Updated: February 13, 2007 11:47:31 AM
Type: Dialer
Risk Impact: High
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
When Dialer.BaciamiStupido is executed, it performs the following actions:
- Copies itself as:
%UserProfile%\Start Menu\[ORIGINAL FILE NAME]
%UserProfile%\[ORIGINAL FILE NAME]
Note: %UserProfile% is a variable that refers to the current user's profile folder. By default, this is C:\Documents and Settings\<Current User> (Windows NT/2000/XP).
- Adds the value:
"*" = "2"
to the registry subkeys:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\super-videochat-community.biz\www
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\nanobyte.biz\www
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\umts-gprs-mondo-telefonino-cellulare.biz\www
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\baciamistupido.biz\www
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\popup-freesex-adv.biz\www
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ricercadoppia.com\www
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\roserosse.biz\www
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\terzodesiderio.biz\www
- Adds the values:
"1001" = "0"
"1004" = "0"
"1200" = "0"
"1201" = "0"
"1400" = "0"
"1402" = "0"
"1405" = "0"
"1406" = "0"
"1407" = "0"
"1609" = "1"
"1800" = "0"
"1803" = "0"
"CurrentLevel" = "0"
"MinLevel" = "0"
"RecommendedLevel" = "0"
to the registry subkey:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
- Changes the Internet Explorer home page to www.popup-freesex-adv.biz.
- Creates the following dial-up phone book file:
%System%\_PHB1
Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
- Makes an outgoing connection to the following server by dialing a high-cost number using the modem:
www.baciamistupido.biz/[REMOVED]
- Downloads the following files, if the user opens Internet Explorer:
%System%\ciakaisen.exe
%System%\smallActive.dll
- Adds the following value:
"ciakaisen.exe" = "%System%\ciakaisen.exe"
to the registry subkey:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
- Adds the following values:
"%System%\ciakaisen.exe" = "1"
"%System%\smallActive.dll" = "1"
to the registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs
- Creates the following registry subkeys:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9F5BB9E1-31AE-4A13-8734-15CED0F60A3D}
HKEY_CLASSES_ROOT\CLSID\{9F5BB9E1-31AE-4A13-8734-15CED0F60A3D}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{8DAB5C8C-C784-4651-84F7-B6C9F4EEC53D}
HKEY_CLASSES_ROOT\TypeLib\{8DAB5C8C-C784-4651-84F7-B6C9F4EEC53D}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ActiveXCOM.myActiveXCOM
HKEY_CLASSES_ROOT\ActiveXCOM.myActiveXCOM
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{9F5BB9E1-31AE-4A13-8734-15CED0F60A3D}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\%System%/ciakaisen.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\%System%/smallActive.dll
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{9F5BB9E1-31AE-4A13-8734-15CED0F60A3D}
HKEY_CURRENT_USER\Software\ADWhere Component
- Attempts to download other security risks and the latest version of itself.
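The ZoneMap and Zones\2 changes listed above place the named domains in Internet Explorer's Trusted Sites zone and set that zone's ActiveX and scripting URL actions to 0 (Enable), which is what lets the later ActiveX download succeed. The following read-only audit script is an added example, not part of the original writeup; it reports every domain trusted via "*" = 2 (flagging the ones named here) and every Zones\2 setting from the list that is currently 0. The cmdlets and registry paths are standard; the function names are the example's own.

```powershell
# Added audit script (not from the writeup). Reads HKCU only; makes no changes.
$ZoneMapPath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
$Zone2Path   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2'

# Domains named in the writeup; any other domain trusted via "*" = 2 is reported as well.
$WriteupDomains = @(
    'super-videochat-community.biz', 'nanobyte.biz',
    'umts-gprs-mondo-telefonino-cellulare.biz', 'baciamistupido.biz',
    'popup-freesex-adv.biz', 'ricercadoppia.com', 'roserosse.biz', 'terzodesiderio.biz'
)

# Zones\2 values the writeup lists as set to 0 (0 = Enable for these URL actions).
$ForcedToZero = @('1001','1004','1200','1201','1400','1402','1405','1406','1407',
                  '1800','1803','CurrentLevel','MinLevel','RecommendedLevel')

function Get-TrustedSiteEntry {
    if (-not (Test-Path $ZoneMapPath)) { return }
    Get-ChildItem -Path $ZoneMapPath -Recurse | ForEach-Object {
        # RegistryKey.GetValue reads the literal value name "*"
        # (Get-ItemProperty -Name would treat "*" as a wildcard).
        if ($_.GetValue('*') -eq 2) {
            # Key name is ...\Domains\<domain>[\<host prefix>]
            $parts  = ($_.Name -replace '^.*\\Domains\\', '') -split '\\'
            $domain = $parts[0]
            [pscustomobject]@{
                Domain     = $domain
                HostPrefix = if ($parts.Length -gt 1) { $parts[1] } else { '(any)' }
                InWriteup  = $WriteupDomains -contains $domain
            }
        }
    }
}

function Get-WeakenedZone2Setting {
    if (-not (Test-Path $Zone2Path)) { return }
    $key = Get-Item -Path $Zone2Path
    foreach ($name in $ForcedToZero) {
        $value = $key.GetValue($name)
        if ($null -ne $value -and $value -eq 0) {
            [pscustomobject]@{ Setting = $name; Value = $value }
        }
    }
}

Get-TrustedSiteEntry     | Format-Table -AutoSize
Get-WeakenedZone2Setting | Format-Table -AutoSize
```

Run it in the context of the affected user account, since both keys live under HKEY_CURRENT_USER.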