Threat Explorer

The Threat Explorer is a comprehensive resource consumers can turn to for daily, accurate, up-to-date information on the latest threats, risks and vulnerabilities.

Dialer.DialPlatform

Dialer.DialPlatform

Updated:
13 February 2007
Risk Impact:
High
File Names:
Loader.dll.
Systems Affected:
Windows

Behavior


Dialer.DialPlatform is a dialer program that can be used to access pornographic material by dialing a high-cost number using the modem.

Symptoms


A file is detected as Dialer.DialPlatform.

Behavior


Dialer.DialPlatform is installed when visiting pornographic Web sites.

Antivirus Protection Dates

  • Initial Rapid Release version 02 October 2014 revision 022
  • Latest Rapid Release version 03 November 2019 revision 020
  • Initial Daily Certified version 31 May 2004
  • Latest Daily Certified version 04 November 2019 revision 060
  • Initial Weekly Certified release date 01 June 2004
Click here for a more detailed description of Rapid Release and Daily Certified virus definitions.

CGI scripts that are found on some pornographic Web sites call Dialer.DialPlatform.

If you go to these sites, the dialer will immediately run and use the modem to dial a high-cost number, which gives access to pornographic material.


When Dialer.DialPlatform is installed, it does the following:
  1. Creates the following files:
    • %Windir%\system\Loader.dll
    • %UserProfile%\Local Settings\Temp\[random eight letter name].exe

      Note:
    • %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.
    • %UserProfile% is a variable that refers to the current user's profile folder. By default, this is C:\Documents and Settings\[CURRENT USER] (Windows NT/2000/XP).

  2. Creates the registry subkeys:

    HKEY_LOCAL_MACHINE\Software\PTSSA
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2E246FAE-8420-11D9-870D-000C2917DE7F}
    HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{2E246FAE-8420-11D9-870D-000C2917DE7F}



The following instructions pertain to all Symantec antivirus products that support Security Risk detection.
  1. Update the definitions.
  2. Close modem connections.
  3. Run a full system scan and write down the path and file names of all the files detected as Dialer.DialPlatform.
  4. Unregister the loader.dll file.
  5. Scan for and delete the files.
  6. Delete the value that was added to the registry.
For specific details on each of these steps, read the following instructions.

1. To update the definitions
To obtain the most recent definitions, start your Symantec program and run LiveUpdate.

2. To close modem connections
This risk uses available modems to create an Internet connection, sometimes without any visible signs. In order to successfully remove this threat, ensure that all modem-based Internet connections are disconnected before proceeding. For instructions on how to do this, consult the appropriate Internet service provider, computer manufacturer, or operating system documentation.

3. Recording the path to the ieloader.dll file.
  1. Start your Symantec antivirus program and run a full system scan.
  2. If any files are detected as Dialer.Dialplatform, record the path to the file.
    4. Unregistering the loader.dll file
    1. Click Start, and then click Run. (The Run dialog box appears.)
    2. Type, or copy and paste, the following text:

      regsvr32 /u <path to loader.dll>

      then click OK.

    3. If a dialog box confirming this action appears, click OK.

    5. To scan for and delete the files
    1. Start your Symantec antivirus program, and then run a full system scan.
    2. If any files are detected as Dialer.DialPlatform, click Delete.

      Note: If your Symantec antivirus product reports that it cannot delete a detected file, write down the path and file name. Then use Windows Explorer to locate and delete the file.
      5. Deleting the value from the registry
      WARNING: Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified keys only. Read the document, "How to make a backup of the Windows registry ," for instructions.

      Note: This is done to make sure all keys are removed. They may not be there if they were removed by regsvr32.

      Click Start, and then click Run. (The Run dialog box appears.)
      1. Type regedit

        Then click OK. (The Registry Editor opens.)

      2. Navigate to and delete the following keys if they exist:

        HKEY_LOCAL_MACHINE\Software\PTSSA
        HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2E246FAE-8420-11D9-870D-000C2917DE7F}
        HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{2E246FAE-8420-11D9-870D-000C2917DE7F}
      3. Exit the Registry Editor.