Threat Explorer

The Threat Explorer is a comprehensive resource consumers can turn to for daily, accurate, up-to-date information on the latest threats, risks and vulnerabilities.

Dialer.Kotu

Updated: 13 February 2007
Risk Impact: High
File Names: Run32dll.exe, Windial32.exe
Systems Affected: Windows

Behavior


Dialer.Kotu is a dialer program that modifies the Remote Access Server (RAS) phone-book and Internet Connection settings. It attempts to establish a RAS connection and to use the modem to dial a predefined, high-cost phone number.

Symptoms


Your Symantec antivirus product detects Dialer.Kotu.

Behavior


Dialer.Kotu is distributed as a stand-alone executable file when you open certain HTML or CHM files. These files are detected as MHTMLRedir.Exploit. Dialer.Kotu must then be manually executed for it to run.

Antivirus Protection Dates

  • Initial Rapid Release version 02 October 2014 revision 022
  • Latest Rapid Release version 07 May 2019 revision 006
  • Initial Daily Certified version 25 May 2004
  • Latest Daily Certified version 07 May 2019 revision 008
  • Initial Weekly Certified release date 26 May 2004

When Dialer.Kotu is executed, it performs the following actions:
  1. Adds a new RAS phone-book entry named "New Dialup Connection."
  2. Modifies the Internet Connection Settings to set it as the default connection.
  3. Attempts to dial a predefined high-cost phone number and establish a RAS connection.


The following instructions pertain to all Symantec antivirus products that support Security Risk detection.
  1. Update the definitions.
  2. Close modem connections.
  3. Run a full system scan and delete all the files detected as Dialer.Kotu.
  4. Delete the entry that was added to the RAS phone-book file.

For specific details on each of these steps, read the following instructions.

1. To update the definitions
To obtain the most recent definitions, start your Symantec program and run LiveUpdate.

2. To close modem connections
This risk uses available modems to create an Internet connection, sometimes without any visible signs. In order to successfully remove this threat, ensure that all modem-based Internet connections are disconnected before proceeding. For instructions on how to do this, consult the appropriate Internet service provider, computer manufacturer, or operating system documentation.

3. To scan for and delete the files
  1. Start your Symantec antivirus program, and then run a full system scan.
  2. If any files are detected as Dialer.Kotu, click Delete.


    Note: If your Symantec antivirus product reports that it cannot delete a detected file, write down the path and file name. Then use Windows Explorer to locate and delete the file.

4. To delete the added entry from the RAS phone-book file

Note: The location of the RAS phone-book file rasphone.pbk may vary and some computers may not have this file. For example, if the file exists in Windows XP, it is usually located in the C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk folder.

Follow the instructions for your operating system:
  • Windows 95/98/Me/NT/2000
    1. Click Start, point to Find or Search, and then click Files or Folders.
    2. Make sure that "Look in" is set to (C:) and that "Include subfolders" is checked.
    3. In the "Named" or "Search for..." box, type:

      rasphone.pbk
    4. Click Find Now or Search Now.
    5. If you find rasphone.pbk, right-click the file, and then click "Open With."
    6. Deselect the "Always use this program to open this program" check box.
    7. Scroll through the list of programs and double-click Notepad.
    8. When the file opens, delete all the lines that are included in the section:

      [New Dialup Connection]
    9. Close Notepad and save your changes when prompted.

  • Windows XP
    1. Click Start, and then click Search.
    2. Click All files and folders.
    3. In the "All or part of the file name" box, type:

      rasphone.pbk
    4. Verify that "Look in" is set to "Local Hard Drives" or to (C:).
    5. Click "More advanced options."
    6. Check "Search system folders."
    7. Check "Search subfolders."
    8. Click Search.
    9. Click Find Now or Search Now.
    10. If you find the rasphone.pbk file, right-click the file, and then click "Open With."
    11. Deselect the "Always use this program to open this program" check box.
    12. Scroll through the list of programs and double-click Notepad.
    13. When the file opens, delete all the lines that are included in the section:

      [New Dialup Connection]
    14. Close Notepad and save your changes when prompted.
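
The Notepad edit in step 4, done as a script (an added example, not Symantec's code). It assumes rasphone.pbk is INI-style text in which each entry starts with a bracketed header line, as the instructions above imply; the function names and the sample phone book are constructed for illustration.

```python
import re
import shutil
from pathlib import Path

ENTRY = "New Dialup Connection"          # entry name given in the write-up
HEADER = re.compile(r"^\s*\[([^\]]+)\]\s*$")

# Constructed sample phone book; key names and numbers are illustrative only.
SAMPLE = (
    "[Office ISP]\r\n"
    "PhoneNumber=5550100\r\n"
    "\r\n"
    "[New Dialup Connection]\r\n"
    "PhoneNumber=<high-cost number placeholder>\r\n"
    "\r\n"
    "[Home ISP]\r\n"
    "PhoneNumber=5550199\r\n"
)

def strip_entry(text, name=ENTRY):
    """Return (cleaned_text, removed_lines) with every section called `name` dropped."""
    kept, removed, dropping = [], [], False
    # Split on "\n" only, keeping line endings, so CRLF files round-trip unchanged.
    for line in re.findall(r"[^\n]*\n|[^\n]+", text):
        m = HEADER.match(line)
        if m:  # a header decides the fate of every line up to the next header
            # Case-insensitive match is an assumption, to catch case variants.
            dropping = m.group(1).strip().lower() == name.lower()
        (removed if dropping else kept).append(line)
    return "".join(kept), removed

def clean_phonebook(path, name=ENTRY):
    """Rewrite `path` without the entry after saving a .bak copy; return removed lines."""
    path = Path(path)
    text = path.read_bytes().decode("latin-1")   # latin-1 preserves every byte
    cleaned, removed = strip_entry(text, name)
    if removed:                                   # touch the file only when needed
        shutil.copy2(path, path.with_name(path.name + ".bak"))
        path.write_bytes(cleaned.encode("latin-1"))
    return removed

if __name__ == "__main__":
    cleaned, removed = strip_entry(SAMPLE)
    print("Lines removed (review before changing a real file):")
    print("".join(removed), end="")
    names = [m.group(1) for m in map(HEADER.match, cleaned.splitlines()) if m]
    print("Remaining entries:", names)
```

Review the returned lines before discarding the .bak copy, since a legitimate connection created by the user could carry the same name.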