Updated: February 13, 2007 11:36:30 AM
Type: Dialer
Version: 1,0,1,4
Publisher: E-Group
Risk Impact: High
File Names:
EGDHTML_[number].dll (Where [number] is a four-digit version number.)
EGDIAL.dll
Instant Access
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
When Dialer.InstantAccess is activated, it performs the following actions:
- Creates the following folders:
  - C:\Program Files\Instant Access\Dialer\Exe\[yyyymmddhhmmss]\Common
  - C:\Program Files\Instant Access\Center\Exe\[yyyymmddhhmmss]\img
Note: [yyyymmddhhmmss] is a timestamp giving the year, month, day, hour, minute, and second at which the folder was created.
- Inserts the following files:
  - %System%\EGDHTML_[number].dll (Where [number] is a four-digit version number.)
  - %System%\EGDIAL.dll
  - %System%\mseggrpid.dl
  - %Windir%\ExeDialer.exe
  - C:\Program Files\Instant Access\Dialer\Exe\[yyyymmddhhmmss]\Instant Access.exe
  - C:\Program Files\Instant Access\Dialer\Exe\[yyyymmddhhmmss]\Common\show_module.php
  - C:\Program Files\Instant Access\Dialer\Exe\[yyyymmddhhmmss]\Common\show_module.php_0.loginvis
  - C:\Program Files\Instant Access\Dialer\Exe\[yyyymmddhhmmss]\img\ncc.ico
  - C:\Program Files\Instant Access\Center\FunFunFun.lnk
Notes:
- %Windir% is a variable. The dialer locates the Windows installation folder (by default, this is C:\Windows or C:\Winnt) and copies itself to that location.
- %System% is a variable. The dialer locates the System folder and copies itself to that location. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
- Copies FunFunFun.lnk onto the desktop.
- Creates some of the following registry keys:
  - HKEY_CLASSES_ROOT\EGCOMLIB2.EGComLibrary2
  - HKEY_CLASSES_ROOT\EGCOMLIB2.EGComLibrary2.1
  - HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{2ABE804B-4D3A-41BF-A172-304627874B45}
  - HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{94742E3F-D9A1-4780-9A87-2FFA43655DA2}
  - HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{A02780C3-7F77-4E28-855B-28890F3CF37A}
  - HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{B843DA96-2B2D-447E-90AB-B92929AA11AF}
  - HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\EGDHTML.EGDialHTML
  - HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\EGDHTML.EGDialHTML.1
  - HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\EGHTMLDialer.HTMLDialer
  - HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\EGHTMLDialer.HTMLDialer.1
  - HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\EGDialObject.EGDial
  - HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\EGDialObject.EGDial.1
  - HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\Interface\{2F668A6D-2EC7-4E3A-A485-819E210738D6}
  - HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\Interface\{62BFAEC2-82A5-4117-A98B-FEA89413D924}
  - HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\Interface\{81C2F7F3-F930-455E-9AA5-0876D387C787}
  - HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\TypeLib\{83F0D6AA-CD15-46B5-AA4E-BDB506B4AE53}
  - HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\TypeLib\{7699AEF9-F83A-44FA-B374-AA02CEDF247D}
  - HKEY_USERS\.DEFAULT\Software\EGDHTML
- Accesses predetermined Web sites and downloads advertisements, which are displayed in the browser.
- When Instant Access.exe is executed, it accesses certain content or services by dialing a high-cost telephone number.
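
The file paths listed above can be checked against a file listing from a suspect machine. The following Python script is an added example, not part of the original write-up or of any vendor tool; it covers only the listed file paths (not the registry keys or the desktop shortcut), and the {ts} and {num} placeholders, the function names, and the sample listing are assumptions made for this example.

```python
import re
from datetime import datetime

# Default locations for %System% and %Windir%, as given in the advisory's notes.
EXPAND = {"%System%": [r"C:\Windows\System", r"C:\Winnt\System32", r"C:\Windows\System32"],
          "%Windir%": [r"C:\Windows", r"C:\Winnt"]}
BASE = r"C:\Program Files\Instant Access"
# File names as printed in the advisory. {ts} stands for [yyyymmddhhmmss] and {num}
# for the four-digit [number]; both placeholders are this example's own notation.
TEMPLATES = [
    r"%System%\EGDHTML_{num}.dll", r"%System%\EGDIAL.dll", r"%System%\mseggrpid.dl",
    r"%Windir%\ExeDialer.exe", BASE + r"\Center\FunFunFun.lnk",
] + [BASE + r"\Dialer\Exe\{ts}" + f for f in (
    r"\Instant Access.exe", r"\Common\show_module.php",
    r"\Common\show_module.php_0.loginvis", r"\img\ncc.ico")]

def _compile(template):
    """Expand a leading path variable, then build case-insensitive regexes."""
    var = template.split("\\")[0]
    variants = [template.replace(var, d, 1) for d in EXPAND.get(var, [var])]
    return [re.compile(re.escape(v).replace(re.escape("{ts}"), r"(?P<ts>\d{14})")
                       .replace(re.escape("{num}"), r"\d{4}"), re.IGNORECASE)
            for v in variants]
PATTERNS = [rx for t in TEMPLATES for rx in _compile(t)]

def _valid_ts(ts):
    """Reject 14-digit folder names that are not a real date and time."""
    try:
        datetime.strptime(ts, "%Y%m%d%H%M%S")
        return True
    except ValueError:
        return False

def find_indicators(paths):
    """Return the entries of a file listing that match one of the advisory's paths."""
    hits = []
    for p in (x.strip() for x in paths):
        m = next(filter(None, (rx.fullmatch(p) for rx in PATTERNS)), None)
        if m and ("ts" not in m.groupdict() or _valid_ts(m["ts"])):
            hits.append(p)
    return hits

# Constructed sample listing (for example from `dir /s /b`), not real scan data.
SAMPLE = [
    r"c:\windows\system32\egdhtml_1014.dll", r"C:\Windows\System32\EGDHTML_14.dll",
    r"C:\WINNT\ExeDialer.exe", r"C:\Windows\System32\kernel32.dll",
    BASE + r"\Dialer\Exe\20070213113630\Instant Access.exe",
    BASE + r"\Dialer\Exe\20071345113630\Common\show_module.php",
]
```

Calling find_indicators(SAMPLE) returns the first, third, and fifth entries; the others fail on the four-digit version number, the path, or the timestamp check.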