Updated: February 13, 2007 11:42:00 AM
Type: Dialer
Risk Impact: High
File Names:
Adulti.exe
Meteo.exe
Diari di viaggio.exe
Passe-partout.exe
Patente.exe
Trucchi e videogiochi.
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
When Dialer.Trafficadvance is executed, it performs the following actions:
- Copies itself as one of the following:
  - %Windir%\Adulti.exe
  - %Windir%\Meteo.exe
  - %Windir%\Diari di viaggio.exe
  - %Windir%\Passe-partout.exe
  - %Windir%\Patente.exe
  - %Windir%\Trucchi e videogiochi.exe
  - %Windir%\Passepartout.exe
  - %Windir%\Software.exe
  - %Windir%\Downloaded Program Files\1004908.exe
Note: %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.
- Creates one of the following shortcuts on the Desktop:
  - %UserProfile%\Desktop\Adulti.lnk
  - %UserProfile%\Desktop\Meteo.lnk
  - %UserProfile%\Desktop\Diari di viaggio.lnk
  - %UserProfile%\Desktop\Passe-partout.lnk
  - %UserProfile%\Desktop\Patente.lnk
  - %UserProfile%\Desktop\Trucchi e videogiochi.lnk
  - %UserProfile%\Desktop\Passepartout.lnk
  - %UserProfile%\Desktop\Software.lnk
- Adds the %UserProfile%\Desktop\Adulti.lnk to the Internet Favorites folder, which links to %Windir%\Adulti.exe
- Adds the %UserProfile%\Desktop\Adulti.lnk to the Start Menu folder, which links to %Windir%\Adulti.exe
- Creates the file C:\Adulti.lnk.
- May create the following folder: %UserProfile%\Start Menu\Programs\NETVISION
- Uses a modem to dial a high cost phone number.
- Attempts to access a URL on the domain flat.trafficadvance.net.
- Displays the following message:
Title: Connessione...
Message: Scegliere "Si" per ricaricare i propri crediti, scegliere "No" per accedere direttemente.

If yes is clicked, it displays the following message:
Title: Security Warning
Message: Warning: The authenticity of this content cannot be verified, therefore it cannot be trusted.
Problem listed below:
A certificate (signing or issuer) has expired.
Do you want to install and run "NETVISION [SPANISH TEXT]" signed on an unknown date/time and distributed by: CARIMA ENTERPRISES LIMITED.

- Creates the following registry subkeys:
HKEY_LOCAL_MACHINE\SOFTWARE\Apple Computer, Inc.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\[RANDOM CLSID]\Toolbor\Bitmap32
HKEY_CURRENT_USER\S-15-21-329068152-3082236825-839522115\Software\Microsoft\IEAK
HKEY_CURRENT_USER\S-15-21-329068152-3082236825-839522115\Software\Microsoft\Internet Connection Wizard
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{FFFF0003-0001-101A-A3C9-08002B2F49FB}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FFFF0003-0001-101A-A3C9-08002B2F49FB}
HKEY_CURRENT_USER\Software\NETVISION
- Adds the values:
"" = "C:\Programs Files\Internet Explorer\Connection Wizard\icwhelp.dll, 1"
"" = "ISmartStart"
"" = "IUserInfo"
"" = "IICWSystemConfig"
"" = "ICWhelp 1.0 Type Library"
to the registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID
- Adds the values:
"Quicktime Task" = "[RANDOM FILE NAME]"
"NETVISIONAdulti" = "[RANDOM FILE NAME]"
to the registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- Adds the values:
"www.my-link.ws" = ""
"cn.x69x.net" = ""
to the registry subkey:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\New Windows\Allow
- Modifies the value:
"ActiveService" = "Ras Auto"
in the registry subkeys:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\Legacy_RasAuto\0000\Control
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\Legacy_RasMan\0000\Control
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\Legacy_TapiSrv\0000\Control
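
An added triage example, not part of the original write-up: it checks a collected file listing and the decoded text of a `reg export` against the dropped-file locations, Run values, pop-up allow-list entries and NETVISION key listed above. The function names and the sample input are assumptions made for illustration.

```python
import ntpath
import re

# Indicators from the write-up above, lower-cased: Windows paths and registry
# names are case-insensitive.
WINDIRS = (r"c:\windows", r"c:\winnt")  # default %Windir% values
DROPPED = {"adulti.exe", "meteo.exe", "diari di viaggio.exe",
           "passe-partout.exe", "patente.exe", "trucchi e videogiochi.exe",
           "passepartout.exe", "software.exe",
           r"downloaded program files\1004908.exe"}
RUN = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
ALLOW = r"hkey_current_user\software\microsoft\internet explorer\new windows\allow"
REG_VALUES = {RUN: {"quicktime task", "netvisionadulti"},
              ALLOW: {"www.my-link.ws", "cn.x69x.net"}}
REG_KEYS = {r"hkey_current_user\software\netvision"}
VALUE_RE = re.compile(r'"((?:[^"\\]|\\.)*)"=')  # "name"=data line in a .reg file

def scan_files(paths):
    """Return the paths that are a dropped-file location under %Windir%."""
    def hit(p):
        return any(p.startswith(w + "\\") and p[len(w) + 1:] in DROPPED
                   for w in WINDIRS)
    return [p for p in paths if hit(ntpath.normpath(p).lower())]

def scan_reg_export(text):
    """Return (key, value_name) hits from decoded .reg text (reg.exe writes
    UTF-16); value_name is None when the key itself is the indicator."""
    hits, key = [], None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
            if key in REG_KEYS:
                hits.append((key, None))
        elif key in REG_VALUES:
            m = VALUE_RE.match(line)
            if m and m.group(1).lower() in REG_VALUES[key]:
                hits.append((key, m.group(1)))
    return hits

# Constructed sample input; xkq.exe stands in for [RANDOM FILE NAME].
SAMPLE_PATHS = [r"C:\WINDOWS\Meteo.exe", r"C:\Program Files\Meteo.exe",
                r"C:\WINNT\Downloaded Program Files\1004908.exe"]
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NETVISIONAdulti"="C:\\WINDOWS\\xkq.exe"
"ctfmon"="ctfmon.exe"
[HKEY_CURRENT_USER\Software\NETVISION]
"""
```

Generic names such as Software.exe and the "Quicktime Task" value are weak on their own, since a legitimate QuickTime install also registers a Run value named QuickTime Task; treat a single hit as a lead and corroborate it with the other indicators.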