Updated: February 13, 2007 11:35:47 AM
Type: Dialer
Risk Impact: High
File Names: 1on1.exe; Hot_Kiss.exe; Adult_Chat.exe; Ce_XXX.exe; [RANDOM FILE NAME]
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP
When Dialer.OneOnOne is executed, it performs the following actions:
- Copies itself into %Windir%\[RANDOM FILE NAME].exe, where [RANDOM FILE NAME] has been reported as:
  - %Windir%\Hot_Kiss.exe
  - %Windir%\Adult_Chat.exe
  - %Windir%\Ce_XXX.exe
Note: %Windir% is a variable. The dialer locates the Windows installation folder (by default, this is C:\Windows or C:\Winnt) and copies itself to that location.
- Drops a file into %Windir%\[FILE NAME]_pw.ini, where the dropped file has been reported as:
  - %Windir%\Hot_Kiss_pw.ini
  - %Windir%\Adult_Chat_pw.ini
  - %Windir%\Ce_XXX_pw.ini
  - %Windir%\pcconfig.dat
- Creates a shortcut on the Windows desktop to the above executable and adds itself to the Start menu. File names have been reported to include the following:
  - %UserProfile%\Desktop\Hot_Kiss.lnk
  - %UserProfile%\Start Menu\Hot_Kiss.lnk
  - %UserProfile%\Desktop\Adult_Chat.lnk
  - %UserProfile%\Start Menu\Adult_Chat.lnk
  - %UserProfile%\Desktop\Ce_XXX.lnk
  - %UserProfile%\Start Menu\Ce_XXX.lnk
Note: %UserProfile% is a variable that refers to the current user's profile folder. By default, this is C:\Documents and Settings\[Current User] (Windows NT/2000/XP).
- Adds the value:
  "[FILE NAME]" = " %Windir%\[FILE NAME].exe -n"
  to the registry key:
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- Adds the value:
  "XXXDIAL" = ""
  to the registry key:
  HKEY_ALL_USERS\RemoteAccess\Addresses
- May add the following registry subkey:
  HKEY_ALL_USERS\Software\RemoteAccess\Profile\XXXDIAL
- Modifies the default home page in Internet Explorer.
- Adds a new RAS phonebook entry named "XXXDial" or "XXXSERVER".
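
Because the copied file name may be random, a fixed name list is not enough for triage. The following added example (not part of the original write-up) correlates the behaviours listed above: a Run value whose name equals an executable in %Windir% started with `-n`, plus the companion `_pw.ini` or `pcconfig.dat` files. The function name, the `C:\Windows` default and the sample data are assumptions constructed for illustration.

```python
import re
from pathlib import PureWindowsPath

# Run data shape given in the write-up: %Windir%\[FILE NAME].exe -n
RUN_DATA = re.compile(r"^\s*(?P<exe>.+\.exe)\s+-n\s*$", re.IGNORECASE)

def find_dialer_candidates(run_values, windir_files, windir=r"C:\Windows"):
    """Return {Run value name: companion files found} for matching entries.

    run_values   -- {value name: data} read from the HKLM Run key
    windir_files -- file names present directly in %Windir%
    """
    present = {f.lower() for f in windir_files}
    hits = {}
    for name, data in run_values.items():
        # Expand a literal %Windir%; the lambda avoids backslash-escape processing.
        data = re.sub(r"%windir%", lambda _: windir, data, flags=re.IGNORECASE)
        m = RUN_DATA.match(data)
        if not m:
            continue
        exe = PureWindowsPath(m.group("exe"))
        # Value name must equal the executable's base name, and the copy must sit
        # directly in %Windir% (PureWindowsPath compares case-insensitively).
        if exe.parent != PureWindowsPath(windir) or exe.stem.lower() != name.lower():
            continue
        hits[name] = [f for f in (f"{exe.stem.lower()}_pw.ini", "pcconfig.dat")
                      if f in present]
    return hits

# Constructed sample input (not taken from a real system).
SAMPLE_RUN = {
    "Hot_Kiss": r"C:\WINDOWS\Hot_Kiss.exe -n",          # reported name
    "qzvxk": r" %Windir%\qzvxk.exe -n",                 # random-name case
    "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",    # no -n switch
    "Updater": r"C:\Program Files\Vendor\upd.exe -n",   # not in %Windir%
}
SAMPLE_FILES = ["Hot_Kiss.exe", "Hot_Kiss_pw.ini", "qzvxk.exe",
                "pcconfig.dat", "notepad.exe"]

if __name__ == "__main__":
    for value, found in find_dialer_candidates(SAMPLE_RUN, SAMPLE_FILES).items():
        print(f"Run value {value!r}: companion files {found or 'none'}")
```

An entry returned with an empty companion list still matches the Run pattern and is worth a manual look; the companion files raise confidence.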