creates following DNS requests to download the Dialer trojan.
- www.wschooler.com
- 195.225.177.22/[blocked]/pic.gif[bloked]
The downloaded file is encrypted and has GIF header to bypass the virus scanners. The DLL parses this file to create a random named executable in the following directory.
- c:\documents and settings\%USER%\my documents\ [random numbers].exe - 61,440 bytes
Upon execution the trojan creates following files and registry keys.
Files
- c:\program files\common files\system\[random].exe - encrypted data file - hidden
- c:\documents and settings\%USER%\local settings\temp\tbyq1.exe - Detected as Qdial-45
- %WINDIR%\temp\2.tmp ( 55808 bytes )
- %WINDIR%\temp\tbyq1.exe ( 17920 bytes ) - Detected as Qdial-45
Registry
The following registry keys are created*
- hkey_local_machine\software\microsoft\windows\currentversion\run
\[random].exe="C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\[random].exe" - hkey_local_machine\system\currentcontrolset\services\[random]
\imagepath=""C:\Program Files\Common Files\System\[random].exe"" - hkey_local_machine\system\currentcontrolset\services\[random]\objectname=".\isescmfRBTVs"
- hkey_local_machine\system\currentcontrolset\services\[random]\description="Manages IP security policy and starts the ISAKMP/Oakley (IKE) and the IP security driver."
- hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon\specialaccounts\userlist\isescmfrbtvs="0"
* Since most keys have random values associated only those significant are highlighted.
Symptoms
Symptoms -
Method of Infection
Method of Infection -
Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, etc.
Removal -
Removal -
All Users:
Please use the following instructions for all supported versions of Windows to remove threats and other potential risks:
2.Update to current engine and DAT files for detection and removal.
3.Run a complete system scan.
Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).
1. Please go to the Microsoft Recovery Console and restore a clean MBR.
On windows XP:
Insert the Windows XP CD into the CD-ROM drive and restart the computer.
When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
Select the Windows installation that is compromised and provide the administrator password
Issue 'fixmbr' command to restore the Master Boot Record
Follow onscreen instructions
Reset and remove the CD from CD-ROM drive.
On Windows Vista and 7:
Insert the Windows CD into the CD-ROM drive and restart the computer.
Click on "Repair Your Computer"
When the System Recovery Options dialog comes up, choose the Command Prompt.
Issue 'bootrec /fixmbr' command to restore the Master Boot Record
Follow onscreen instructions
Reset and remove the CD from CD-ROM drive.
Variants
Variants -
N/A