Immediate Protection Info
| Signature | Product | Removal Instructions |
|---|---|---|
| 30.7.3717 | CA Antivirus 2007 | |
| 30.7.3717 | eTrust Antivirus v7/8* | |
| 7.x/3717 | eTrust EZ Antivirus 7.x | |
| 30.7.3717 | Vet 7 | |
Description
Win32/Yaptaf.A is a dialer trojan for the Windows platform. It has been distributed as a 132,608-byte executable packed with the 'NTkrnl Secure Suite'.
Method of Infection
When executed, Win32/Yaptaf.A copies itself to "%Common Files%\delsim\del.exe" and creates a link to this file in the Start menu called "del.lnk".
The trojan uses the following file icon:

Note: %Common Files% is a path obtained by the trojan from the registry entry:
HKLM\Software\Microsoft\Windows\CurrentVersion\CommonFilesDir
Payload
Dials Long Distance/Premium Rate Phone Numbers
The trojan contacts the domain "payperdownload.nl" to retrieve phone numbers which are then dialed by the trojan.
The trojan displays the following dialog box when executed:

For additional information:
The trojan creates the following registry entries so that the dialer is displayed in the "Add or Remove Programs" list in the Control Panel.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\delsim\DisplayName = "Delsim Dialer"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\delsim\UninstallString = "%Common Files%\delsim\del.exe -u"
Choosing to uninstall the dialer in this way only removes the link it creates in the Start menu. The trojan remains on the affected system.
Analysis by Amir Fouda
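
The following read-only host check is an added example, not part of the original analysis or any CA tooling. It looks for the file, registry key and Start menu link described above. The function name is hypothetical, and checking the WOW6432Node registry view (where 64-bit Windows redirects 32-bit programs) is an assumption beyond the paths the page lists.

```powershell
# Added example: read-only check for the Win32/Yaptaf.A artifacts named on this page.
function Find-YaptafArtifacts {
    $findings = @()
    # Native registry view plus the 32-bit view on 64-bit Windows (the second is
    # an assumption added here; the page lists only the native paths).
    $views = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion'
    foreach ($cv in $views) {
        if (-not (Test-Path -LiteralPath $cv)) { continue }

        # %Common Files% as the trojan resolves it: the CommonFilesDir value.
        $common = (Get-ItemProperty -LiteralPath $cv).CommonFilesDir
        if ($common) {
            $exe = Join-Path $common 'delsim\del.exe'
            if (Test-Path -LiteralPath $exe -PathType Leaf) {
                $len = (Get-Item -LiteralPath $exe -Force).Length
                $findings += "Dropped copy: $exe ($len bytes)"
            }
        }

        # "Add or Remove Programs" entry created by the trojan.
        $key = "$cv\Uninstall\delsim"
        if (Test-Path -LiteralPath $key) {
            $p = Get-ItemProperty -LiteralPath $key
            $findings += "Uninstall key: $key (DisplayName='$($p.DisplayName)')"
        }
    }

    # Start menu link "del.lnk". The page does not say which Start menu, so
    # both the all-users and current-user folders are searched.
    foreach ($name in 'CommonStartMenu', 'StartMenu') {
        $dir = [Environment]::GetFolderPath($name)
        if (-not $dir) { continue }
        $links = Get-ChildItem -LiteralPath $dir -Filter 'del.lnk' -Recurse -Force -ErrorAction SilentlyContinue
        foreach ($lnk in $links) { $findings += "Start menu link: $($lnk.FullName)" }
    }
    $findings
}

$hits = @(Find-YaptafArtifacts)
if ($hits.Count) { $hits } else { 'No Win32/Yaptaf.A artifacts from this page were found.' }
```

A result that shows the dropped copy but no Start menu link is consistent with the uninstall entry having been used, since that removes only the link.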