Dialer:W32/EgroupDial

Classification

Category :

Riskware

Type :

Dialer

Summary

A program that connects the computer to the Internet via a telephone line and modem. Malicious dialers secretly connect the computer to premium-rate lines, greatly increasing the usage charges payable by the user.

Removal

Based on the settings of your F-Secure security product, it may block the file from running, move it to the quarantine where it cannot spread or cause harm, or ask you to select an action.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

This malware family behaves as a typical malicious dialer. It connects to premium rate numbers in order to increase its monetary gain from users of the service.& Depending on the bundled configuration, this family also provides users with access to pornographic websites.

Additional download attempts may be triggered when the dialer updates itself or when it is uninstalled. The downloaded files are typically downloaded from file hosting sites; what files are downloaded from which site will vary depending on the specific dialer installed.

It is related to Dialer:W32/InstantAccess.

Upon execution it may show an application window.

It may create files in the following location:

  • %Program Files%\Instant Access

The folder also contains a copy of the dialer program, with the filename 'instant access.exe'.

It may creates the following files:

  • %Windir%\[filename].ini - configuration file
  • %Systemdir%\[filename].exe - copy of itself
  • %Desktop%\[filename].lnk - shortcut link file to 'instant access.exe'
  • %UserProfile%\Start Menu\[filename].lnk - shortcut link file to 'instant access.exe'

It may also create various registry entries.

Registry Modifications

Creates these keys:

  • HKEY_CLASSES_ROOT\CLSID\%CLSID_Number%\LocalServer32 (Default) = "%Systemdir%\[filename].exe /run"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Instant Access = "%Systemdir%\[filename].exe /res"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Instant Access DisplayName = "Instant Access"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Instant Access UninstallString = "%Program Files%\Internet Explorer\IEXPLORE.EXE %http_uninstall_link%"
  • HKEY_CURRENT_USER\Software\EGDHTML update_script = %http_update_link% upd_com_time = %dword_value% upd_com_time_between = %dword_value%
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Trust Database\%number%%random characters% = "electronic-group"