Updated: February 13, 2007 11:34:51 AM
Type: Dialer
Version: 6.1.0.0
Risk Impact: High
File Names:
Hardcore.exe
Porn Turbo.exe
Loader.exe
comload.dll
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
When Dialer.Pornpaq is executed, it does the following:
- Adds some of the following files:
  - C:\Documents and Settings\Administrator\Desktop\Hardcore.exe
  - C:\Documents and Settings\Administrator\Desktop\Porn Turbo.exe
  - %System%\comload.dll
- Adds some of the following registry keys:
  - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Hardcore
  - HKEY_CURRENT_USER\Software\Coulomb
  - HKEY_CURRENT_USER\Software\Coulomb\Hardcore
  - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Porn Turbo
  - HKEY_CURRENT_USER\Software\Coulomb\Porn Turbo
  - HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9E1089BC-1AE8-4685-8D77-6721E5C318A8}
  - HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AD7FAFB0-16D6-40C3-AF27-585D6E6453FD}
  - HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{19E91D82-7AD7-419F-866A-58C122DB1459}
  - HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F5F779A9-24E5-4BCD-9AE5-6313D4B5AC24}
  - HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{266F948A-3DEE-4270-8F55-E79ACCD569FA}
  - HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Comload.loader
  - HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Comload.loader.1
  - HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Comload.loader2
  - HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Comload.loader2.1
  - HKEY_LOCAL_MACHINE\SOFTWARE\Classes\dctl
- Creates an icon on the Windows desktop.
- Displays a licensing agreement. If the user accepts it, the dialer attempts to call a high-cost number using the modem.
- Attempts to connect to a pornographic Web site.
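As an added triage check, not part of the original writeup, the PowerShell script below tests a Windows host for the registry keys and file names listed above. It assumes PowerShell 3.0 or later and an elevated prompt (HKEY_LOCAL_MACHINE keys), and it goes slightly beyond the writeup by checking every profile's desktop rather than only the Administrator's.

```powershell
# Added example, not Symantec's code: look for the Dialer.Pornpaq artifacts
# listed in the writeup. Run elevated; HKCU checks cover the current user only.

$registryKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Hardcore',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Porn Turbo',
    'HKCU:\Software\Coulomb',                       # parent of \Hardcore and \Porn Turbo
    'HKLM:\SOFTWARE\Classes\CLSID\{9E1089BC-1AE8-4685-8D77-6721E5C318A8}',
    'HKLM:\SOFTWARE\Classes\CLSID\{AD7FAFB0-16D6-40C3-AF27-585D6E6453FD}',
    'HKLM:\SOFTWARE\Classes\Interface\{19E91D82-7AD7-419F-866A-58C122DB1459}',
    'HKLM:\SOFTWARE\Classes\Interface\{F5F779A9-24E5-4BCD-9AE5-6313D4B5AC24}',
    'HKLM:\SOFTWARE\Classes\TypeLib\{266F948A-3DEE-4270-8F55-E79ACCD569FA}',
    'HKLM:\SOFTWARE\Classes\Comload.loader',
    'HKLM:\SOFTWARE\Classes\Comload.loader.1',
    'HKLM:\SOFTWARE\Classes\Comload.loader2',
    'HKLM:\SOFTWARE\Classes\Comload.loader2.1',
    'HKLM:\SOFTWARE\Classes\dctl'
)

# File names from the writeup. %System% is the system32 directory; the writeup
# shows the Administrator desktop, but every profile's desktop is checked here.
$fileNames  = @('Hardcore.exe', 'Porn Turbo.exe', 'Loader.exe', 'comload.dll')
$searchDirs = @([Environment]::GetFolderPath('System'))
$profilesRoot = Split-Path -Parent $env:USERPROFILE
$searchDirs += Get-ChildItem -Path $profilesRoot -Directory -ErrorAction SilentlyContinue |
    ForEach-Object { Join-Path $_.FullName 'Desktop' }

$findings = @()
foreach ($key in $registryKeys) {
    # -LiteralPath so the braces in CLSID/TypeLib names are not treated as patterns
    if (Test-Path -LiteralPath $key) { $findings += "Registry key present: $key" }
}
foreach ($dir in $searchDirs) {
    foreach ($name in $fileNames) {
        $path = Join-Path $dir $name
        if (Test-Path -LiteralPath $path) { $findings += "File present: $path" }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Dialer.Pornpaq artifacts found.'
} else {
    $findings | ForEach-Object { Write-Output $_ }
}
```

A hit on the HKLM Classes keys is the stronger signal, since the desktop executables may already have been deleted by the user while the COM registration remains.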
Writeup By: Ying Lin