F-Secure Virus Descriptions : Wdialupd
| NAME: | Wdialupd |
| ALIAS: | W32/Wdialupd.Adware, PornDial-177, Dialer.Porno.J, TROJ_WDIALUPD.A, Trojan.Win32.Dialer, Dialer |
TECHNICAL INFORMATION
We have received several reports about this adware/downloader.
The messages in which the adware was distributed appear to share
certain characteristics. The 'From:' field always consists
of a seemingly random sequence of alphanumeric characters
followed by '@yahoo.com'. In the reports we received, the length
of the alphanumeric string was not constant.
The 'Subject:' field resembles those of common spam
(unsolicited e-mail), referring to porn and other miscellaneous
topics.
The attachment names differ from message to message; they can
be the following:
action.zip
adult_movies.zip
my_videos.zip
mymovie.zip
yourfreemovie.zip
These ZIP files contain executables that are the actual
installers/downloaders of the Wdialupd adware. The names of known
Wdialupd executable files are:
1714.exe
2453.exe
2702.exe
5298.exe
When run, Wdialupd asks the user to select his/her location and
then attempts to download and activate additional components from
the Internet without asking for permission.
It posts information on the user's location/language to the same
address from which it tries to download files. Nothing confidential
appears to be posted.
The address is a hardcoded IP physically situated in Spain. At the
time of this writing the address is unreachable.
The Wdialupd adware is detected by F-Secure Anti-Virus as:
Security risk or a "backdoor" program
because of its intrusiveness and because it appears to collect
information about computer users.
It is advised to delete messages with Wdialupd downloaders and
avoid running their executable files.
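To find such messages in a mail store, the characteristics listed above can be checked mechanically. The following Python sketch is an added example, not F-Secure's detection logic; the function names, the sender regular expression (an assumed model of "seemingly random alphanumeric") and the constructed sample message are all assumptions.

```python
import io
import re
import zipfile
from email import message_from_bytes
from email.message import EmailMessage
from email.utils import parseaddr

# Indicators copied from the description.
ATTACHMENTS = {"action.zip", "adult_movies.zip", "my_videos.zip",
               "mymovie.zip", "yourfreemovie.zip"}
EXECUTABLES = {"1714.exe", "2453.exe", "2702.exe", "5298.exe"}
# Assumption: "random alphanumeric" is modelled as a letters-and-digits-only local part.
SENDER_RE = re.compile(r"^[a-z0-9]+@yahoo\.com$", re.IGNORECASE)

def wdialupd_indicators(raw: bytes) -> list:
    """Return the indicators from the description that a raw message matches."""
    msg = message_from_bytes(raw)
    hits = []
    if SENDER_RE.match(parseaddr(msg.get("From", ""))[1]):
        hits.append("sender")
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if not name.endswith(".zip"):
            continue
        if name in ATTACHMENTS:
            hits.append("attachment:" + name)
        try:  # list member names only; nothing is extracted or run
            with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True) or b"")) as zf:
                members = zf.namelist()
        except zipfile.BadZipFile:
            continue  # not a readable archive, so no member names to check
        for member in members:
            base = member.replace("\\", "/").rsplit("/", 1)[-1].lower()
            if base in EXECUTABLES:
                hits.append("executable:" + base)
    return hits

def build_sample(sender: str, zip_name: str, member: str) -> bytes:
    """Constructed test message; the archive member is placeholder text."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, b"placeholder, not an executable")
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, "user@example.org", "constructed sample"
    msg.set_content("constructed body")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename=zip_name)
    return msg.as_bytes()
```

File names and sender patterns are easy to change, so a match is a triage signal for review rather than a verdict, and the sender pattern alone will also match ordinary Yahoo addresses.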
[Description: Ero Carrera, Alexey Podrezov; F-Secure Corp.; May 26th-June 9th, 2003]