Dialer:Win32/Adialer.K is a program that attempts to connect to adult web sites via particular phone numbers without your permission. The dialer may use premium numbers to dial into these sites, resulting in an unexpectedly high phone bill. We have received reports that it has been spammed to users as an email attachment.
This program runs silently, so it is unlikely that you would notice it on your computer.
When executed, Adialer.K checks for RAS (Remote Access Service) capable devices. For each device found, it retrieves the RAS phonebook entry name and changes the connection information listed in the phonebook. The RAS phonebook stores information that enables you to connect to remote servers via a dial-up connection. The phonebook contains all the information that might be required to make a connection, including the phone number to dial, and any other relevant details that might be necessary, such as connection properties or authentication details. By changing the properties of a connection in the phonebook, an attacker can force you to use premium charge numbers for dial-up connections. This results in high phone bills for you and income for the attacker.
After making these changes, Dialer:Win32/Adialer.K may attempt to connect to remote sites using the new connection details added to the phonebook.
Note: In order for this Dialer to successfully perform its payload, your computer would need access to a working dial-up modem connected to a phone line.
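One way to check a machine for the phonebook tampering described above, as an added example that is not part of the original write-up: it compares a saved copy of the phonebook with the current one and flags changed numbers, new entries and premium-rate prefixes. It assumes the INI-style rasphone.pbk layout ([EntryName] sections with PhoneNumber= keys holding the full dial string); the prefix list, function names and sample entries are constructed for illustration.

```python
import re

# Assumed premium-rate prefixes (digits only); adjust for your country and carrier.
PREMIUM_PREFIXES = ("1900", "900", "09")

# Constructed sample data in the assumed rasphone.pbk layout.
BASELINE = "[My ISP]\nType=1\nDEVICE=modem\nPhoneNumber=555-0100\n"
CURRENT = (
    "[My ISP]\nType=1\nDEVICE=modem\nPhoneNumber=1-900-555-0123\n\n"
    "[Fast Access]\nType=1\nDEVICE=modem\nPhoneNumber=555-0199\n"
)

def parse_phonebook(text):
    """Return {entry name: [dial strings]}; keys may repeat, so no configparser."""
    entries, name = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1]
            entries[name] = []
        elif name is not None and "=" in line:
            key, _, value = line.partition("=")
            if key.strip().lower() == "phonenumber" and value.strip():
                entries[name].append(value.strip())
    return entries

def digits(number):
    """Strip separators so '1-900-555' and '1900555' compare equal."""
    return re.sub(r"\D", "", number)

def audit(baseline_text, current_text):
    """List (entry, reason, numbers) for entries that differ from the baseline."""
    baseline = parse_phonebook(baseline_text)
    findings = []
    for name, numbers in parse_phonebook(current_text).items():
        if name not in baseline:
            findings.append((name, "new entry", numbers))
        elif [digits(n) for n in baseline[name]] != [digits(n) for n in numbers]:
            findings.append((name, "number changed", numbers))
        premium = [n for n in numbers if digits(n).startswith(PREMIUM_PREFIXES)]
        if premium:
            findings.append((name, "premium-rate prefix", premium))
    return findings

if __name__ == "__main__":
    for finding in audit(BASELINE, CURRENT):
        print(finding)
```

Entries that split the number across separate area-code and number keys would need those fields joined before the prefix check.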
Additional information
Dialer:Win32/Adialer.K uses the following APIs in order to perform its payload:
- RasEnumDevicesA
- RasEnumConnectionsA
- RasEnumEntriesA
- RasDialA
- RasHangUpA
- RasSetEntryPropertiesA
- RasGetEntryPropertiesA
Analysis by Hong Jia