Detection added	Feb 17 2009
Update released	Feb 17 2009 09:21 GMT
Description added	Mar 12 2009

• Technical details
• Payload
• Removal instructions

This Trojan calls premium rate numbers without the knowledge or consent of the user. It is a Windows PE EXE file. It is 25131 bytes in size. It is written in Delphi.

Once launched, the Trojan launches a copy of its own process and injects malicious code (detected by Kaspersky Anti-Virus as Trojan.Win32.Dialer.tvx) into this process.

This code will:

1. Get accessible modem connections on the user’s computer;
2. Download a file from the URL shown below:
   http://91.***.118.***/Dialer_Min/number.asp

This file is saved to the Windows directory as “number.txt”:

Parameters and phone numbers which will be used to make future calls are read from this file. The file will then be deleted.

If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:

1. Use Task Manager to terminate the Trojan process.
2. Delete the original Trojan file (the location will depend on how the program originally penetrated the victim machine).
3. Delete all files from %Temporary Internet Files%.
4. Update your antivirus databases and perform a full scan of the computer (download a trial version of Kaspersky Anti-Virus).