surfya dialer
November 11, 2006 on 4:35 pm | In Malware analysis | 1 Comment
Originally posted Aug 17 2005, 09:03 PM
ActiveX dialer. When installed it makes the following changes:
[ Changes to filesystem ]
* Creates file C:\WINDOWS\SYSTEM\SAMPLE.EXE.
[ Changes to registry ]
* Creates key "HKLM\Software\IEACCESS".
* Sets value "title"="SurfYa.com" in key "HKLM\Software\IEACCESS".
* Creates key "HKLM\Software\IEACCESS\restore".
* Creates key "HKLM\Software\IEACCESS\restore\Start Page".
* Sets value "value"="about:blank" in key "HKLM\Software\IEACCESS\restore\Start Page".
* Sets value "key"="Software\Microsoft\Internet Explorer\Main" in key "HKLM\Software\IEACCESS\restore\Start Page".
* Sets value "hkey"="" in key "HKLM\Software\IEACCESS\restore\Start Page".
* Modifies value "Start Page"="http://community.surfya.com/" in key "HKCU\Software\Microsoft\Internet Explorer\Main".
* Creates key "HKLM\Software\IEACCESS\restore\DefaultInternet".
* Creates key "HKLM\Software\IEACCESS\restore\InternetProfile".
* Sets value "value"="MyProfile" in key "HKLM\Software\IEACCESS\restore\InternetProfile".
* Sets value "key"="RemoteAccess" in key "HKLM\Software\IEACCESS\restore\InternetProfile".
* Sets value "hkey"="" in key "HKLM\Software\IEACCESS\restore\InternetProfile".
* Creates key "HKLM\Software\IEACCESS\restore\EnableAutodial".
* Sets value "value"="" in key "HKLM\Software\IEACCESS\restore\EnableAutodial".
* Sets value "key"="Software\Microsoft\Windows\CurrentVersion\Internet Settings" in key "HKLM\Software\IEACCESS\restore\EnableAutodial".
* Sets value "hkey"="" in key "HKLM\Software\IEACCESS\restore\EnableAutodial".
* Creates value "IEACCESS"="C:\WINDOWS\SYSTEM\SAMPLE.EXE -N" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
[ Changes to system settings ]
* Enumerates RAS connections.
* Set dialer properties to dial () 08718731247.
HijackThis log entries:
O4 - HKLM\..\Run: [IEACCESS] C:\WINDOWS\System32\surfya.exe -N
O16 - DPF: {30CE93AE-4987-483C-9ABE-F2BD5301AB70} - 64.158.165.49/output/1…surfya.exe
This looks like a mix of the old IEAccess dialers from eGroup and the Derbiz Hijacker I blogged about earlier: http://www.pieter-arntz.info/wordpressblog/?p=21
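As an added example (not part of the original post and not code from the sandbox tool that produced the report above), here is a small Python parser for the report format shown on this page, with a classifier that flags the Run-key autostart, the Start Page change and the hard-coded dial number. The embedded excerpt is constructed from the lines above; the function names are my own.

```python
import re

# Constructed excerpt in the sandbox-report format used on this page
# (straight quotes; the full report has many more registry lines).
REPORT = r"""
[ Changes to filesystem ]
* Creates file C:\WINDOWS\SYSTEM\SAMPLE.EXE.
[ Changes to registry ]
* Creates key "HKLM\Software\IEACCESS".
* Sets value "title"="SurfYa.com" in key "HKLM\Software\IEACCESS".
* Modifies value "Start Page"="http://community.surfya.com/" in key "HKCU\Software\Microsoft\Internet Explorer\Main".
* Creates value "IEACCESS"="C:\WINDOWS\SYSTEM\SAMPLE.EXE -N" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
[ Changes to system settings ]
* Enumerates RAS connections.
* Set dialer properties to dial () 08718731247.
"""

FILE_RE = re.compile(r'^\* Creates file (?P<path>.+)\.$')
KEY_RE = re.compile(r'^\* Creates key "(?P<key>[^"]+)"\.$')
VALUE_RE = re.compile(r'^\* (?:Sets|Creates|Modifies) value "(?P<name>[^"]*)"="(?P<data>[^"]*)" '
                      r'in key "(?P<key>[^"]+)"\.$')
DIAL_RE = re.compile(r'^\* Set dialer properties to dial \((?P<prefix>[^)]*)\) (?P<number>\d+)\.$')


def parse_report(text):
    """Turn the report's bullet lines into a dict of indicators."""
    iocs = {"files": [], "keys": [], "values": [], "dial_numbers": []}
    for line in text.splitlines():
        line = line.strip()
        if m := FILE_RE.match(line):
            iocs["files"].append(m["path"])
        elif m := KEY_RE.match(line):
            iocs["keys"].append(m["key"])
        elif m := VALUE_RE.match(line):
            iocs["values"].append((m["key"], m["name"], m["data"]))
        elif m := DIAL_RE.match(line):
            iocs["dial_numbers"].append(m["prefix"] + m["number"])
    return iocs


def classify(iocs):
    """Flag the behaviours a defender cares about: autostart persistence,
    home-page hijack and a hard-coded dial-up number."""
    findings = []
    for key, name, data in iocs["values"]:
        k = key.lower()
        if k.endswith(("\\currentversion\\run", "\\currentversion\\runonce")):
            findings.append(("persistence", f"{key}\\{name} = {data}"))
        elif k.endswith("\\internet explorer\\main") and name.lower() == "start page":
            findings.append(("start_page_hijack", data))
    for number in iocs["dial_numbers"]:
        findings.append(("dialer_number", number))
    return findings


if __name__ == "__main__":
    for kind, detail in classify(parse_report(REPORT)):
        print(f"{kind:18} {detail}")
```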
1 Comment »
Originally posted Aug 20 2005, 01:30 PM
To make it easy to remove this dialer you can use this method.
Download and unzip Brute Force Uninstaller: http://www.softpedia.com/get/Tweak/Uninstallers/Brute-Force-Uninstaller.shtml
Copy the text in the CODE box below into notepad and save it as surfya.bfu
[code]
ProcessKillIfContainsText *.exe|EnableAutodial|0
FileDelete %SYSDIR%\temp532.exe
FileDelete %SYSDIR%\surfya.exe
FileDelete %DESKTOP%\SurfYa.com.lnk
FileDelete %STARTMENU%\SurfYa.com.lnk
FileDelete %STARTMENU%\Uninstall SurfYa.com.lnk
RegDeleteKey HKLM\SOFTWARE\IEACCESS
RegSetDwordValue HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings|EnableAutodial|0
RegSetDwordValue HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings|EnableAutodial|0
RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|IEACCESS
RegSetStringValue HKCU\Software\Microsoft\Internet Explorer\Main|Start Page|http://metallica.geekstogo.com/
RegDeleteKey HKLM\SOFTWARE\Classes\CLSID\{30CE93AE-4987-483C-9ABE-F2BD5301AB70}
RegSetDwordValue HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{30CE93AE-4987-483C-9ABE-F2BD5301AB70}|Compatibility Flags|1024
SystemRun RASPHONE.EXE|-r surfya.com|0
[/code]
Then run BFU by double-clicking BFU.exe and show the program where you saved surfya.bfu.
Then click Execute.
All you have to do now is change your start page back to what you want in IE under Tools > Internet Options > on the General tab (unless you like my site so much you want to keep it 😛 )
Comment by metallica — November 11, 2006 #