Hot Canada





Overview

Summary:

Hot Canada is a 'dialer' by nature. The loose sequence of events upon execution is as follows:

After CANADA.EXE is executed, it pops up a dialog that displays a pornographic image and asks the user if they would like to go to a porn site. Meanwhile, behind the scenes, it downloads HOT_CANADA.EXE from either 208.192.120.56 or 204.177.92.205 (via HTTP/port 80). HOT_CANADA.EXE is placed in a very obvious 'dialers' folder under Program Files and then begins execution. It contacts 204.177.92.204 (via HTTP/port 80) and downloads HOT_CANADAUPDATE.EXE, which is placed in the root directory of the PC. HOT_CANADAUPDATE.EXE then takes over with the most interesting activity: it downloads HotOrgy_ca.exe and HardcoreVideos_ca.exe, which are placed in their own directories under the now infamous 'dialers' directory. Links to these new files are placed on the desktop and Start menu.

At this point HOT_CANADA.EXE seems to go into an idle state; the outbound traffic was minimal and consisted of HTTP requests. HOT_CANADA.EXE did examine the registry entries for RAS, long-distance dialing codes, and analog modem devices. This looks like a genuine 'dialer' program. Although CANADA.EXE appeared to be 'compacted' with PECompact, there appeared to be no serious effort to hide or obfuscate what this program and its supporting executables do.
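The staged download chain described above can be hunted for in web proxy logs. The following is an added example, not PestPatrol's own code: the five-field log format, the URL paths and the sample lines are constructed assumptions, and only the server addresses and file names come from the summary.

```python
# Added example: flag clients whose proxy log shows the Hot Canada download chain.
# Assumed (constructed) log format: "<timestamp> <client> <dest_ip> <method> <path>".
from collections import defaultdict

# (stage, file name, servers named in the summary; None = server not stated there)
STAGES = [
    ("dialer", "hot_canada.exe", {"208.192.120.56", "204.177.92.205"}),
    ("updater", "hot_canadaupdate.exe", {"204.177.92.204"}),
    ("payload", "hotorgy_ca.exe", None),
    ("payload", "hardcorevideos_ca.exe", None),
]

# Constructed sample lines; client addresses, paths and times are made up.
SAMPLE_LOG = [
    "2002-10-14T09:00:01 10.0.0.5 208.192.120.56 GET /dl/HOT_CANADA.EXE",
    "2002-10-14T09:00:09 10.0.0.5 204.177.92.204 GET /HOT_CANADAUPDATE.EXE",
    "2002-10-14T09:00:20 10.0.0.5 204.177.92.204 GET /HotOrgy_ca.exe",
    "2002-10-14T09:01:00 10.0.0.7 192.0.2.10 GET /files/hot_canada.exe",
    "2002-10-14T09:02:00 10.0.0.8 204.177.92.204 GET /index.html",
]

def classify(dest_ip, path):
    """Return the stage a request matches, or None (file names compared case-insensitively)."""
    name = path.split("?", 1)[0].rsplit("/", 1)[-1].lower()
    for stage, fname, servers in STAGES:
        if name == fname and (servers is None or dest_ip in servers):
            return stage
    return None

def find_chains(lines):
    """Map client IP -> distinct stages seen, in the order they first appear."""
    seen = defaultdict(list)
    for line in lines:
        parts = line.split()
        if len(parts) != 5 or parts[3] != "GET":
            continue  # skip malformed lines and non-GET requests
        _ts, client, dest, _method, path = parts
        stage = classify(dest, path)
        if stage and stage not in seen[client]:
            seen[client].append(stage)
    return dict(seen)

def infected(chains):
    """Clients that fetched the dialer and then the updater, in that order."""
    return sorted(c for c, s in chains.items() if s[:2] == ["dialer", "updater"])

if __name__ == "__main__":
    print(infected(find_chains(SAMPLE_LOG)))
```

Matching the first two stages on both file name and server keeps an unrelated file that happens to be called hot_canada.exe on another host from raising a hit.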

Alias:

archive: Embedded EXE [Kaspersky], CANADA.EXE, Dialer [Name used by Ad-aware], Dialer.Gen [Panda], Generic Dialer [McAfee]

Category:

Dialer: Software that dials a phone number. Some dialers connect to local Internet Service Providers and are beneficial as configured. Others connect to toll numbers without user awareness or permission.

Similar Pests:

Dialer

Origins

Author:

John Herndon

Date of Origin:

October, 2002

Operation

Storage Required:

  • Hot Canada: at least 177 KB

Detection and Removal

Automatic Removal:

PestPatrol detects this.

PestPatrol removes this.

Manual Removal:

Follow these steps to remove Hot Canada from your machine. Begin by backing up your registry and your system, and/or setting a Restore Point, to prevent trouble if you make a mistake.

Stop Running Processes:

Kill these running processes with Task Manager:

Remove Files:

Remove these files (if present) with Windows Explorer:

Research

File Analyses:

Research By:

PestPatrol's Pest Research Center

Last Revised:

April 03, 2005