Content
Dialer-318
- Type
- Program
- SubType
- Dialer
- Discovery Date
- 06/20/2007
- Length
- Minimum DAT
- 5058 (06/21/2007)
- Updated DAT
- 5122 (09/18/2007)
- Minimum Engine
- 5.1.00
- Description Added
- 06/20/2007
- Description Modified
- 06/20/2007 5:36 AM (PT)
Tab Navigation
Characteristics
McAfee® Avert® Labs recognizes that this program may have legitimate uses in contexts where an authorized administrator has knowingly installed this application. If you agreed to a license agreement for this, or another bundled application, you may have legal obligations with regard to removing this software, or using the host application without this software. Please contact the software vendor for further information.
See http://vil.nai.com/vil/DATReadme.asp for a list of Program detections added to the DATs.
See http://vil.nai.com/vil/pups/configuration.htm for information about how to enable, disable, and exclude detection of legitimately installed programs.
The program was spammed inside an e-mail attachment called foto100607.zip. Inside there are 2 files, a 32 bit PE binary called video-1.exe (32.400 bytes) and a picture file called foto2.jpg (3.060 bytes).
Detection was added to cover for a potentially unwanted dialer program called "video-1.exe" (filesize 32.400 bytes). The file is internally compressed with the upx packer. The binary also has a deceiving mail icon.
Upon running the file manually , it runs silently, no gui messageboxes appear.
It immediately tries to open a weblink: http://www.qoo####er.com/lan.asp to try to access \gratis.pbk
It might also open up http://www.sessosub####.net/sex#####
The above weblinks have been modified on purpose here with # markings to not show the exact addresses.
The ras dialup modem connection may access arguable adult websites.
It might change the Internet Explorer main start page.
It might change the Internet Explorer Zones settigns.
Symptoms
Method of Infection
Variants
Variants
N/A
All Information
Overview -
Aliases
- clicker.ghx (AVG)
- downloader.goobiz (NAV)
- trj/trustsites.d (Panda)
- trojan-clicker.win32.agent.ip (AVP)
- win32/lowzones.gen!d (MSMP)
Characteristics
Characteristics -
McAfee® Avert® Labs recognizes that this program may have legitimate uses in contexts where an authorized administrator has knowingly installed this application. If you agreed to a license agreement for this, or another bundled application, you may have legal obligations with regard to removing this software, or using the host application without this software. Please contact the software vendor for further information.
See http://vil.nai.com/vil/DATReadme.asp for a list of Program detections added to the DATs.
See http://vil.nai.com/vil/pups/configuration.htm for information about how to enable, disable, and exclude detection of legitimately installed programs.
The program was spammed inside an e-mail attachment called foto100607.zip. Inside there are 2 files, a 32 bit PE binary called video-1.exe (32.400 bytes) and a picture file called foto2.jpg (3.060 bytes).
Detection was added to cover for a potentially unwanted dialer program called "video-1.exe" (filesize 32.400 bytes). The file is internally compressed with the upx packer. The binary also has a deceiving mail icon.
Upon running the file manually , it runs silently, no gui messageboxes appear.
It immediately tries to open a weblink: http://www.qoo####er.com/lan.asp to try to access \gratis.pbk
It might also open up http://www.sessosub####.net/sex#####
The above weblinks have been modified on purpose here with # markings to not show the exact addresses.
The ras dialup modem connection may access arguable adult websites.
It might change the Internet Explorer main start page.
It might change the Internet Explorer Zones settigns.
Symptoms
Symptoms -
Method of Infection
Method of Infection -
Removal -
Removal -
Instructions on Enabling/Disabling Detection and Removal of Potentially Unwanted Programs
Variants
Variants -
N/A
