F-Secure
Tools
Dialer:W32/CarpeDiem
| Name : | Dialer:W32/CarpeDiem |
| Detection Names : |
Dialer.Generic.8727 Porn-Dialer.Win32.CapreDeam |
| Aliases : |
Dialer.CarpeDiem (Symantec) Dial/Carped-K (Sophos) |
| Category: | Riskware |
| Type: | Dialer |
| Platform: | W32 |
| Threat Level: | Epidemic |
Summary
A program that connects the computer to the Internet via a telephone line and modem. Malicious dialers will secretly connect the computer to premium-rate lines.
Details
Registry Modifications
Sets these values:
• HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\MUICache\
C:\WINDOWS\Temp\MT\sample.exe = H o t C o n n e c t o r
C:\WINDOWS\Temp\MT\sample.exe = H o t C o n n e c t o r
• HKCU\Software\Microsoft\SystemCertificates\TrustedPublisher\Certificates\2DCB4C0C78BBE64B52C0312BAB2E95EA2971C353
Blob =
Blob =
• HKCU\Software\Montorgueil\Kit0
Modem =
Modem =
• HKCU\Software\Montorgueil\Kit0
CanLaunch = N
CanLaunch = N
• HKCU\Software\Montorgueil\Kit0
Device =
Device =
• HKCU\Software\Montorgueil\Kit0
Num = 0
Num = 0
• HKCU\Software\Montorgueil\Kit0
Prefixe =
Prefixe =
• HKCU\Software\Montorgueil\Kit0
Silent = N
Silent = N
• HKCU\Software\Montorgueil\Kit0
Standard = N
Standard = N
• HKCU\Software\Montorgueil\Kit0/17165\1
Fournisseur = 0
Fournisseur = 0
• HKCU\Software\Montorgueil\Kit0/17165\1
Ver = 1406368
Ver = 1406368
• HKCU\Software\Montorgueil\Kit0/17165\1
Produit = 429
Produit = 429
• HKCU\Software\Montorgueil\Kit0/17165\1
Tracking = 0
Tracking = 0
• HKCU\Software\Montorgueil\Kit0\UserId
ID = 0025718
ID = 0025718
• HKCU\Software\Montorgueil\Kit0\UserId
Pays = 1
Pays = 1
• HKCU\Software\Montorgueil\Kit0\UserId
Langue = 9
Langue = 9
Creates these keys:
• HKCU\Software\Microsoft\SystemCertificates\TrustedPublisher\Certificates\2DCB4C0C78BBE64B52C0312BAB2E95EA2971C353
• HKCU\Software\Montorgueil
• HKCU\Software\Montorgueil\Kit0
• HKCU\Software\Montorgueil\Kit0\17165
• HKCU\Software\Montorgueil\Kit0/17165
• HKCU\Software\Montorgueil\Kit0/17165\1
• HKCU\Software\Montorgueil\Kit0\UserId
Additional Details
The detection name Dialer:W32/Carpediem identifies various premium-rate content dialers associated with the Carpediem.fr domain.
These programs provide users with an Internet connection by dialing an expensive pay-per-minute phone number with the computer's modem, while offering access to pornographic content.
Installation
When first executed, the dialer will create copies of itself in the following locations:
A start menu folder with the name HOT Dialer containing shortcuts to the file will be created, as well as a desktop shortcut.
It then presents the user with an End User License Agreement (EULA) and various message boxes, which the user must click through to approve usage of the premium number. The user is given multiple opportunities to decline usage.
These programs provide users with an Internet connection by dialing an expensive pay-per-minute phone number with the computer's modem, while offering access to pornographic content.
Installation
When first executed, the dialer will create copies of itself in the following locations:
• %windir%\Temp\MT\[filename].exe
• %programfiles%\Montorgueil\[filename]\[filename].exe
A start menu folder with the name HOT Dialer containing shortcuts to the file will be created, as well as a desktop shortcut.
It then presents the user with an End User License Agreement (EULA) and various message boxes, which the user must click through to approve usage of the premium number. The user is given multiple opportunities to decline usage.