Porn-Dialer.Win32.Intexdial


casioculture

I downloaded a small zip file from p2p and within it was an exe called
selfextract.exe. I hesitated over it, I scanned it with avast which
showed nothing, and then I thought I'd click on it.

I have prevx and it let me know that it was trying to access a file on
C drive, which I denied (vs. allow), so I think if prevx did its job
then it didn't access that file. Then I got a dialog box with a message
in German and an OK button that I closed by clicking the X button in
the top right corner and not the OK button itself. Then a fullscreen
window appeared with many language flags and something about a credit
card, payment or whatever it was that I just closed by clicking X
again.

That was it, I think.

I then submitted the file to Kaspersky online and it said I had this...


Porn-Dialer.Win32.Intexdial

Aliases
Porn-Dialer.Win32.Intexdial (Kaspersky Lab) is also known as:
Dial/Intex-A (Sophos), Dialer-182 (ClamAV), Dialer.Gen (Panda)

I used spybot search and destroy and it found nothing significant
except some ad cookies. I downloaded and ran Kaspersky and let it scan
C drive, then stopped it when it started scanning other drives and by
then it hadn't detected anything.

Any ideas?
 

David H. Lipman

From: <[email protected]>

|
| I downloaded a small zip file from p2p and within it was an exe called
| selfextract.exe. I hesitated over it, I scanned it with avast which
| showed nothing, and then I thought I'd click on it.
|
| I have prevx and it let me know that it was trying to access a file on
| C drive, which I denied (vs. allow), so I think if prevx did its job
| then it didn't access that file. Then I got a dialog box with a message
| in German and an OK button that I closed by clicking the X button in
| the top right corner and not the OK button itself. Then a fullscreen
| window appeared with many language flags and something about a credit
| card, payment or whatever it was that I just closed by clicking X
| again.
|
| That was it, I think.
|
| I then submitted the file to Kaspersky online and it said I had this...
|
| Porn-Dialer.Win32.Intexdial
|
| Aliases
| Porn-Dialer.Win32.Intexdial (Kaspersky Lab) is also known as:
| Dial/Intex-A (Sophos), Dialer-182 (ClamAV), Dialer.Gen (Panda)
|
| I used spybot search and destroy and it found nothing significant
| except some ad cookies. I downloaded and ran Kaspersky and let it scan
| C drive, then stopped it when it started scanning other drives and by
| then it hadn't detected anything.
|
| Any ideas?


Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

It is a self-extracting ZIP file that contains the Kixtart Script Interpreter {
http://kixtart.org Kixtart is CareWare } three batch files, five Kixtart scripts, one Link
(.LNK) file, a PDF instruction file and two utilities; UNZIP.EXE and WGET.EXE. It will
simplify the process of using; Sophos, Trend and McAfee Anti Virus Command Line Scanners to
remove viruses, Trojans and various other malware.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode. This
way all the components can be downloaded from each AV vendor’s web site.
The choices are; Sophos, Trend, McAfee, Exit the menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file.

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.

* * * Please report back your results * * *
 

Art

I downloaded a small zip file from p2p and within it was an exe called
selfextract.exe. I hesitated over it, I scanned it with avast which
showed nothing, and then I thought I'd click on it.

I have prevx and it let me know that it was trying to access a file on
C drive, which I denied (vs. allow), so I think if prevx did its job
then it didn't access that file. Then I got a dialog box with a message
in German and an OK button that I closed by clicking the X button in
the top right corner and not the OK button itself. Then a fullscreen
window appeared with many language flags and something about a credit
card, payment or whatever it was that I just closed by clicking X
again.

That was it, I think.

I then submitted the file to Kaspersky online and it said I had this...


Porn-Dialer.Win32.Intexdial

Aliases
Porn-Dialer.Win32.Intexdial (Kaspersky Lab) is also known as:
Dial/Intex-A (Sophos), Dialer-182 (ClamAV), Dialer.Gen (Panda)

I used spybot search and destroy and it found nothing significant
except some ad cookies. I downloaded and ran Kaspersky and let it scan
C drive, then stopped it when it started scanning other drives and by
then it hadn't detected anything.

Any ideas?

Yes. First of all, I assume you knew to update KAV. But its default
updating site more than likely wasn't set to download the so-called
extra defs which include detection of pornware and dialers.

