Dialer.Nunci


Updated: February 13, 2007 11:45:40 AM
Type: Dialer
Risk Impact: High
File Names: SYS.EXE, snss.exe, SRS9.EXE
Systems Affected: Windows 2000, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP


When Dialer.Nunci is installed, it does the following:
  1. Displays one of the following messages:

    Title: FOTO - ANNUNCI - FILM - VIDEOCHAT
    Message: Per entrare premi il tasto "OK" accettando le "Condizioni del Servizio".

    Title: SFONDI - LOGHI - SUONERIE - CALENDARI
    Message: Per entrare premi il tasto "OK" accettando le "Condizioni del Servizio".

  2. Copies itself using one of the following names:

    %System%\Winx\SYS.EXE
    %System%\Winx\SRS9.EXE

    Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

  3. May drop the file %System%\snss.exe, a component that periodically checks for dialer installation.

  4. May create the following .lnk files, which link to the copy of the dialer executable:

    • %UserProfile%\Desktop\FOTO - ANNUNCI - FILM - VIDEOCHAT.lnk
    • %UserProfile%\Start Menu\Programs\FOTO - ANNUNCI - FILM - VIDEOCHAT.lnk
    • %UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\FOTO - ANNUNCI - FILM - VIDEOCHAT.lnk

      Note: %UserProfile% is a variable that refers to the current user's profile folder. By default, this is C:\Documents and Settings\[Current User] (Windows NT/2000/XP).

  5. Creates a dial-up connection named RENConnector. This connection is configured to connect to a high-cost number.

  6. May add the following line to the hosts file in order to redirect the default search page:

    205.214.67.211 auto.search.msn.com

  7. Changes the Internet Explorer home page to a Web site on the www.ricerchefacili.com domain.

  8. Tries to contact the remote Web site www.vanitosa.com/[REMOVED]/

  9. Adds the following registry subkeys:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{54F7FD6E-E782-4F9F-8FF0-677090048729}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{54F7FD6E-E782-4F9F-8FF0-677090048729}\Date
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{54F7FD6E-E782-4F9F-8FF0-677090048729}\DisplayName
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{54F7FD6E-E782-4F9F-8FF0-677090048729}\DisplayVersion
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{54F7FD6E-E782-4F9F-8FF0-677090048729}\HelpTelephone
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{54F7FD6E-E782-4F9F-8FF0-677090048729}\Publisher
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{54F7FD6E-E782-4F9F-8FF0-677090048729}\UninstallString
    HKEY_CURRENT_USER\Software\Freeware\{AC5ACED1-97DB-4A2A-81A9-ACFC8ECA1085}
    HKEY_CURRENT_USER\Software\Freeware\{FFB51760-344E-4FFB-BFFF-4B18C7AC1D63}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FFB51760-344E-4FFB-BFFF-4B18C7AC1D63}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FFB51760-344E-4FFB-BFFF-4B18C7AC1D63}\ButtonText
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FFB51760-344E-4FFB-BFFF-4B18C7AC1D63}\CLSID
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FFB51760-344E-4FFB-BFFF-4B18C7AC1D63}\Default Visible
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FFB51760-344E-4FFB-BFFF-4B18C7AC1D63}\Exec
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FFB51760-344E-4FFB-BFFF-4B18C7AC1D63}\HotIcon
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FFB51760-344E-4FFB-BFFF-4B18C7AC1D63}\Icon
    HKEY_LOCAL_MACHINE\SOFTWARE\CLSID\{AE71A324-1EF2-40BC-ADDC-30FD9CF95F87}

  10. Adds the value:

    "Connector" = "%System%\Winx\[DIALER FILE NAME].EXE -n"

    to the registry subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    so that the dialer runs every time Windows starts.

  11. May add the value:

    "SNSS.EXE" = "%System%\snss.exe"

    to the registry subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
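
A detection sketch for the hosts-file change in step 6 and the Run-key values in steps 10 and 11, added here as an example and not part of the original write-up. It generalizes slightly: any hosts entry that overrides auto.search.msn.com is flagged, whatever the IP address. The function names and the sample data are constructed for illustration.

```python
import re

# Indicators taken from the write-up above.
HIJACKED_HOST = "auto.search.msn.com"
RUN_PATTERNS = {
    # Step 10: "Connector" = "%System%\Winx\[DIALER FILE NAME].EXE -n"
    "connector": re.compile(r'\\winx\\[^\\]+\.exe"?\s+-n\s*$', re.I),
    # Step 11: "SNSS.EXE" = "%System%\snss.exe"
    "snss.exe": re.compile(r'\\system(32)?\\snss\.exe"?\s*$', re.I),
}

def scan_hosts(text):
    """Return (ip, name) pairs where the hosts file overrides HIJACKED_HOST."""
    hits = []
    for line in text.splitlines():
        # Drop trailing comments, then split "ip name [alias ...]" on whitespace.
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        ip, names = fields[0], fields[1:]
        for name in names:
            if name.lower().rstrip(".") == HIJACKED_HOST:
                hits.append((ip, name))
    return hits

def scan_run_values(values):
    """values maps Run-key value names to their data; return the names that match."""
    hits = []
    for name, data in values.items():
        pattern = RUN_PATTERNS.get(name.lower())
        if pattern and pattern.search(data):
            hits.append(name)
    return sorted(hits)

# Constructed sample input (not captured from a real host).
SAMPLE_HOSTS = """\
# sample hosts file
127.0.0.1       localhost
205.214.67.211  auto.search.msn.com   # added entry
10.0.0.5        intranet.example
"""
SAMPLE_RUN = {
    "Connector": r"C:\WINDOWS\System32\Winx\SYS.EXE -n",
    "SNSS.EXE": r"C:\WINDOWS\System32\snss.exe",
    "ctfmon.exe": r"C:\WINDOWS\System32\ctfmon.exe",
}

if __name__ == "__main__":
    print(scan_hosts(SAMPLE_HOSTS))
    print(scan_run_values(SAMPLE_RUN))
```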

