Dialer.Hotstuff

Updated: 13 February 2007
Risk Impact: Low
File Names: hotstuff.exe, hotsex.exe, xxxvideo.exe, ngd.dll, scr1.bmp, fingerprint.txt
Systems Affected: Windows

Behavior


Dialer.Hotstuff is a dialer program that can be used to access pornographic web sites by dialing a high-cost number using a modem.

Symptoms



Your Symantec program detects Dialer.Hotstuff.
A 'GO' icon is displayed in the system tray.
A Hot Sex icon is placed on the desktop.
A Hot Sex icon is placed in the Start menu.
A Hot Sex icon is placed in the Favorites folder.

Behavior


The most common installation method for this dialer program is through visiting various web sites.

When Dialer.Hotstuff is executed, it performs the following actions:
  1. Downloads hotsex.exe, xxxvideo.exe and ngd.dll from www.europlugin.com

  2. Creates the files:

    c:\hotsex.exe
    c:\xxxvideo.exe

  3. Stores the file ngd.dll in C:\WINDOWS\System32


  4. Creates the registry key:

    HKEY_CLASSES_ROOT\Ngd2.ngd.1

  5. Creates the registry key:

    HKEY_CLASSES_ROOT\Ngd2.ngd

  6. Creates the registry key:

    HKEY_CLASSES_ROOT\{D8EFADF1-9009-11D6-8C73-608C5DC19089}

  7. Adds the value:

    "xxxvideo"="c:\xxxvideo.exe d"

    to the registry key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    so that the program starts when Windows starts.

  8. Creates the registry key:

    HKEY_LOCAL_MACHINE\SOFTWARE\WebDialler

  9. Creates the registry key:

    HKEY_CURRENT_USER\Software\Microsft\Windows\CurrentVersion\Explorer\MountPoints2\{cf2f20c2-36f5-11d9-bc36-806d6172696f}

  10. Creates the folder C:\Program Files\WebDialler

  11. Displays a dialog box that provides access to pornographic web sites by dialing a high-cost number.

      without uninstall procedures
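
As an added example (not part of the original write-up or of any Symantec tool), the following Python script checks the text of a `reg export` file for the registry indicators in steps 4 to 8 above. The function names and the sample export are constructed for illustration, and the MountPoints2 key from step 9 is left out because subkeys there are named after per-machine volume GUIDs.

```python
import re

# Registry indicators copied from steps 4-8 above.
IOC_KEYS = [
    r"HKEY_CLASSES_ROOT\Ngd2.ngd.1",
    r"HKEY_CLASSES_ROOT\Ngd2.ngd",
    r"HKEY_CLASSES_ROOT\{D8EFADF1-9009-11D6-8C73-608C5DC19089}",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\WebDialler",
]
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_NAME, RUN_DATA = "xxxvideo", r"c:\xxxvideo.exe d"
STRING_VALUE = re.compile(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def parse_reg(text):
    """Parse decoded .reg export text into {key_lower: {name_lower: data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            path = line[1:-1]
            # "[-key]" in a .reg file deletes the key, so it is not evidence of presence.
            current = None if path.startswith("-") else keys.setdefault(path.lower(), {})
        elif current is not None:
            m = STRING_VALUE.match(line)
            if m:  # string values only; dword/hex values are ignored
                name, data = (re.sub(r"\\(.)", r"\1", g) for g in m.groups())
                current[name.lower()] = data
    return keys

def scan(reg_text):
    """Return the indicators from this page that appear in the export."""
    keys = parse_reg(reg_text)
    def present(k):  # a listed subkey also proves the parent key exists
        return any(e == k or e.startswith(k + "\\") for e in keys)
    hits = [k for k in IOC_KEYS if present(k.lower())]
    if keys.get(RUN_KEY.lower(), {}).get(RUN_NAME.lower(), "").lower() == RUN_DATA.lower():
        hits.append(RUN_KEY + "\\" + RUN_NAME)
    return hits

# Constructed sample export (not taken from an infected machine).
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"xxxvideo"="c:\\xxxvideo.exe d"

[HKEY_LOCAL_MACHINE\SOFTWARE\WebDialler]

[HKEY_CLASSES_ROOT\Ngd2.ngd.1]
'''
```

Real `reg export` output is UTF-16 encoded, so decode the file before passing its text to `scan`.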