high
Summary
Summary
Action- More Information
| Affected operating systems | Windows |
|---|---|
| Characteristics |
|
| Protection available since | 23 September 2004 09:40:14 (GMT) |
| Detected by | All Sophos products |
Sophos beta program
- Endpoint Security and Control 9.0
- Small business solutions 4.0
Action
- Summary
- Action
- More Information
Please follow the instructions for removing dialers.
More Information
Dial/Switch-B is a premium rate porn dialler. When the dialler is installed it
may attempt to dial premium rate services without the knowledge of the user.
Dial/Switch-B creates a copy of itself in the Windows system32 folder and the
following registry entry is created to run the dialler when Windows starts up:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Classes
It will also create a folder in <Program Files>/Plus18Point which might contain
various resources used by the dialler program.
Dial/Switch-B will attempt to reduce security levels and lock down control of
Internet Explorer or Netscape by setting the following registry entries:
HKCU\Software\Microsoft\Internet Explorer\Main\FeatureControl\
FEATURE_LOCALMACHINE_LOCKDOWN\iexplore.exe = 0
HKCU\Software\Microsoft\Internet Explorer\New Windows\Allow\
*.ffx23wl.nl
HKCU\Software\Netscape\Netscape Navigator\User Trusted External Applications
<Path to Dial/Switch-B> = "Yes"
HKCU\Software\Netscape\Netscape Navigator\Viewers\
TYPE47 = "application/x-callswitch"
HKCU\Software\Netscape\Netscape Navigator\Viewers\
application/x-callswitch = <Path to Dial/Switch-B>
It will also attempt to register a new MIME class of "application/x-callswitch"
with ".cxq" and ".mxq" extentsion by setting entries in:
HKCR\Classes\
HKCR\MIME\Database\Content Type\application/x-callswitch\
A number of registry entries are created that reference the following CLSID:
5CBF8C22-E9A6-11D7-90FE-000AE4012DB4
|
