Dialer-219

Type: Program
SubType: Dialer
Discovery Date: 05/19/2004
Minimum DAT: 4312 (12/31/2003)
Updated DAT: 4396 (09/29/2004)
Minimum Engine: 5.1.00
Description Added: 04/15/2004
Description Modified: 09/24/2004 4:03 AM (PT)

Characteristics

This dialer application allows a user to access an international dating network called “Personals Online”, where users can search for partners and send messages to other members.

This malware uses social engineering techniques, such as disguising itself with filenames like xxx*.* or xxxmpeg*.*, so that the user believes it is an adult-content application.

Upon first execution:

  • It deletes itself from disk.
  • It adds the following registry entry:

    HKEY_USERS\.DEFAULT\Software\Netscape\Netscape Navigator\User Trusted External Applications
    "%Program Files%\SCom\Dialers\XXXmpeg_fr\XXXmpeg_fr.exe" = "yes"

  • It adds the following registry entry to associate itself with the ".mpmy" extension:

    HKEY_USERS\.DEFAULT\Software\Netscape\Netscape Navigator\Viewers
    "application/x-mpmy" = "%Program Files%\SCom\Dialers\XXXmpeg_fr\XXXmpeg_fr.exe %1"

This application displays a series of banners asking the user to build a profile. It does so by asking questions about physique (height, weight), lifestyle (hair color, eye color, favorite pet, favorite kind of music, kind of places the user wishes to visit on a date) and other miscellaneous information. Static analysis shows that the dialer component fails to carry out its task.

On the first execution a Program Error box also appears. On subsequent executions the malware fails to execute, with the error message:

"Program too big to fit in memory"

Static analysis also shows that on systems with a DSL connection the dialer writes the "/dontdial" option into the registry.

1) Cookies added to the system

  • administrator@free.personalsonline[1].txt

2) Files added to the system

  • %Documents and Settings%\Administrator\Local Settings\Temp\wk_11.exe

3) Folders added to the system

  • %Program Files%\scom
  • %Program Files%\scom\dialers
  • %Program Files%\scom\dialers\xxxmpeg_fr

4) Registry keys added to the registry

  • HKEY_CURRENT_USER\Software\SCom
  • HKEY_CURRENT_USER\Software\SCom\Dialers
  • HKEY_CURRENT_USER\Software\SCom\Dialers\XXXmpeg_fr
  • HKEY_CLASSES_ROOT\.mpmy
  • HKEY_CLASSES_ROOT\MIME\Database\Content Type\application/x-mpmy
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\XXXmpeg_fr
  • HKEY_LOCAL_MACHINE\SOFTWARE\SCom
  • HKEY_LOCAL_MACHINE\SOFTWARE\SCom\Dialers
  • HKEY_LOCAL_MACHINE\SOFTWARE\SCom\Dialers\XXXmpeg_fr

5) Registry values added to the registry

  • HKEY_CLASSES_ROOT\mpmy File\shell\open\command "(Default)" = "%Program Files%\SCom\Dialers\XXXmpeg_fr\XXXmpeg_fr.exe %1"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "XXXmpeg_fr" = "%ProgramFiles%\SCom\Dialers\XXXmpeg_fr\XXXmpeg_fr.exe /dontdial"
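As an added example (not part of the original writeup), the following Python checker parses a .reg export and flags the Dialer-219 registry indicators listed above: the SCom keys, the Run-key persistence value (noting whether "/dontdial" is set) and the .mpmy file association. The .reg text and the finding strings are constructed for illustration.

```python
import re

# Registry paths and value names are those from the writeup; matching is case-insensitive, as the registry is.
SCOM_ROOTS = (r"HKEY_CURRENT_USER\Software\SCom", r"HKEY_LOCAL_MACHINE\SOFTWARE\SCom")
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
MPMY_KEYS = (r"HKEY_CLASSES_ROOT\.mpmy", r"HKEY_CLASSES_ROOT\mpmy File\shell\open\command",
             r"HKEY_CLASSES_ROOT\MIME\Database\Content Type\application/x-mpmy")
# A .reg value line is either "name"=data or @=data (the key's default value).
_VALUE_RE = re.compile(r'^(?:"(?P<name>(?:[^"\\]|\\.)*)"|@)=(?P<data>.*)$')

# Constructed sample export (not captured from a real system) in .reg escaping: "\\" stands for one backslash.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"XXXmpeg_fr"="C:\\Program Files\\SCom\\Dialers\\XXXmpeg_fr\\XXXmpeg_fr.exe /dontdial"
[HKEY_CLASSES_ROOT\mpmy File\shell\open\command]
@="C:\\Program Files\\SCom\\Dialers\\XXXmpeg_fr\\XXXmpeg_fr.exe %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\SCom\Dialers\XXXmpeg_fr]
'''


def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: data}}; the default value is stored as '@'."""
    keys, current = {}, None
    for line in (ln.strip() for ln in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})  # record the key even if it has no values
            continue
        if current is None or not (m := _VALUE_RE.match(line)):
            continue
        data = m.group("data")
        if len(data) >= 2 and data[0] == data[-1] == '"':  # quoted REG_SZ: strip quotes, unescape \\ and \"
            data = data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
        keys[current][m.group("name") if m.group("name") is not None else "@"] = data
    return keys


def find_dialer219(reg_text):
    """Return one finding string per Dialer-219 registry indicator present in the export."""
    findings = []
    for path, values in parse_reg(reg_text).items():
        low = path.lower()
        if any(low.startswith(root.lower()) for root in SCOM_ROOTS):
            findings.append(f"SCom dialer key present: {path}")
        if low == RUN_KEY.lower():
            for name, data in values.items():
                if name.lower() == "xxxmpeg_fr":
                    mode = "dial suppressed" if "/dontdial" in data.lower() else "dialing"
                    findings.append(f"Run-key persistence ({mode}): {data}")
        if low in {k.lower() for k in MPMY_KEYS}:
            findings.append(f".mpmy file association: {path}")
    return findings
```

Run `reg export HKLM\SOFTWARE hklm.reg` (and likewise for HKCU and HKCR) on the host under review and pass the file contents to find_dialer219.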

Aliases

  • Adware-Datei