Additional Details
This malware family behaves as a typical malicious dialer. It connects to premium rate numbers in order to increase its monetary gain from users of the service. Depending on the bundled configuration, this family also provides users with access to pornographic websites.
Additional download attempts may be triggered when the dialer updates itself or when it is uninstalled. The files are typically downloaded from file hosting sites; which files are downloaded, and from which site, varies with the specific dialer installed.
It is related to Dialer:W32/InstantAccess.
Upon execution it may show an application window such as the following:
It may create files in the following location:
- %Program Files%\Instant Access
The folder also contains a copy of the dialer program, with the filename 'instant access.exe'.
It may create the following files:
- %Windir%\[filename].ini (configuration file)
- %Systemdir%\[filename].exe (copy of itself)
- %Desktop%\[filename].lnk (shortcut link file to 'instant access.exe')
- %UserProfile%\Start Menu\[filename].lnk (shortcut link file to 'instant access.exe')
It may also create various registry entries.
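A triage check for the file artifacts listed above, as an added example that is not part of the original description: it looks for the 'Instant Access' folder and 'instant access.exe' under a Program Files directory, and for .lnk files that reference that executable. The function names, the directory arguments and the raw byte search of shortcut contents (used here instead of full .lnk parsing) are assumptions of this example.

```python
import tempfile
from pathlib import Path

DIALER_DIR = "instant access"       # folder name from the description, lower-cased
DIALER_EXE = "instant access.exe"   # dialer copy named in the description


def lnk_references_dialer(lnk_path):
    """True if the shortcut's raw bytes mention the dialer executable.

    Assumption: shortcut files keep the target path as ANSI and/or UTF-16LE
    text, so a case-insensitive byte search stands in for a full .lnk parser.
    """
    data = Path(lnk_path).read_bytes().lower()   # lowers ASCII bytes only
    return (DIALER_EXE.encode("ascii") in data
            or DIALER_EXE.encode("utf-16-le") in data)


def find_artifacts(program_files, shortcut_dirs):
    """Return sorted (kind, path) findings under the given directories."""
    findings = []
    pf = Path(program_files)
    for entry in (pf.iterdir() if pf.is_dir() else []):
        # Windows names are case-insensitive, so compare lower-cased.
        if entry.is_dir() and entry.name.lower() == DIALER_DIR:
            findings.append(("install_dir", str(entry)))
            for f in entry.iterdir():
                if f.is_file() and f.name.lower() == DIALER_EXE:
                    findings.append(("dialer_exe", str(f)))
    for root in map(Path, shortcut_dirs):
        if not root.is_dir():
            continue
        for lnk in root.rglob("*"):
            if (lnk.is_file() and lnk.suffix.lower() == ".lnk"
                    and lnk_references_dialer(lnk)):
                findings.append(("shortcut", str(lnk)))
    return sorted(findings)


if __name__ == "__main__":
    # Constructed sample tree standing in for a mounted disk image.
    with tempfile.TemporaryDirectory() as tmp:
        pf, desktop = Path(tmp, "Program Files"), Path(tmp, "Desktop")
        (pf / "Instant Access").mkdir(parents=True)
        (pf / "Instant Access" / "instant access.exe").write_bytes(b"MZ")
        desktop.mkdir()
        target = "C:\\Program Files\\Instant Access\\instant access.exe"
        (desktop / "x.lnk").write_bytes(b"L\x00\x00\x00" + target.encode("utf-16-le"))
        for kind, path in find_artifacts(pf, [desktop]):
            print(kind, path)
```

Pass the Program Files directory and the Desktop and Start Menu directories of each user profile; a shortcut hit without the install folder can indicate a partially removed installation.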