Classification

Category :

Malware

Type :

Trojan

Aliases :

Wdialupd, W32/Wdialupd.Adware, PornDial-177, Dialer.Porno.J, TROJ_WDIALUPD.A, Trojan.Win32.Dialer, Dialer

Summary

We have received several reports about this adware/downloader. The messages in which the adware was distributed appear to have certain common characteristics.

Removal

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

The 'From:' field always consists of a seemingly random sequence of alphanumeric characters followed by '@yahoo.com'. In the reports we received, the length of the alphanumeric string was not constant.

The 'Subject:' field looks like those from common SPAM (unsolicited email), referring to porn and other miscellaneous topics.

The attachment name differs from message to message. It can be any of the following:

action.zip
adult_movies.zip
my_videos.zip
mymovie.zip
yourfreemovie.zip
 

These ZIP files contain executables that are the actual installers/downloaders of the Wdialupd adware. The names of known Wdialupd executable files are:

1714.exe
2453.exe
2702.exe
5298.exe
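
The indicators listed above (sender pattern, attachment names, executable names inside the ZIP) can be checked together at a mail gateway. The following Python sketch is an added example, not F-Secure code; the function names and result tags are assumptions, and the sample message it can build is constructed with a harmless dummy member.

```python
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Indicators copied from the description above.
ATTACHMENT_NAMES = {"action.zip", "adult_movies.zip", "my_videos.zip",
                    "mymovie.zip", "yourfreemovie.zip"}
KNOWN_EXECUTABLES = {"1714.exe", "2453.exe", "2702.exe", "5298.exe"}
# Alphanumeric local part at yahoo.com; weak alone (matches ordinary Yahoo users).
SENDER_RE = re.compile(r"[a-z0-9]+@yahoo\.com", re.IGNORECASE)

def zip_executables(data):
    """Lower-cased base names of .exe members; empty list if not a readable ZIP."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            names = [n.rsplit("/", 1)[-1].lower() for n in archive.namelist()]
    except zipfile.BadZipFile:
        return []
    return [n for n in names if n.endswith(".exe")]

def match_wdialupd(raw_message):
    """Return the indicators from this description found in a raw message (bytes)."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    hits = []
    if SENDER_RE.fullmatch(parseaddr(str(msg.get("From", "")))[1]):
        hits.append("sender-pattern")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name in ATTACHMENT_NAMES:
            hits.append("attachment-name:" + name)
        if name.endswith(".zip"):
            for exe in zip_executables(part.get_payload(decode=True) or b""):
                tag = "known-exe:" if exe in KNOWN_EXECUTABLES else "exe-in-zip:"
                hits.append(tag + exe)
    return hits

def build_sample(sender, zip_name, member):
    """Constructed test message: a ZIP attachment holding one harmless dummy member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr(member, b"placeholder bytes, not an executable")
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, "user@example.com", "constructed sample"
    msg.set_content("constructed body")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename=zip_name)
    return msg.as_bytes()
```

Because the sender pattern also matches legitimate Yahoo addresses, a gateway rule should act on the executable and attachment-name hits and use the sender hit only as supporting evidence.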
 

When run, Wdialupd asks the user to select his/her location and then attempts to download and activate additional components from the Internet without asking for permission.

It posts information on the user's location/language to the same address from which it tries to download files. Nothing confidential appears to be posted.

The address is a hardcoded IP physically situated in Spain. At the time of this writing the address is unreachable.

The Wdialupd adware is detected by F-Secure Anti-Virus as:

Security risk or a "backdoor" program
 

because of its intrusiveness and because it appears to collect information about computer users.

It is advised to delete messages with Wdialupd downloaders and avoid running their executable files.