My emergency download takes care of that. When you run the SFX
an updater is automatically invoked which is set to an extra defs FTP
site. Then an AV program which uses the KAV scan engine is started.
You can download the emergency program here:

http://www.claymania.com/KASFX.EXE

Art

http://home.epix.net/~artnpeg
 

casioculture

David said:
From: <[email protected]>

* * * Please report back your results * * *

Hi Dave,

Thanks. I downloaded this with great excitement and I like the idea a
lot. So far I've only run the Sophos scan as it's the only one that worked.
It sure took its time, 400+ minutes, and found nothing. I'll have to go
into safe mode and try the trend and mcafee too because although they
downloaded their stuff they just didn't run their scans. I had already
restarted the computer, yes.

Oh, and avast said it detected a virus in the stuff trend downloaded; a
VBS:Redlof.

My question, how problematic could this dialer be? Would it steal my
passwords?
 

David H. Lipman

From: <[email protected]>

|
| Hi Dave,
|
| Thanks. I download this with great excitement and I like the idea a
| lot. So far only ran the Sophos scan as it's the only one that worked.
| It sure took its time, 400+ minutes, and found nothing. I'll have to go
| into safe mode and try the trend and mcafee too because although they
| downloaded their stuff they just didn't run their scans. I had already
| restarted the computer, yes.
|
| Oh, and avast said it detected a virus in the stuff trend downloaded; a
| VBS:Redlof.
|
| My question, how problematic could this dialer be? Would it steal my
| passwords?
|

Avast *still* falsely declares Sysclean.exe as having the VBS/Redlof ?
I thought that that was corrected by now as I haven't seen any posts about it lately. {
Sigh }
Anyway -- It's a False Positive declaration.

I think prevx did its job since you ran the Sophos scanner and it was cross-referenced as
"Dial/Intex-A -- Sophos" and if you were infected, Sophos would have found it.

If it was a Password Stealing Trojan it would have PWS in the name. The only way to find
out fully what it is and what it does would be to look it up in virus libraries. The name(s)
imply it's only a "Dialer."

Dial/Intex-A -- Sophos
http://www.sophos.com/virusinfo/analyses/dialintexa.html

Dialer.Gen -- Panda
http://www.pandasoftware.com/virus_info/encyclopedia/overview.aspx?idvirus=50665

You can send a sample of this infector to avast at: (e-mail address removed)
This way Avast will add a signature for it for their library.
 

Roger Wilco

I downloaded a small zip file from p2p and within it was an exe called
selfextract.exe. I hesitated over it, I scanned it with avast which
showed nothing, and then I thought I'd click on it.

Aside from the help others have given, have you learned what was wrong
with the above procedure?

Practices like the above are like accidents waiting to happen. No AV
will protect you from unsafe practice like that - you just got lucky
that it wasn't a worse form of malware.
 

Gabriele Neukam

On that special day, ([email protected]) said...
My question, how problematic could this dialer be? Would it steal my
passwords?

Probably not. There is a (notorious) series of German programs that are
installed for only one purpose - dialling a number of the 0900
category, and cause high telephone bills. Intexus is a company
specialized in these programs and providing the respective "services".

If you enter "Intexus" into a German Google query, you will find the
homepage of the company on top, and the rest of the more than 750
entries nearly exclusively comprise complaints about said company. eg

"de.internet.com - Mehr als 41.000 Dialer von Intexus sind illegal"
translates as "more than 41k Intexus dialers are illegal" (news from
May 23rd).

These dialer vendors are a PITA in the FRG; first they would not tell
about the price of the connection, but only advertise "download the
access program for free", and when they were forced to display the
price per minute, they would do it light grey on dark grey, and three
pixels high.

Finally the law was changed so that one has to enter "OK" (typing it)
three times, into a large, easily visible form, before the dialer was
allowed to be installed. This toned the problem down a bit, instead
they now initiate a subscription via SMS on a daily basis, 10 EUR per
day. And "forget" to tell you that this is a subscription, not a
singular access fee.

There have been dialers which installed automatically without
notifying, and sometimes even removed themselves after having
"gathered" enough time on the expensive line.

The government decreed that any kind of "connection" that was initiated
that way, was not to be paid; but it isn't that easy to prove that you
didn't know what your computer was coaxed into doing, if 24 hours
later, the dialer makers place a different program on the same site,
that acts in a more legal way and connects to the same number. You have
to freeze your own computer and copy the contents for forensic
examination, to provide contrary evidence.

I don't know if any of these dialers put a +49 in front of the
0190/0900 number, but if yours does, you'll find a transatlantic call
in your phone bill.


Gabriele Neukam

(e-mail address removed)
 