Win32/Dialer [Threat Name]

Win32/Dialer.NKM [Threat Variant Name]

Category: trojan
Size: 8613 B
Aliases:

  • Trojan.Win32.Agent.cuji (Kaspersky)
  • Trojan:Win32/Stresid.C (Microsoft)
  • Dialer.Trojan (Symantec)
  • Win32:Dialer-gen (Avast)

Short description

Win32/Dialer.NKM is a trojan which tries to download other malware from the Internet. The file is run-time compressed using FSG.

Installation

When executed, the trojan copies itself into the following location:

  • %system%\%variable1%%variable2%.exe

The %variable1% is one of the following strings:

  • csr
  • ctf
  • drv
  • dsk
  • hlp
  • lsa
  • man
  • mod
  • mon
  • net
  • sql
  • srv
  • svc
  • sys
  • tsk
  • upd
  • win

A string with variable content is used instead of %variable2%.


The file is then executed.


The trojan schedules a task that causes the following file to be executed repeatedly:

  • %system%\%variable1%%variable2%.exe

The trojan may set the following Registry entries:

  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    • "%variable1%%variable2%.exe" = "%system%\%variable1%%variable2%.exe"
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "%variable1%%variable2%.exe" = "%system%\%variable1%%variable2%.exe"

This causes the trojan to be executed on every system start. The trojan executes the following command:

  • %system%\cmd.exe /c start "" /b "%system%\%variable1%%variable2%.exe"
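
The Run-key pattern described above can be turned into a triage check. The following is an added example, not part of the original description or of any vendor tooling; it assumes %system% resolves to C:\Windows\System32, that %variable2% is at least one character long, and uses hypothetical function names and constructed registry entries.

```python
import ntpath
import re

# %variable1% values listed in the description above.
PREFIXES = ("csr", "ctf", "drv", "dsk", "hlp", "lsa", "man", "mod", "mon",
            "net", "sql", "srv", "svc", "sys", "tsk", "upd", "win")

# %variable2% is only described as "variable content"; assumed here to be
# one or more characters directly before ".exe".
NAME_RE = re.compile(r"^(?:%s).+\.exe$" % "|".join(PREFIXES), re.IGNORECASE)

RUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
}


def matches_run_entry(key, name, data, system_dir=r"C:\Windows\System32"):
    """True when a Run value has the shape described above: the value name
    is the file name itself and the data is that file inside %system%."""
    if key.lower() not in RUN_KEYS:
        return False
    directory, filename = ntpath.split(ntpath.normpath(data.strip().strip('"')))
    # The prefix alone is not enough: svchost.exe, winlogon.exe and csrss.exe
    # are legitimate system files that start with listed prefixes.
    return (directory.lower() == ntpath.normpath(system_dir).lower()
            and filename.lower() == name.lower()
            and NAME_RE.match(filename) is not None)


def scan(entries, system_dir=r"C:\Windows\System32"):
    """Return the (key, name, data) tuples that match the described shape."""
    return [e for e in entries if matches_run_entry(*e, system_dir=system_dir)]


# Constructed sample data, not taken from a real infection.
HKLM = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
HKCU = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
SAMPLE = [
    (HKLM, "svc4f2a.exe", r"C:\Windows\System32\svc4f2a.exe"),
    (HKCU, "updq9.exe", r'"C:\WINDOWS\system32\updq9.exe"'),
    (HKLM, "svchost", r"C:\Windows\System32\svchost.exe"),
    (HKCU, "netsync.exe", r"C:\Users\a\AppData\Roaming\netsync.exe"),
    (HKLM, "SecurityHealth", r"C:\Windows\System32\SecurityHealthSystray.exe"),
]

if __name__ == "__main__":
    for key, name, data in scan(SAMPLE):
        print(f"review: [{key}] {name!r} = {data!r}")
```

A match is a lead for review rather than a verdict; confirm it against the scheduled task and the %temp%\nsbaaa.exe drop described on this page.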
Other information

The trojan contains a list of (2) URLs.


It tries to download several files from the addresses.


These are stored in the following locations:

  • %temp%\nsbaaa.exe

The file is then executed. The HTTP protocol is used.
