||||
Symantec.com > Security Response > Threats and Risks > Dialer.SwitchDialer
PRINT THIS PAGE

Dialer.SwitchDialer

Printer Friendly Page

Updated: February 13, 2007 11:36:21 AM
Type: Dialer
Risk Impact: High
File Names: Varies
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP


When Dialer.SwitchDialer is executed, it performs the following actions:
  1. Copies itself to the %System% folder using the same name as the file that was originally run on the computer.

    Note: %System% is a variable. The dialer locates the System folder and copies itself to that location. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

  2. Adds some of the following folders:

    • %ProgramFiles%\Make125
    • %ProgramFiles%\Make125\Portal
    • %ProgramFiles%\Plus18Point
    • %ProgramFiles%\Plus18Point\Portal
    • %ProgramFiles%\FirstEnter
    • %ProgramFiles%\FirstEnter\Portal
    • %ProgramFiles%\QuickPage
    • %ProgramFiles%\QuickPage\Portal

  3. Adds some of the following subkeys:

    HKEY_CLASSES_ROOT\.cxq
    HKEY_CLASSES_ROOT\.mxq
    HKEY_CLASSES_ROOT\cxqfile
    HKEY_LOCAL_MACHINE\SOFTWARE\Startportal
    HKEY_LOCAL_MACHINE\SOFTWARE\SwitchDialer
    HKEY_LOCAL_MACHINE\SOFTWARE\Make125
    HKEY_LOCAL_MACHINE\    SOFTWARE\Plus18Point
    HKEY_LOCAL_MACHINE\SOFTWARE\FirstEnter
    HKEY_LOCAL_MACHINE\SOFTWARE\QuickPage
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{5CBF8C22-E9A6-11D7-90FE-000AE4012DB4}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-callswitch
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Switch
  4. Adds one of the following values:

    "Diskstart" = "%System%\<filename>"
    "sVideo2" = "%System%\<filename>"
    "Quicktlme" = "%System%\<filename>"
    "Classes" = "%System%\<filename>"
    "CLSID" = "%System%\<filename>"

    to the registry subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    so that the dialer runs when you start Windows.

  5. Adds the value:

    "{5CBF8C22-E9A6-11D7-90FE-000AE4012DB4}" = "{5CBF8C22-E9A6-11D7-90FE-000AE4012DB4}!1,0,0,2"

    to the registry subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\ClsidFeature

  6. Adds the value:

    "*.ffx23wl.nl" = ""

    to the registry subkey:

    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\New Windows\Allow

  7. Adds the values:

    "TYPE34" = "application/x-callswitch"
    "application/x-callswitch" = "%System%\<filename>"

    to the registry subkey:

    HKEY_CURRENT_USER\SOFTWARE\Netscape\Netscape Navigator\Viewers

  8. Adds the value:

    "%System%\<filename>" = "Yes"

    to the registry subkey:

    HKEY_CURRENT_USER\SOFTWARE\Netscape\Netscape Navigator\User Trusted External Applications

  9. Adds the value:

    "" = "%System%\<filename>" "%1"

    to the registry subkey:

    HKEY_LOCAL_MACHINE\Software\Classes\Classes\shell\open\command

  10. Adds the value:

    "" = "%System%\<filename>" "%1"

    to the registry subkey:

    HKEY_LOCAL_MACHINE\Software\Javascrlpt\Classes\shell\open\command

Search by name
Example: W32.Beagle.AG@mm
Limited Time Offers! Save up to 50%
Windows Vista Security
©1995 - 2009 Symantec Corporation
Site Map|
Legal Notices|
Privacy Policy|
|
Contact Us|
Global Sites|
License Agreements|
RSS