Threat behavior
Trojan:Win32/Adialer.NAC is a trojan dialer program that connects to a premium number, potentially causing the user to be billed exorbitant amounts.
Installation
Trojan:Win32/Adialer.NAC may arrive in the system as an image file with one of the following names:
- cowboy.jpg
- dals.jpg
- dal.jpg
- dual.jpg
It may create the following folders:
%CommonProgramFiles%\carlson
%CommonProgramFiles%\carlson.1
%CommonProgramFiles%\carlson.3
%CommonProgramFiles%\carlson.2
%CommonProgramFiles%\carlson.4
%CommonProgramFiles%\carlson.5
%CommonProgramFiles%\carlson.6
%CommonProgramFiles%\carlson.8
%CommonProgramFiles%\carlson.7
%CommonProgramFiles%\carlson.9
It then drops itself as the file 'carlton' under the following folders:
- %CommonProgramFiles%
- <Start Menu>
It creates the following registry subkeys and entries as part of its installation process:
Adds value: "uninstExe"
With data: "%CommonProgramFiles%\Carlson\Carlton"
Adds value: "uninstShortcut"
With data: "%CommonStartMenu%\Carlton"
Adds value: "Default"
With data: "<encrypted data>"
Adds value: "InternetProfile"
With data: "<encrypted data>"
Adds value: "price1"
With data: "<location specific>"
Adds value: "price2"
With data: "<location specific>"
Adds value: "phonenumber1"
With data: "<location specific>"
Adds value: "phonenumber2"
With data: "<location specific>"
Adds value: "cc"
With data: "<location specific>"
To subkey: HKCU\Software\Carlson\Connection\Carlton
where <location specific> is data dependent on the location of the affected system.
Adds value: "DisplayName"
With data: "Carlson Dialer"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Carlson
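The folders, dropped file and registry entries listed above can be checked on a host with a short script. The following PowerShell is an added example, not part of the original analysis; the function name is hypothetical, and the "(x86)" and "Wow6432Node" locations are assumptions added to cover 32-bit code running on 64-bit Windows.

```powershell
# Added example: host check built only from the artifacts listed in this description.
function Get-AdialerNacArtifacts {
    # Common Files roots; the (x86) root is an assumption for 64-bit Windows
    $roots = @($env:CommonProgramFiles, ${env:CommonProgramFiles(x86)}) |
        Where-Object { $_ } | Select-Object -Unique

    # Folder names from the description: carlson and carlson.1 .. carlson.9
    $folderNames = @('carlson') + (1..9 | ForEach-Object { "carlson.$_" })
    foreach ($root in $roots) {
        foreach ($name in $folderNames) {
            $path = Join-Path $root $name
            if (Test-Path -LiteralPath $path -PathType Container) {
                [pscustomobject]@{ Type = 'Folder'; Item = $path }
            }
        }
    }

    # Dropped copy 'carlton': Common Files, the Carlson folder (uninstExe data), Start Menu
    $menus = 'StartMenu', 'CommonStartMenu' |
        ForEach-Object { [Environment]::GetFolderPath($_) } | Where-Object { $_ }
    $dirs = @($roots) + @($roots | ForEach-Object { Join-Path $_ 'Carlson' }) + @($menus)
    foreach ($dir in $dirs) {
        $path = Join-Path $dir 'carlton'
        if (Test-Path -LiteralPath $path -PathType Leaf) { [pscustomobject]@{ Type = 'File'; Item = $path } }
    }

    # Per-user connection key; report which value names are present
    $conn = 'HKCU:\Software\Carlson\Connection\Carlton'
    if (Test-Path -LiteralPath $conn) {
        $names = (Get-Item -LiteralPath $conn).GetValueNames() -join ', '
        [pscustomobject]@{ Type = 'RegistryKey'; Item = "$conn [$names]" }
    }

    # Uninstall entry with DisplayName "Carlson Dialer"; Wow6432Node path is an assumption
    $uninstall = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Carlson',
                 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Carlson'
    foreach ($key in $uninstall) {
        $p = Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue
        if ($p -and $p.DisplayName -eq 'Carlson Dialer') {
            [pscustomobject]@{ Type = 'UninstallEntry'; Item = $key }
        }
    }
}

Get-AdialerNacArtifacts | Format-Table -AutoSize
```

The HKCU check covers only the account running the script, so it needs to be run per user profile.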
Payload
Dials premium number
Trojan:Win32/Adialer.NAC is a program that connects to a premium number, which may result in the user being billed exorbitant amounts.
Connects to a Web site
Trojan:Win32/Adialer.NAC attempts to connect to the Web site 'prs.payperdownload.nl' via TCP port 80. It makes this connection to establish the location of the affected system and set the appropriate telephone numbers for its dialing routine.
Analysis by Marian Radu
Prevention