
Trojan:WinCE/Terdial

Classification

Category: Malware

Platform: WinCE

Type: Trojan

Aliases: Trojan:WinCE/Terdial

Summary

Terdial is a trojanized version of a game adapted for the Windows Mobile Platform.

Removal

Technical Details

The trojan's payload involves calling premium-rate numbers at set intervals, potentially resulting in high user telephone charges.

Installation

The malware spreads in these packages:

  • antiterrorist3d.cab
  • codecpack.cab

The malware installs an additional file, which is copied to the system directory under the name smart32.exe.

Activity

The trojan's payload involves calling six premium-rate numbers every 50 seconds, but the second variant has increased the time to 500 seconds. The numbers are:

  • +8823460777
  • +17675033611
  • +88213213214
  • +25240221601
  • +2392283261
  • +881842011123

The payload is time triggered (therefore known as a 'time bomb') and appears to use the following logic to determine when the payload is triggered. After it is first executed (for installation), the trojan sets a time for running its 'call' routine using the algorithm:

  • Time bomb = (Day of First time execution + 3) and (Hour of First time execution - [random integer from 0-6])

For example, if the trojan was first executed on Tuesday 13 April 2010 at 1415hrs and the random integer is 4, the time bomb is set on Friday 16 April 2010 at 1015hrs. If the application is executed again before this time bomb goes off, a second time bomb is set for the same time in the following month.

  • New time bomb set for later execution = (Month of execution + 1)

For example, if the second execution was triggered at Tuesday 13 April 2010 1422hrs, a new bomb will be set for the following month, Tuesday 13 May 2010 1422hrs.
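
The scheduling logic above can be turned into a small triage helper for an analyst who knows when the trojan first ran and wants to bound when calls could have started. This is an added example, not F-Secure's code or the trojan's; the function names, the sample call log and the handling of hour, month and year rollover are assumptions.

```python
import calendar
from datetime import datetime, timedelta

# Premium-rate numbers listed in this description.
TERDIAL_NUMBERS = {
    "+8823460777", "+17675033611", "+88213213214",
    "+25240221601", "+2392283261", "+881842011123",
}

def candidate_triggers(first_run):
    """Possible first time bombs: day + 3, hour - r for each r in 0..6.
    Assumption: the hour subtraction is plain clock arithmetic."""
    base = first_run + timedelta(days=3)
    return [base - timedelta(hours=r) for r in range(7)]

def rearmed_trigger(rerun):
    """Time bomb after a re-run: same day and time, month + 1.
    Assumption: year rollover and short months are clamped; the page
    does not describe what the trojan does in those cases."""
    year = rerun.year + rerun.month // 12
    month = rerun.month % 12 + 1
    day = min(rerun.day, calendar.monthrange(year, month)[1])
    return rerun.replace(year=year, month=month, day=day)

def triage_calls(first_run, calls):
    """Return (timestamp, number, in_window) for calls to listed numbers.
    in_window is True when the call is at or after the earliest candidate."""
    earliest = min(candidate_triggers(first_run))
    return [(ts, num, ts >= earliest)
            for ts, num in calls if num in TERDIAL_NUMBERS]

# Constructed sample: first run as in the description's example, plus a
# made-up outgoing call log (the +1555 number is a placeholder).
FIRST_RUN = datetime(2010, 4, 13, 14, 15)
SAMPLE_CALLS = [
    (datetime(2010, 4, 14, 9, 0, 0), "+15550100"),
    (datetime(2010, 4, 16, 10, 15, 0), "+8823460777"),
    (datetime(2010, 4, 16, 10, 15, 50), "+17675033611"),
]

if __name__ == "__main__":
    for t in candidate_triggers(FIRST_RUN):
        print("candidate trigger:", t)
    print("re-armed:", rearmed_trigger(datetime(2010, 4, 13, 14, 22)))
    for hit in triage_calls(FIRST_RUN, SAMPLE_CALLS):
        print("flagged call:", hit)
```
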

The installed file uses the CeRunAppAtTime function to self-launch.

Uninstallation instructions

F-Secure products effectively delete the corresponding files, which disables the malware. However, the system changes will remain. To completely remove the malware, follow the steps provided below:

  1. Delete these files using file explorer:
  2. Delete the notification (windows\smart32.exe) using task manager
  3. Delete the registry key HKEY_CURRENT_USER\Alpha\Status using registry edit
  4. Reboot
